General
Target: Purchase Order.zip
Size: 450KB
Sample: 240513-kddrzsfd57
MD5: a8e54cd71a9542020d401b6c9b256589
SHA1: 9d08f90763a0207aea3b3a23f9835dacc16cfdac
SHA256: e6f6c539da2c4a76486b2351967986aa9e56cc7afb1acf94fb363c8cb844185f
SHA512: d13d8517ec67914e04d61753b4df7efaa05d7b3e321fb1507253269205aa37af205a9bc993c6e882111b8b534a7d9ef78a897d01e9b2dce6dfb2a1959eacb196
SSDEEP: 12288:CiAXpkxN0CxLHkpxPYDJbSl+xQsVNHpmbVeO:+X0N0CxL+gDh7Pho8O
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: Purchase Order.exe
  Resource: win10v2004-20240226-en
Malware Config
Extracted
Family: remcos
Botnet: abig1
C2: tochisglobal.ddns.net:6426
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: -2MBZMJ
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: Purchase Order.exe
Size: 566KB
MD5: 996cd1a4008e0fca3750e9524bd13a9d
SHA1: f202d20579ba03acb804f651bf66e2ab47add4c8
SHA256: 00473ae2a9e945343456d0193e1a5fe58c71776f42e747249a3c435b8ce7e1bb
SHA512: 8b71beb452cb4f03f6e9fc897ec1164f5ec8e547d3c6ee57ab5c07cca22d5cd71371f8dee45cb63e7bec838dc4b30b34a187b5e81439b3e71553b35a71f9e7b2
SSDEEP: 12288:ja+TesAUQUC4Mpx3Y1JbSd+xQgVN9pmdVepFq:28esAfUPGI1h3RHY8rq
Score: 10/10
Signatures
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Adds Run key to start application: persistence through a Run registry value.
Suspicious use of NtCreateThreadExHideFromDebugger: anti-debugging, the new thread is created hidden from any attached debugger.
Suspicious use of NtSetInformationThreadHideFromDebugger: anti-debugging, an existing thread is hidden from the debugger.
Suspicious use of SetThreadContext: rewriting another thread's context, commonly part of process injection or hollowing.
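The extracted config and the behavioural signatures above are what an analyst turns into hunt indicators. The script below is an added example for this report, not Tria.ge's or Remcos's code: it takes the config values exactly as listed on the page, derives network, mutex and file-path IOCs from them, and runs those IOCs over a handful of hand-written EDR-style events (constructed for the example, not sandbox output). Two assumptions are labelled in the code: that copy_file lives under copy_folder beneath %AppData% and keylog_file under keylog_folder, and that a live implant may prefix the configured mutex string. The script also encodes the caveat that matters for this sample: install_flag, keylog_flag and screenshot_flag are all false, so the copy path, keylog file and screenshot folder are configured values, not artefacts the implant was told to write.

```python
"""Derive hunt IOCs from the Remcos config extracted above and run them over
constructed EDR-style events.

Added example for this report; not Tria.ge's or Remcos's code.  CONFIG holds
the values shown on the page; EVENTS are hand-written test records."""

import json
import re

# Extracted config, typed.  Keys and values are those shown in the report.
CONFIG = {
    "family": "remcos",
    "botnet": "abig1",
    "c2": ["tochisglobal.ddns.net:6426"],
    "copy_file": "remcos.exe",
    "copy_folder": "Remcos",
    "install_flag": False,
    "keylog_file": "logs.dat",
    "keylog_folder": "remcos",
    "keylog_flag": False,
    "mutex": "-2MBZMJ",
    "screenshot_flag": False,
    "screenshot_folder": "Screenshots",
    "screenshot_path": "%AppData%",
}


def derive_iocs(cfg):
    """Group IOCs by how confidently the config predicts them.

    Network and mutex values come straight from the implant settings.  File
    paths are 'expected' only when the matching flag is true; otherwise they
    go to 'configured_only' so nobody hunts for files that were never written."""
    c2 = []
    for entry in cfg["c2"]:
        host, _, port = entry.rpartition(":")
        c2.append({"host": host, "port": int(port)})
    iocs = {"network": c2, "mutex": cfg["mutex"], "expected": {}, "configured_only": {}}
    # ASSUMPTION: copy_file sits under copy_folder beneath %AppData%, and
    # keylog_file under keylog_folder.  The page does not state the base paths.
    copy_path = f"%AppData%\\{cfg['copy_folder']}\\{cfg['copy_file']}"
    keylog_path = f"{cfg['keylog_folder']}\\{cfg['keylog_file']}"
    shot_dir = f"{cfg['screenshot_path']}\\{cfg['screenshot_folder']}"
    for label, flag, value in (("install_path", "install_flag", copy_path),
                               ("keylog_path", "keylog_flag", keylog_path),
                               ("screenshot_dir", "screenshot_flag", shot_dir)):
        bucket = "expected" if cfg[flag] else "configured_only"
        iocs[bucket][label] = value
    return iocs


def _expand(path):
    """Compile a config path into a case-insensitive regex; %AppData% becomes
    any user's roaming profile.  Unanchored so quoted Run-key data still matches."""
    pattern = re.escape(path).replace(re.escape("%AppData%"), r".*\\AppData\\Roaming")
    return re.compile(pattern, re.IGNORECASE)


def match_events(iocs, events):
    """Return (event index, ioc label) for every event that hits an IOC."""
    hosts = {n["host"].lower() for n in iocs["network"]}
    endpoints = {(n["host"].lower(), n["port"]) for n in iocs["network"]}
    paths = {k: _expand(v) for k, v in {**iocs["expected"], **iocs["configured_only"]}.items()}
    hits = []
    for i, ev in enumerate(events):
        kind = ev["event"]
        if kind == "dns_query" and ev["query"].lower() in hosts:
            hits.append((i, "c2_domain"))
        elif kind == "network_connect" and ev["dst_host"].lower() in hosts:
            exact = (ev["dst_host"].lower(), ev["dst_port"]) in endpoints
            hits.append((i, "c2_endpoint" if exact else "c2_host_other_port"))
        elif kind == "mutex_create" and iocs["mutex"] in ev["name"]:
            # ASSUMPTION: substring match, in case the implant prefixes the value.
            hits.append((i, "mutex"))
        elif kind in ("file_create", "registry_set"):
            target = ev.get("path") or ev.get("data", "")
            for label, rx in paths.items():
                if rx.search(target):
                    hits.append((i, label))
    return hits


# Constructed test events (not from the sandbox run).
EVENTS = [
    {"event": "dns_query", "query": "tochisglobal.ddns.net"},
    {"event": "network_connect", "dst_host": "tochisglobal.ddns.net", "dst_port": 6426},
    {"event": "mutex_create", "name": "-2MBZMJ"},
    {"event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\remcos",
     "data": r"C:\Users\alice\AppData\Roaming\Remcos\remcos.exe"},
    {"event": "dns_query", "query": "ctldl.windowsupdate.com"},  # benign control
    {"event": "network_connect", "dst_host": "tochisglobal.ddns.net", "dst_port": 443},
]

if __name__ == "__main__":
    iocs = derive_iocs(CONFIG)
    print(json.dumps(iocs, indent=2))
    for idx, label in match_events(iocs, EVENTS):
        print(f"event {idx}: {label} -> {EVENTS[idx]}")
```

The Run-key hit is reported even though install_flag is false: the page's "Adds Run key to start application" signature fired in the sandbox regardless of the Remcos setting, so the path stays in the match set but is labelled configured_only in the IOC output. The last event shows why host and endpoint are matched separately: a connection to the C2 host on a port other than 6426 is still worth a ticket.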