General
Target: DOCUMENTO FINANCIERO COMPRA ONLINE.tar
Size: 1.3MB
Sample: 240112-r9xy3aaagr
MD5: f33083d6b0df683078e98e80acd3a119
SHA1: 68d24e2f493915f1a19e309ba4eadf45deb2ceeb
SHA256: 0b459d5acf6c6ff8416c4a6ed7abc200c777dd35e33a1b2cc21c46b89728bcfe
SHA512: aab089cb9f026c55dfb96b7c8df0079bd1476dd55b6b097e221b40d5fcc5ad1590d65848d2dae2c798d888990b54baec061dac4b114e9e952ec7f14cc9be67c9
SSDEEP: 24576:gwh3psb6UsUiASO7DE73WaKaVFtRFj4piBZ+Yiy6FQgKE1cyzzkC1KynrwUo9t:gQqb6UlicDo3NfvUpiBZ+bx2m1cRQtUx

Static task: static1
Malware Config
Extracted family: remcos
Botnet: ALDOLAR
C2: panel2.con-ip.com:1993
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-35UFD7
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: DOCUMENTO FINANCIERO COMPRA ONLINE.tar (1.3MB; same MD5, SHA1, SHA256, SHA512 and SSDEEP values as listed under General)

Signatures:
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Suspicious use of SetThreadContext