General
-
Target
47f9955f36afbe74f292eb02e47c782f720c9adaaa8e31cf9f82e50c74c3b044.exe
-
Size
515KB
-
Sample
240429-blff4sdg93
-
MD5
d5141d80d46fd3df879495cca103caba
-
SHA1
a9019fc51e0288916ff8b61d6fbdf9e3b58b65ba
-
SHA256
47f9955f36afbe74f292eb02e47c782f720c9adaaa8e31cf9f82e50c74c3b044
-
SHA512
063912cfba95c2ef51c7bf927f9a2b251379cdf1aac2bee7e513148504bb438edde4bf4bc24aeb49b11b2933c60a9d19d88ea35b76ce576c6183dcab114aeafd
-
SSDEEP
12288:1fLwLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLPLLLLLLLLLL8:1fLwLLLLLLLLLLLLLLLLLLLLLLLLLLLY
Static task
static1
Behavioral task
behavioral1
Sample
47f9955f36afbe74f292eb02e47c782f720c9adaaa8e31cf9f82e50c74c3b044.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
47f9955f36afbe74f292eb02e47c782f720c9adaaa8e31cf9f82e50c74c3b044.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
⠨/start.vbs
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
⠨/start.vbs
Resource
win10v2004-20240419-en
Behavioral task
behavioral5
Sample
⠨/temp.bat
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
⠨/temp.bat
Resource
win10v2004-20240419-en
Malware Config
Extracted
remcos
RemoteHost
172.94.101.172:6238
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-ZY6SQA
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
47f9955f36afbe74f292eb02e47c782f720c9adaaa8e31cf9f82e50c74c3b044.exe
-
Size
515KB
-
MD5
d5141d80d46fd3df879495cca103caba
-
SHA1
a9019fc51e0288916ff8b61d6fbdf9e3b58b65ba
-
SHA256
47f9955f36afbe74f292eb02e47c782f720c9adaaa8e31cf9f82e50c74c3b044
-
SHA512
063912cfba95c2ef51c7bf927f9a2b251379cdf1aac2bee7e513148504bb438edde4bf4bc24aeb49b11b2933c60a9d19d88ea35b76ce576c6183dcab114aeafd
-
SSDEEP
12288:1fLwLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLPLLLLLLLLLL8:1fLwLLLLLLLLLLLLLLLLLLLLLLLLLLLY
Score10/10-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Suspicious use of SetThreadContext
-
-
-
Target
⠨/start.vbs
-
Size
170B
-
MD5
65ee9f906fdefca9b4a6a21581dd849f
-
SHA1
b372dea5a9b9a99311445a55b634aa8f6c1d7b9d
-
SHA256
087f43e7f9f78bbeb1050cdbfaeb3d23ad7b4b742d6ef91229b8824a20daaee6
-
SHA512
1f593864f52ac61f7f4ef2aa1bfcf538dd2833e53bbd931f96c42b2ca90d2bf68545fdac547f0f3cce09ad7734acdb629bf642081227a996d3d22117263ad23a
Score1/10 -
-
-
Target
⠨/temp.bat
-
Size
518KB
-
MD5
6c99fcefc4cfca458dc32d1c1b5839e8
-
SHA1
1a790a0de590a6bae014c34490de08700a05fd26
-
SHA256
f459ce2835f50b426f95d901bf5728ca3769595454ccb1910c21d1872b006f7d
-
SHA512
b77a09dcf0061c74fbe00d37317b594f226635bb018bda645b3405d5ce1263d0b05f33998609b112877275ccf9fdef7401ae8c1ecf37da0588afaafce2554dec
-
SSDEEP
12288:cBh7eM7cAGtDKTn88OZoWGuexnQ3LGaO9EMk3bmRp1Z1Wpz942lhCB/rUqhZe7s9:cBh7eM7cAGtDKTn88OZoWGuexnQ3LGag
Score1/10 -