General
-
Target
0F8498114C7A081EE0630A00BA4DFF2E.7z
-
Size
1.4MB
-
Sample
240123-fw4nxageb7
-
MD5
bb986434129f2af2f061419eec376669
-
SHA1
6056d711fced706a61d1afa0c9b9967cdf4e8dc4
-
SHA256
422615c8d808550754675e825e1af240833928de9f8da026008b22ada2f16cd7
-
SHA512
b9e323b932938716572becddc11b79273fc4af390acec398cf4aea06cba1134df91f140c1056332b175968817c513bce8c0c0c61ec673c1ad18d1f5d564a1319
-
SSDEEP
24576:vfQkM6TtWtb31H3AKo9tL2X4n3ja8ymHmfQkM6TtWtb31H3AKo9tL2X4n3ja8ym8:3rM6Tt4b31Hbo9tLc43jumHgrM6Tt4bd
Malware Config
Extracted
remcos
Top
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
mqerms.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
alpwovnb-G3F5OR
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
0F8498114C7A081EE0630A00BA4DFF2E.exe
-
Size
782KB
-
MD5
8e2f08deaac5bddbb57f3c5d40ea8bd0
-
SHA1
be7842f6e42e7ec89285ef2c65f84952ffebdbd5
-
SHA256
59559873eaa5a5b25f029c6768a22d3e84b03b7467cc764ea5f081edc0bfeb58
-
SHA512
ac2e98db25f2a867383d47f77076b0133242f6492eab7578db557b8c56a57443525f8a57e76438462bc65d9d04a742ea646b1f1351d2970f29fa569debe3a200
-
SSDEEP
24576:3fLMW38ZStHH1tbAKovtn2X4nTFu8EG4W4:voJZ8HH1tPovtnc4TFcG4W4
Score7/10-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
12KB
-
MD5
4add245d4ba34b04f213409bfe504c07
-
SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
-
SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
-
SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
-
SSDEEP
192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
Score3/10 -
-
-
Target
Invoice for Return of Excess Amount (Temmuz) dd 10.01.2024.exe
-
Size
782KB
-
MD5
8e2f08deaac5bddbb57f3c5d40ea8bd0
-
SHA1
be7842f6e42e7ec89285ef2c65f84952ffebdbd5
-
SHA256
59559873eaa5a5b25f029c6768a22d3e84b03b7467cc764ea5f081edc0bfeb58
-
SHA512
ac2e98db25f2a867383d47f77076b0133242f6492eab7578db557b8c56a57443525f8a57e76438462bc65d9d04a742ea646b1f1351d2970f29fa569debe3a200
-
SSDEEP
24576:3fLMW38ZStHH1tbAKovtn2X4nTFu8EG4W4:voJZ8HH1tPovtnc4TFcG4W4
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
12KB
-
MD5
4add245d4ba34b04f213409bfe504c07
-
SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
-
SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
-
SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
-
SSDEEP
192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
Score3/10 -