General
Target: a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
Size: 998KB
Sample: 240408-pmq6wshb44
MD5: 3c799830186bb6a7d63083ba711c551d
SHA1: c6b90d7469836e55207608fe46ca201a83d3aa47
SHA256: a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490
SHA512: b9719254257581c6648fbe7f3c379326f96a299d6c46bd7870c88917a70fcc1c13f2ca1ed148b42e13958a31b78fc53c9a1a047838aea1ace46e02881bc86494
SSDEEP: 12288:ukH6ayww0yNDAooku24inFf7DCwHVr1cErwHJ5Z2r4cdhu6YgX7ZL2OvIpdbMaGv:r6ajKqo+2rnF9SHYkGTX9KOAr/xAP
Static task: static1
Behavioral task: behavioral1
Sample: a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
Resource: win7-20240221-en
Malware Config
Extracted family: remcos
Host: 37.120.235.114:2269
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-FCA9SV
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490.exe
Size: 998KB
MD5: 3c799830186bb6a7d63083ba711c551d
SHA1: c6b90d7469836e55207608fe46ca201a83d3aa47
SHA256: a9df1a3b22a408f630ea9e57fdcce2b8483cb5eac3414b5c172b51ec98178490
SHA512: b9719254257581c6648fbe7f3c379326f96a299d6c46bd7870c88917a70fcc1c13f2ca1ed148b42e13958a31b78fc53c9a1a047838aea1ace46e02881bc86494
SSDEEP: 12288:ukH6ayww0yNDAooku24inFf7DCwHVr1cErwHJ5Z2r4cdhu6YgX7ZL2OvIpdbMaGv:r6ajKqo+2rnF9SHYkGTX9KOAr/xAP

Signatures
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Suspicious use of SetThreadContext