General

Target: 268f9784627f4ec95cf7a729077b43e2d64a14ee86f171a6e01f9929e736419f
Size: 853KB
Sample: 240417-p3284afh79
MD5: a5320487ce412d7824fa176eaa4559e0
SHA1: 21589e8463bf767a2a0de14cb1347778fea05a7a
SHA256: 268f9784627f4ec95cf7a729077b43e2d64a14ee86f171a6e01f9929e736419f
SHA512: 4f10cbe6ae33c3e77d46d83bd5b85db501ff69f26b4a231834868b8cc9b76ca86eb80e018d36c0401399cec014fb2d0f04430d3124a5be8654c8027c52d761fb
SSDEEP: 12288:z7938cJrFeZaUnfSbXW0eYt+6u6C1ATwMIprWw+8vfIUJt2Qx+XPhUH6jruW:zJ/1bUnfot+4HnR8XIUJt2QxyZjaW
Static task: static1
Behavioral task: behavioral1
  Sample: 913d48da1552314523f97efb759a51fca7c7c0d99c1e7e3e75dfdf205bc301d7.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 913d48da1552314523f97efb759a51fca7c7c0d99c1e7e3e75dfdf205bc301d7.exe
  Resource: win10v2004-20240226-en
Malware Config

Extracted
Family: remcos
Botnet: 884764
C2: serverupdatemarch353.duckdns.org:5987
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: 77364-XW3CG1
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets

Target: 913d48da1552314523f97efb759a51fca7c7c0d99c1e7e3e75dfdf205bc301d7.exe
Size: 880KB
MD5: de0cc354f80bdf7487bd53569ba7128d
SHA1: d4b4ff7d05d21cc80d371ec6a75b2ec0e351c3c5
SHA256: 913d48da1552314523f97efb759a51fca7c7c0d99c1e7e3e75dfdf205bc301d7
SHA512: 250eb561ba7ece68f273f38423bdd3d67c3e3c963b2db2a02039e96e677a506c300267f04eec1288f32162484bcdaf252fc66d8ac49490b3cb8d1edc8aae1380
SSDEEP: 24576:+BdKLPsnFfwDzigBFqdJrEDxvHgi2Q7eUI4:+OLP1GrEDx/H9
Score: 10/10

Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
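The extracted config and the behavioural signatures above are the parts of this report a responder actually reuses: the C2 host and port, the mutex, the Run-key value name and the drop/keylog paths are host and network indicators, and the geofence lookup and cross-process SetThreadContext are behaviours worth alerting on regardless of the build. The script below is an added example, not part of the sandbox report or of any vendor tooling: it turns the config values copied from this page into indicators and runs them over a constructed set of telemetry records. The registry key it uses for the geofence check (HKCU\Control Panel\International\Geo\Nation) is an assumption, since the report names no key, and the event records are made up for the demo.

```python
"""Host-indicator matching built from the Remcos config extracted in this report.

Added example, not part of the sandbox report. Config values are copied from
the report; the telemetry records at the bottom are constructed for the demo.
"""
from typing import Optional

# Values taken from the extracted Remcos config in the report.
REMCOS_CONFIG = {
    "c2": "serverupdatemarch353.duckdns.org:5987",
    "mutex": "77364-XW3CG1",
    "startup_value": "Remcos",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
}

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# ASSUMPTION: the value behind the "Checks computer location settings"
# signature. The report names no key; this is a guess, not a fact from the page.
GEO_KEY = r"HKCU\Control Panel\International\Geo\Nation"


def build_indicators(cfg: dict) -> dict:
    """Derive matchable host/network indicators from the extracted config."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "run_value": cfg["startup_value"],
        # Path suffixes the copy_folder/copy_file and keylog settings describe.
        "drop_suffix": ("\\" + cfg["copy_folder"] + "\\" + cfg["copy_file"]).lower(),
        "keylog_suffix": ("\\" + cfg["keylog_folder"] + "\\" + cfg["keylog_file"]).lower(),
    }


def classify(ev: dict, ind: dict) -> Optional[str]:
    """Return a signature name when one telemetry record matches an indicator."""
    t = ev["type"]
    if t == "dns" and ev["query"].lower() == ind["c2_host"]:
        return "remcos_c2_dns"
    if t == "netconn" and ev["host"].lower() == ind["c2_host"] and ev["port"] == ind["c2_port"]:
        return "remcos_c2_connect"
    if t == "mutex" and ev["name"] == ind["mutex"]:
        return "remcos_mutex"
    if t == "reg_set" and ev["key"].lower() == RUN_KEY.lower() and ev["value"] == ind["run_value"]:
        return "remcos_run_key"
    if t == "reg_query" and ev["key"].lower() == GEO_KEY.lower():
        return "geofence_check"
    if t == "file_write" and ev["path"].lower().endswith((ind["drop_suffix"], ind["keylog_suffix"])):
        return "remcos_artifact_write"
    # SetThreadContext aimed at a different process is what the report's
    # "Suspicious use of SetThreadContext" signature covers; process hollowing
    # is the usual reason, but that interpretation is ours, not the report's.
    if t == "api" and ev["name"] == "SetThreadContext" and ev["target_pid"] != ev["pid"]:
        return "cross_process_setthreadcontext"
    return None


def scan(events: list, ind: dict) -> list:
    """Return (pid, signature) pairs for every matching record, in input order."""
    hits = []
    for ev in events:
        sig = classify(ev, ind)
        if sig:
            hits.append((ev["pid"], sig))
    return hits


# Constructed telemetry for the demo (NOT the report's sandbox run).
SAMPLE_EVENTS = [
    {"type": "reg_query", "pid": 1204, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "mutex", "pid": 1204, "name": "77364-XW3CG1"},
    {"type": "reg_set", "pid": 1204, "key": RUN_KEY, "value": "Remcos",
     "data": r"C:\Users\u\AppData\Roaming\Remcos\remcos.exe"},
    {"type": "file_write", "pid": 1204, "path": r"C:\Users\u\AppData\Roaming\remcos\logs.dat"},
    {"type": "api", "pid": 1204, "name": "SetThreadContext", "target_pid": 1388},
    {"type": "dns", "pid": 1388, "query": "serverupdatemarch353.duckdns.org"},
    {"type": "netconn", "pid": 1388, "host": "serverupdatemarch353.duckdns.org", "port": 5987},
    {"type": "netconn", "pid": 900, "host": "update.example.invalid", "port": 443},  # benign noise
]

if __name__ == "__main__":
    for pid, sig in scan(SAMPLE_EVENTS, build_indicators(REMCOS_CONFIG)):
        print(pid, sig)
```

The C2 is a duckdns.org dynamic-DNS name, so the DNS query and the hostname on the connection are the durable indicators; the resolved IP can change between runs and is not in the report. The mutex and the Run-key value name are build-specific and will not survive a rebuilt sample, whereas the geofence registry lookup and a SetThreadContext call into another process are behaviours to keep alerting on after these particular strings are stale.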