General
Target: 22052024_1742_22052024_CDE_2049084470 - Copy.Tar
Size: 850KB
Sample: 240522-waarpsag62
MD5: 57ff5862ba564035efd6db04aa017c85
SHA1: 35840d6b9e3e72101858f11732e4968ccc688825
SHA256: a2d5da2dfcffcb6e9abcf4fe9186d506f0fca5425a59f95d55c42c0db5a246c4
SHA512: 214e18ca57535125da7826e193d373664d6234bf7c6f837072fe8edf89e5a0d2e9272a00b1ccd513ef157aaf07484a21959d72f2ac9a0774c726f6618222da53
SSDEEP: 24576:yX8MYu6sOVNb7k7RfSZ3M8HRMQJ4vNu7XTS:ySLsOVR7yfQ3My4vD
Static task: static1
Behavioral task: behavioral1
  Sample: CDE_2049084470_PDF.cmd
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: CDE_2049084470_PDF.cmd
  Resource: win10v2004-20240508-en
Malware Config
Extracted: remcos
DodoCrypt
172.208.52.39:5404
172.208.52.39:5403
172.208.52.39:5402
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: xvxx.dat
keylog_flag: false
keylog_path: %UserProfile%
mouse_option: false
mutex: roasazxasasacvxzx-FQHYSN
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value:
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: CDE_2049084470_PDF.cmd
Size: 4.3MB
MD5: 5195a3d6627e770e3324548c567c8472
SHA1: 125ff038969a23bfff04b9af006837b594548bee
SHA256: 72fc83042393e2a055a3a10e1ee35367957aa2ed02be67ca61e472ddf16a42cc
SHA512: 8d1cb56fac1c5a884d9bec97b13742d3419f5923e6c909368ea55a7bfcd2d2ca18cd9be16bdfd69e3cc861d1e97fbcb68dfe711cebfaaa7c057c8fdc4cf09227
SSDEEP: 24576:WakXdieqvCLukUWOJWEs2UK1lxu223QJyTBDJYBHX063u9ipNimFDp:WaMd4v4ui+Fs2F23QJeN+HzpNimFDp
Score: 10/10
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application