General
-
Target
869031d5e7abc377ebe084c375ffdf1e.bin
-
Size
199KB
-
Sample
240414-bvmxjscg24
-
MD5
ee136c16e3e5108406af659f75ce4450
-
SHA1
eec4a7b355344ad23907eaa45f2432d6728c9b5b
-
SHA256
b213a72ba515813fcaa5fe6aa4128c51d5b3d990deffae0a5ffbfeed7a1e6190
-
SHA512
579458c8ceef7e5f0b17ede5063e8cfb44249df1daac542e636c0b5fe70fd6b32cbe5c781a8d4ba7110b5ad3d05faa58ebe78b431f0693738b84273802284252
-
SSDEEP
6144:MiQ3eYM/vW7/l1gKF/xVBARMymDktmRHVpQD:u3eh/IX1QMzDSmRcD
Static task
static1
Behavioral task
behavioral1
Sample
19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe
Resource
win10v2004-20240412-en
Malware Config
Extracted
remcos
1.7 Pro
Host
185.241.208.113:2404
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_tifinqdfds
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe
-
Size
203KB
-
MD5
869031d5e7abc377ebe084c375ffdf1e
-
SHA1
89c16a7d8f1b95c4c0a72d7407f43686c329ec9f
-
SHA256
19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7
-
SHA512
c269ef4bf32fbb350b0c25cc6f6a4e570cb8d1a6d9755636a1d879aa24956ebef6d1b5f5cbdd4e1b95531dd55553e77ff82eff398cc37c676d8d705a7b6d05c4
-
SSDEEP
6144:1OSGpTE6C8JaksU4gcet422dSnVE492l9:kSMEfUaMce+22YnV
Score 10/10
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up the country code configured in the registry; this is likely used as a geofence check.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Modifies WinLogon
-
Suspicious use of SetThreadContext
-