General

  • Target

    776-84-0x0000000001EC0000-0x0000000001F3C000-memory.dmp

  • Size

    496KB

  • MD5

    6b529a4b33d42e9eb10bf4ad6a6ae7be

  • SHA1

    f1117a74cc15c6f343c58ebe542849dbbc4d375d

  • SHA256

    0946b60a2b3e683952c2cdeda0d61dbbe45f579c6c29cd81de1f741639b2dd17

  • SHA512

    65f097973faa4d111723d1151d11fede0945c2b424132f7b8c41f417630e5c0369b8f3f4c7bfd43d9f7f67b931f12a62c7601e9d25b58f383eb233f7800dad73

  • SSDEEP

    6144:BXVUvr+eNVx6JuGD5To83sRnymABKtqulRwOJfZJEfcZdC48hAyWsAOZZ8RX7mck:BX8/Vx65HCnDAByqulR1fZJQCs/Z8

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

APRIL

C2

mrbigice.hopto.org:3453

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-N5A2Q9

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    toolz

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos family
  • Unsigned PE 1 IoCs

    Checks for missing Authenticode signature.

Files

  • 776-84-0x0000000001EC0000-0x0000000001F3C000-memory.dmp
    .exe windows:5 windows x86 arch:x86


    Headers

    Sections