General
Target: 07082024_1405_07082024_SC0782024CI3T6.ISO
Size: 1.5MB
Sample: 240807-rdvh3asgnc
MD5: 9ae088cbd0552e7ffc4c848edc8318ec
SHA1: 095befab1d306b5a0028ddbdca91919b26ae823b
SHA256: 1c1feccd5b1218fa16072ffe996dda639d6d4279f9ccf2cabfeb1c7aedeabba6
SHA512: 1019c17548fda039613302aa0395126b66b61df348eef1c0070f645c394a76bdd2e7c1f22043d362d4c7f456f7ebedd082a0af8ff1cc12af67e71a78ee038c3f
SSDEEP: 24576:ZBEkrGVB7ExI6nE8AB+BIYRZHEPfcx2W:ZBtrGVB78IMEvB6tAH
Static task: static1
Behavioral task: behavioral1
Sample: SC0782024CI3T6.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: SC0782024CI3T6.exe
Resource: win10v2004-20240802-en
Malware Config
Extracted: remcos
RemoteHost: dave7754.duckdns.org:6908
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: vmn-FGUTXY
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
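The extracted configuration above, turned into hunt indicators by an added Python example (this is not Triage's or Remcos's code). It parses the key/value pairs as transcribed from the report, splits RemoteHost into host and port, flags the dynamic-DNS domain, records the beacon timing, and gates the file artefacts on the feature flags so that features the config leaves off (install_flag, keylog_flag, screenshot_flag are all false here) are listed as dormant rather than hunted for. The dynamic-DNS suffix list is an assumption for illustration; the config gives no root directory for copy_folder, so that artefact is left as a relative path.

```python
import re

# Constructed input: the Remcos configuration keys and values transcribed from the
# report above, one "key: value" pair per line (the layout is mine, the values are the report's).
REMCOS_CONFIG = """\
RemoteHost: dave7754.duckdns.org:6908
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: vmn-FGUTXY
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
"""

# Assumption: a small illustrative list of dynamic-DNS providers. A real hunt
# would use a maintained list, not these four names.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")


def parse_config(text):
    """Turn the flat key/value dump into a dict, typing booleans and integers."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # split once: RemoteHost contains a second colon
        value = value.strip()
        if value.lower() in ("true", "false"):
            value = value.lower() == "true"
        elif value.isdigit():
            value = int(value)
        cfg[key.strip()] = value
    return cfg


def split_c2(remote_host):
    """'host:port' -> (host, port); rpartition tolerates colons in the host part."""
    host, _, port = remote_host.rpartition(":")
    return host, int(port)


def indicators(cfg):
    """Derive what to hunt for, gated on the feature flags so dormant artefacts
    are listed separately and do not generate false expectations."""
    host, port = split_c2(cfg["RemoteHost"])
    ioc = {
        "c2_host": host,
        "c2_port": port,
        "c2_dynamic_dns": host.endswith(DYNDNS_SUFFIXES),
        "mutex": cfg["mutex"],  # always present at runtime, a good EDR/Sysmon pivot
        "beacon": {"delay_s": cfg["connect_delay"], "interval_s": cfg["connect_interval"]},
        "expected_artifacts": [],
        "dormant_artifacts": [],
    }
    # (flag key, label, artefact path built from the config). The config does not
    # state the root directory for copy_folder, so the self-copy path stays relative.
    features = [
        ("install_flag", "self-copy", cfg["copy_folder"] + "\\" + cfg["copy_file"]),
        ("keylog_flag", "keylogger output", cfg["keylog_folder"] + "\\" + cfg["keylog_file"]),
        ("screenshot_flag", "screenshot store", cfg["screenshot_path"] + "\\" + cfg["screenshot_folder"]),
    ]
    for flag, label, artefact in features:
        bucket = "expected_artifacts" if cfg[flag] else "dormant_artifacts"
        ioc[bucket].append({"feature": label, "artifact": artefact})
    return ioc


if __name__ == "__main__":
    for k, v in indicators(parse_config(REMCOS_CONFIG)).items():
        print(f"{k}: {v}")
```

With this config the only artefacts worth hunting on disk are the mutex and the network beacon (connect_delay 0, connect_interval 1, i.e. an immediate and tight reconnect loop to dave7754.duckdns.org on TCP 6908); logs.dat, the Screenshots folder and the remcos.exe self-copy would only appear if the corresponding flags were true.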
Targets
Target: SC0782024CI3T6.exe
Size: 1000KB
MD5: f4e88e6dac03d2c04aabf759c64fc57d
SHA1: 04db3f09dfed43f1e3a0eab7349a3e85e415e39a
SHA256: b67bba8abf068ba6eca341fa378cc143e824fe924409447c1b69750f2c21abc6
SHA512: 444c817478b059e2e5be2c476c345342443975902dce12e5c042dab1fafe837d21845402cd16debacf108c8a95db64d7f37da3190f6d5c512267eb8b4c572578
SSDEEP: 24576:rBEkrGVB7ExI6nE8AB+BIYRZHEPfcx2W:rBtrGVB78IMEvB6tAH
Score: 10/10
Command and Scripting Interpreter: PowerShell (MITRE ATT&CK T1059.001)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes (Impair Defenses, T1562.001).
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check (System Location Discovery, T1614); the report does not name the registry value read.
Suspicious use of SetThreadContext
SetThreadContext is the API that process hollowing and similar injection techniques use to point a suspended thread at injected code; the report does not identify the target process.
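The first signature describes PowerShell adding Defender exclusions, but the report does not show the command line itself. As an added example (not part of the report), the detection logic below runs over a few constructed PowerShell Script Block Logging lines (the ScriptBlockText field of Event ID 4104), including two benign controls. It also handles PowerShell's acceptance of any unambiguous parameter-name prefix (-ExclusionPa is accepted for -ExclusionPath), which a literal string match on "-ExclusionPath" would miss, and it catches Set-MpPreference -Disable* tampering in the same pass.

```python
import re

# Constructed sample (not from the report): ScriptBlockText values as an EDR or SIEM
# would export them from PowerShell Script Block Logging (Event ID 4104).
SAMPLE_SCRIPT_BLOCKS = [
    'Add-MpPreference -ExclusionPath "C:\\Users\\Public\\Remcos" -ExclusionProcess remcos.exe',
    'Add-MpPreference -ExclusionExtension .exe,.iso',
    'add-mppreference -exclusionpa $env:APPDATA',            # lower case, abbreviated parameter
    'Set-MpPreference -DisableRealtimeMonitoring $true',
    'Get-MpPreference | Select-Object ExclusionPath',          # benign: read-only query
    'Write-Host "routine maintenance"',                        # benign: unrelated
]

# Only the cmdlets that change Defender preferences are of interest.
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# -Exclusion<kind> followed by one argument: double-quoted, single-quoted, or bare.
EXCLUSION_RE = re.compile(
    r"-Exclusion(?P<kind>[A-Za-z]*)\s+(?P<value>\"[^\"]*\"|'[^']*'|\S+)", re.IGNORECASE)
# -Disable<Feature> $true (the "$" is optional: "-DisableFoo true" also parses).
DISABLE_RE = re.compile(r"-(?P<feature>Disable[A-Za-z]+)\s+\$?true\b", re.IGNORECASE)
EXCLUSION_KINDS = ("path", "process", "extension", "ipaddress")


def resolve_kind(prefix):
    """PowerShell binds any unambiguous prefix of a parameter name, so map the
    prefix actually typed to the full exclusion kind; "" or "p" is ambiguous."""
    matches = [k for k in EXCLUSION_KINDS if k.startswith(prefix.lower())]
    return matches[0] if len(matches) == 1 else "ambiguous"


def detect_defender_tampering(script_block):
    """Return a list of findings for one ScriptBlockText value (empty if benign)."""
    findings = []
    if not CMDLET_RE.search(script_block):
        return findings
    for m in EXCLUSION_RE.finditer(script_block):
        # Split comma-separated lists (-ExclusionExtension .exe,.iso) and drop quotes.
        targets = [t.strip("\"'") for t in m.group("value").split(",")]
        findings.append({"rule": "defender_exclusion_added",
                         "kind": resolve_kind(m.group("kind")),
                         "targets": targets})
    for m in DISABLE_RE.finditer(script_block):
        findings.append({"rule": "defender_feature_disabled",
                         "feature": m.group("feature")})
    return findings


def scan(script_blocks):
    """Run the detector over a batch of events, tagging each hit with its event index."""
    hits = []
    for index, block in enumerate(script_blocks):
        for finding in detect_defender_tampering(block):
            hits.append(dict(finding, index=index))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_SCRIPT_BLOCKS):
        print(hit)
```

Targets such as $env:APPDATA are reported unexpanded; resolving them needs the user context of the event, which Script Block Logging does carry (the event's SID) but this example does not model.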