General
- Target: 43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f.exe
- Size: 616KB
- Sample: 240611-xjj76sxdle
- MD5: dec965bfa7c35a4b7c9265610a45a7bf
- SHA1: e5d97eb5a5bf91e0b006ce75e6ade7bccfde52b2
- SHA256: 43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f
- SHA512: ff8d44422263f2171118b8ae22f2434c00ac665f87bf6088b7afc58aac2849b36f841011a2ab01da4cc6bd0cf50bcc724f531b1e47aab71f564a73ab3372333f
- SSDEEP: 12288:xX0pxBV36Di8BtLhPvBfLjhwCsMmhSqkcAOv19drFOBpCixYTJYviJ9EAmD:ABFKzVLlDsMmYqkcAO1QBpCkiH
Static task: static1
Behavioral task: behavioral1
- Sample: 43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f.exe
- Resource: win7-20240508-en
Malware Config
Extracted
remcos
1.7 Pro
banksy
62.102.148.166:3319
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: egsy
- keylog_path: %AppData%
- mouse_option: false
- mutex: remcos_rpklfmytvo
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: 43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f.exe
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext