General

Target: tt.zip
Size: 33KB
Sample: 240320-qzv62sae6x
MD5: 1eebc0a7c6b8dd9a24a9494fbf98614c
SHA1: 28a75117f034b137f8729a59442148f41bd75503
SHA256: eea63589b21f1cf4e89727a02d496b0e9de91b39df40190c88e2d6352615fcb7
SHA512: fc3a2c306d143dc5282565292fdcfab7dc84d653832e835c2f21ba59ac16a0ff2f0dc42760bebf06b26456e8c9fdae4761d375eedcbd0cbd88ed00d30c8d7738
SSDEEP: 768:5MXHXv+Xy2rr2VHKSxmfq3ntb4RDzlsT4b1JjJgeLBgxLLkqMo:56H2Xy2rrYHKSxKOtMJltLlo9LL
Malware Config

Extracted family: remcos
Version: 1.7 Pro
Host: 10.0.2.15:2402

audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: U32c.exe
copy_folder: MicrosoftCryptographie
delete_file: true
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %UserProfile%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: true
mutex: remcos_idwxrxyimd
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: Windows Defender
take_screenshot_option: false
take_screenshot_time: 5
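The config above is more useful as a hunt list than as raw key/value pairs: install_flag with install_path, copy_folder and copy_file give the on-disk copy, startup_value gives the Run value name the "Adds Run key" signature refers to, mutex gives a synchronisation object name, and the feature flags (keylog_flag, screenshot_flag, both false here) say which collection paths this build will actually create. One caveat a practitioner should apply before pushing the C2 host to a blocklist: 10.0.2.15 is an RFC 1918 address (it is the address VirtualBox assigns to a NAT guest), so this build was pointed at a lab host and the "host" value is not a usable network indicator. The following Python is an added example written for this page, not sandbox or Remcos code; the config dict and the Sysmon-like events are constructed from the values on the page, and the reading of the fields (install path = install_path\copy_folder\copy_file, startup_value = a Run value name under HKCU) is the editor's assumption about Remcos behaviour.

```python
"""Derive hunt artifacts from an extracted Remcos config and match them
against host events. Added example, not code from the sandbox or Remcos."""
import ipaddress
import ntpath  # Windows-style path joins even when this runs on Linux/macOS

# Constructed from the extracted config on this page (subset of the keys).
REMCOS_CONFIG = {
    "host": "10.0.2.15:2402",
    "install_flag": True,
    "install_path": "%UserProfile%",
    "copy_folder": "MicrosoftCryptographie",
    "copy_file": "U32c.exe",
    "startup_value": "Windows Defender",
    "mutex": "remcos_idwxrxyimd",
    "keylog_flag": False,
    "keylog_path": "%AppData%",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screens",
}

# Constructed events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Windows Defender", "data": r"C:\Users\lab\MicrosoftCryptographie\U32c.exe"},
    {"type": "file_create", "path": r"C:\Users\lab\MicrosoftCryptographie\U32c.exe"},
    {"type": "mutex_create", "name": "remcos_idwxrxyimd"},
    {"type": "file_create", "path": r"C:\Users\lab\AppData\Roaming\remcos\logs.dat"},
    {"type": "network_connect", "dst": "10.0.2.15", "port": 2402},
]


def parse_host(host):
    """Split 'address:port' and flag RFC 1918 / loopback addresses so a lab
    address is not mistaken for an Internet C2. Hostnames get private=None."""
    addr, _, port = host.rpartition(":")
    try:
        private = ipaddress.ip_address(addr).is_private
    except ValueError:  # a hostname rather than an IP literal
        private = None
    return {"address": addr, "port": int(port), "private": private}


def derive_artifacts(cfg):
    """Return the artifacts this build would create. Feature-gated paths
    (keylog, screenshots) are listed only when their flag is true."""
    arts = {"mutex": cfg["mutex"], "c2": parse_host(cfg["host"])}
    if cfg["install_flag"]:
        arts["install_path"] = ntpath.join(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"])
        arts["run_value_name"] = cfg["startup_value"]  # Run value name; HKCU hive is assumed
    if cfg["keylog_flag"]:
        arts["keylog_file"] = ntpath.join(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"])
    if cfg["screenshot_flag"]:
        arts["screenshot_dir"] = ntpath.join(cfg["screenshot_path"], cfg["screenshot_folder"])
    return arts


def _tail(path):
    """Last two path components, lower-cased, so the %UserProfile% placeholder
    from the config can be compared with a concrete on-disk path."""
    head, name = ntpath.split(path)
    return ntpath.join(ntpath.basename(head), name).lower()


def match_events(arts, events):
    """Label each event with the artifact it matches (None when it matches nothing)."""
    hits = []
    for ev in events:
        hit = None
        t = ev["type"]
        if t == "mutex_create" and ev["name"] == arts["mutex"]:
            hit = "mutex"
        elif (t == "registry_set" and ev["key"].lower().endswith(r"\currentversion\run")
              and ev["value"] == arts.get("run_value_name")):
            hit = "run_value_name"
        elif (t == "file_create" and "install_path" in arts
              and _tail(ev["path"]) == _tail(arts["install_path"])):
            hit = "install_path"
        elif t == "network_connect":
            c2 = arts["c2"]
            if ev["dst"] == c2["address"] and ev["port"] == c2["port"]:
                # A private C2 address means a lab build, not an Internet indicator.
                hit = "c2_lab_address" if c2["private"] else "c2"
        hits.append((t, hit))
    return hits


if __name__ == "__main__":
    artifacts = derive_artifacts(REMCOS_CONFIG)
    for k, v in artifacts.items():
        print(f"{k}: {v}")
    for ev_type, hit in match_events(artifacts, SAMPLE_EVENTS):
        print(f"{ev_type:16} -> {hit}")
```

Note that the constructed logs.dat event stays unmatched: keylog_flag is false in this build, so derive_artifacts does not list a keylog path, and a file by that name would need a different explanation. The network event matches, but is labelled as a lab address rather than a C2 hit.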
Targets

Target: explorer.exe
Size: 36KB
MD5: 722f70f7c2d8ce48d62723390d7a1898
SHA1: a57fd2bee605c399cf92f21b051479049c4868fb
SHA256: a6f04a175ecb36c0813e7a8d7504709bc3fd633e05622f2f7bab422d096b2077
SHA512: 9fa61013ee3f5ae00c96c6d89026fb84122fd0eb4b349582b8d8b911fbd894d4ab44d3221ec26f327eb33dcdb839e443971ef7ec677819c4d879d6d2a48c45d6
SSDEEP: 768:55PHyCjmhFdWfLubuZ1kvIaEekM26Jr1:55PHfjGPAKbLVPJr

Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext