General
Target: AWB 5596370080 Documents.gz
Size: 887KB
Sample: 240723-q8lc7stcmj
MD5: 8e1ff426694b680b166d92c1d92863f9
SHA1: 033cf1d2087b978ee425eb20a470ada41f74dd65
SHA256: 1b4991d36f09f8cb146534524957f89da72621057cce18a95335b001566b08b2
SHA512: a3874478d8009e7b782a30d71c1138415bdb3a0491e33975c8de3e74a0d1d12dc9e4fdd5768c27f0573c772e877e4be2ebb229179b8698f9ef5a8a51756a0fa1
SSDEEP: 24576:YR9UtmVyyP+ojt5FGxPEEvlqayxOCvHnJ2s+v:YRWmEyP+MGjvlNWn1s
Static task: static1
Behavioral task: behavioral1
Sample: AWB 5596370080 Documents.exe
Resource: win7-20240705-en
Malware Config
Extracted
Family: remcos
Botnet: 5764576
C2: 172.93.218.178:45667
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: 765-XJJE0J
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: AWB 5596370080 Documents.exe
Size: 934KB
MD5: 1ef0c7abe1471a69b746d6b0605ce71f
SHA1: ca1cae85ebb6120908d39d45b1ffa232daeff544
SHA256: 377e5c1f1fd2f26d7a348a6393e110800b21f0cfe7d9ecf108e7612e43f5230b
SHA512: 04810d34bc2e9c55d276844bd5a8a65a12ce5e73df819aa4a9ff5c25ab0e6486c5e48ce1c382887e64d7f78fd4044c4ffa7872250eb51ce13340d4de109478e5
SSDEEP: 24576:sAwoIc0sIftPNPh64pCIUkbiFdb7aK8cvXrP74I6GLMbP:sFFPh6nIO/yK57hFC
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Checks computer location settings
Looks up country code configured in the registry, likely geofence.

Suspicious use of SetThreadContext