General
Target: final.cmd
Size: 2.8MB
Sample: 240430-z7bl2sfh8y
MD5: 165ba4f5ee932656ad13c041f9e03609
SHA1: 6592b713bf210424d4f15ef88182b2138d96e682
SHA256: 720db8b793961f18eb7d8acab3419851db2ed025917c4d180d6dd157e04200a5
SHA512: a19186170d9565cdc745a5ce4c607dbbe6cac685128bf875e632dc6a658f86de36a6df59a27e9ac2619dcccb1e1a6d7d05a0cdbe6fef2a2caed62325b33f5b0d
SSDEEP: 24576:9ZuUS2Yh88lIMQ6mg9Qbx63eRhHQhS8abRLzhCvrjjy1JfHFJtgRnke9luUH:9ZuSIl5r53wwhSfzhCjmHFJKZJ9lu8
Static task: static1
Behavioral task: behavioral1
  Sample: final.cmd
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: final.cmd
  Resource: win10v2004-20240226-en
Malware Config
Extracted: remcos
RemoteHost:
  myumysmeetr.ddns.net:2404
  mysmeetr.ddns.net:2404
  meetre1ms.freeddns.org:2404
  bbhmeetre1ms.freeddns.org:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: WINWIN-3PED2K
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: final.cmd
Size: 2.8MB
(MD5, SHA1, SHA256, SHA512 and SSDEEP identical to those listed under General)
Score: 10/10
Signatures:
  Checks computer location settings (looks up country code configured in the registry, likely geofence)
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Legitimate hosting services abused for malware hosting/C2