General
-
Target
15082024_0855_14082024_GST_debit note -Aug 2024.rar
-
Size
557KB
-
Sample
240815-kvlh6azbnm
-
MD5
1a113bc09cbb7e11824e586b471e75ab
-
SHA1
dc45c053f6e7b612a2647c84136c957bc092c3df
-
SHA256
dab4b15e4bd5233f51c8abf8e15cbe1196e2a1b0e328967009f1955acee6ab34
-
SHA512
71ce09e643b74769d5c77ae814d5620dbd28cd5aff3f2aa6e570e9e7dc68b93c91393c5b292f729523af6cb933c113541f1c917fc1038117b413941dc28bb076
-
SSDEEP
12288:iWG5DLlb9sgPxg8xisrjcQNqDWTyrs8p+xCsSxVvqVX9Wr9gdF:m5HlxsktrgQsDDMxCswqgyF
Static task
static1
Behavioral task
behavioral1
Sample
GST_debit note -Aug 2024.pdf.scr
Resource
win7-20240704-en
Malware Config
Extracted
remcos
1.7 Pro
credit
213.152.187.220:27873
stcchd.duckdns.org:27873
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
note.dat
-
keylog_flag
false
-
keylog_folder
credit
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_tgmbmthuqf
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
GST_debit note -Aug 2024.pdf.scr
-
Size
665KB
-
MD5
5dff2b0b6cac8c402d1f6d33b02719b0
-
SHA1
03199418ecff1281be63fc42ee532ff0e70567e8
-
SHA256
d878174195c4772f3f30f1d276685d1bbdecc953ea99d5f842bc36d61753f11c
-
SHA512
fe25929cf5d5f16125265afb94f5656671483e8300f59276f2609d310f97a70a9c12d47571adfe20103be4aef4c2cd3ccdc910d61cb3fbc4c51f3c291214c844
-
SSDEEP
12288:8dw7c65kts5uvaYqwWvHQ+8QZI5Hs6tTIQbfBV63Si61l5Z6JEAmD:8u7+tkYqwEx8Q+5JZYiZ6J
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-