General
-
Target
SADF09865789000.cmd
-
Size
810KB
-
Sample
240116-j26l8sghh8
-
MD5
1b3b0c326406fd3759229ef318857e02
-
SHA1
d4b4a0360dfbef3613c9c4cc21b720a296bfc153
-
SHA256
905c898c3257c17de9307290dcfbc8ee6a39f5b3964cc06ee97cb0a799037821
-
SHA512
22a98d568ca2dcdba4827014af29a8eaebe44dda5cc4ba2ef1af2b907a3a69678ef01a4263c1412b0ac8aab2813358ee9fb2f804105a02a01184bdec9f4281d6
-
SSDEEP
12288:CSuZNbdeDgK4CXlCqb8OC7cPR9TdNQbRjUNDZVi9ZtV9iD7obx1VvuD7QRdl/f:CSGO81es7cp9Td6UF6XV9k7ozVvk7UX
Malware Config
Extracted
remcos
PC
107.175.229.139:8087
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-X5MJYU
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
SADF09865789000.cmd
-
Size
810KB
-
MD5
1b3b0c326406fd3759229ef318857e02
-
SHA1
d4b4a0360dfbef3613c9c4cc21b720a296bfc153
-
SHA256
905c898c3257c17de9307290dcfbc8ee6a39f5b3964cc06ee97cb0a799037821
-
SHA512
22a98d568ca2dcdba4827014af29a8eaebe44dda5cc4ba2ef1af2b907a3a69678ef01a4263c1412b0ac8aab2813358ee9fb2f804105a02a01184bdec9f4281d6
-
SSDEEP
12288:CSuZNbdeDgK4CXlCqb8OC7cPR9TdNQbRjUNDZVi9ZtV9iD7obx1VvuD7QRdl/f:CSGO81es7cp9Td6UF6XV9k7ozVvk7UX
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-