General
Target: 1a656b2cbd02513830d9652917a1c77c648d28a4c82f83dc3178a0150e6bf5a0
Size: 833KB
Sample: 240417-qrejbshe63
MD5: 965cd7c4cbd82c6e4a45958d199e4cc8
SHA1: 608896cbf123dcea9886d64d1135fba0ebd63bb8
SHA256: 1a656b2cbd02513830d9652917a1c77c648d28a4c82f83dc3178a0150e6bf5a0
SHA512: 6b89f72794dbe72652fee14e7ffad03961da3b3bfb96f32a5116700439718ae51f14b865740bf29b25bab8aabd6f22a36582c1527fbea2689cbc0cbb2b1cf768
SSDEEP: 24576:Zt3tv4jY4PTdmbJHYtyn8HN1qLk4n+Cy7WF:Zt3tvv4bdKtEyn8HNoI4Ry7WF
Static task: static1
Behavioral task: behavioral1
Sample: f9905175d2bba89cc70840195fe3ab71f3da27cb466e532f5e58c0b89f6880c9.exe
Resource: win7-20240215-en
Malware Config
Extracted
remcos
7272626
windowsserverfebarch.duckdns.org:5841
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: 72626-GNX3E4
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: f9905175d2bba89cc70840195fe3ab71f3da27cb466e532f5e58c0b89f6880c9.exe
Size: 844KB
MD5: 8bddc2d176b374df21988621d1e34229
SHA1: e9482bcfa0106160bd0d8c535082ec2a64d8e620
SHA256: f9905175d2bba89cc70840195fe3ab71f3da27cb466e532f5e58c0b89f6880c9
SHA512: 9f597e449f017d184d726f4da8ce1a2471ff6dcf6570588790320394469110b76a1759d6cdb7f24b1904b5136b3078a390bb5e31405ff7904e989479ab9b5dd9
SSDEEP: 12288:sp4+EpVjZsEpt4Q8gn/pu6JnTzk9Sv+LWK+WGnsVNvlkYkBCdonHi6NQkt8YfhvW:m4Fpl+yD8c/sXwnmYk4HtSkt8WhMUPQ
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)