General
Target: 57aa8232ed82d0667638c6442456b5150a2fc941e1b07ceac890ac96088f6490
Size: 1002KB
Sample: 240819-hehffsyhqf
MD5: cc82c34275f1370d1cd5723076f05b2a
SHA1: d5d2c370f810fd32ee43c316a24e18646c538702
SHA256: 57aa8232ed82d0667638c6442456b5150a2fc941e1b07ceac890ac96088f6490
SHA512: 56fe3e6894075d7578779e65df9cdbe834843d45613d72f039e21dfe4352eb330cc2f7b44d6f9689021c00eac9d4b22a4473672c7e190e783c7d07656aff1bac
SSDEEP: 24576:fmuA/h9Cpv3TJ+dKcTwGDl+ipDjDUkmFyAA:Ouch9CRDcdhw8l+ip7mFLA
Static task: static1
Behavioral task: behavioral1
Sample: FST31064R5I02.scr
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: FST31064R5I02.scr
Resource: win10v2004-20240802-en
Malware Config
Extracted: remcos
RemoteHost: 154.216.18.217:7589
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-24WZW7
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
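The extracted configuration above is what a responder turns into indicators, but not every field is a host artifact: most of the flags in this build are off, so files such as logs.dat or a Remcos\remcos.exe copy should not be expected on the victim. The following is an added example, not code from the sandbox report or from Remcos, that parses the flattened key/value dump as rendered above, types the values, pulls out the C2 endpoint and mutex, and derives expected file artifacts only from the flags that are actually enabled. The field semantics it assumes (install_flag gates the copy_folder/copy_file drop, keylog_flag gates keylog_file, the screenshot flags gate screenshot_folder) are inferred from the field names, the base directory for copy_folder is not present in this dump and is left relative, and comma-separated multi-host RemoteHost values are handled as an assumption for generality; the embedded dump is a constructed subset of the fields shown above.

```python
"""Parse a flattened Remcos config dump and derive hunt indicators.

Added example; not part of the report. Field semantics are inferred from
the field names (see lead-in). Input is a constructed subset of the
extracted config above, in the same one-key-line/one-value-line/"-" form.
"""
import ipaddress

CONFIG_DUMP = "\n-\n".join([
    "RemoteHost\n154.216.18.217:7589",
    "copy_file\nremcos.exe",
    "copy_folder\nRemcos",
    "install_flag\nfalse",
    "keylog_file\nlogs.dat",
    "keylog_flag\nfalse",
    "keylog_folder\nremcos",
    "mutex\nRmc-24WZW7",
    "screenshot_flag\nfalse",
    "screenshot_folder\nScreenshots",
    "screenshot_path\n%AppData%",
    "screenshot_time\n10",
    "take_screenshot_option\nfalse",
])


def _coerce(raw: str):
    """Type a raw value: true/false -> bool, digits -> int, else str."""
    low = raw.lower()
    if low in ("true", "false"):
        return low == "true"
    if raw.isdigit():
        return int(raw)
    return raw


def parse_config(dump: str) -> dict:
    """Pair up key/value lines, skipping blank lines and '-' separators."""
    lines = [ln.strip() for ln in dump.splitlines()
             if ln.strip() and ln.strip() != "-"]
    if len(lines) % 2:
        raise ValueError("dangling key without a value")
    return {key: _coerce(val) for key, val in zip(lines[::2], lines[1::2])}


def c2_endpoints(cfg: dict) -> list:
    """Return (host, port, 'ip'|'domain') tuples from RemoteHost.

    Assumption: several hosts may be comma-separated; this dump has one.
    """
    out = []
    for item in str(cfg.get("RemoteHost", "")).split(","):
        parts = item.strip().split(":")
        if len(parts) < 2 or not parts[1].isdigit():
            continue
        host, port = parts[0], int(parts[1])
        try:
            ipaddress.ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "domain"
        out.append((host, port, kind))
    return out


def expected_host_artifacts(cfg: dict) -> dict:
    """Predict on-disk artifacts from the enabled flags only.

    Assumed gating: install_flag -> copy drop, keylog_flag -> keylog file,
    screenshot_flag/take_screenshot_option -> screenshot folder.
    """
    files = []
    if cfg.get("install_flag"):
        files.append(f"{cfg['copy_folder']}\\{cfg['copy_file']}")
    if cfg.get("keylog_flag"):
        files.append(f"{cfg['keylog_folder']}\\{cfg['keylog_file']}")
    if cfg.get("screenshot_flag") or cfg.get("take_screenshot_option"):
        files.append(f"{cfg['screenshot_path']}\\{cfg['screenshot_folder']}\\")
    return {"mutex": cfg.get("mutex"), "files": files}


if __name__ == "__main__":
    cfg = parse_config(CONFIG_DUMP)
    print("C2:", c2_endpoints(cfg))
    print("Artifacts:", expected_host_artifacts(cfg))
```

For this build the result is the C2 socket 154.216.18.217:7589 and the mutex Rmc-24WZW7 with no predicted files; flipping install_flag to true in the parsed dict yields the Remcos\remcos.exe drop, which is the point of deriving artifacts from flags rather than listing every path in the config.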
Targets
Target: FST31064R5I02.scr
Size: 1.0MB
MD5: 3ca1c5a222270170f1dd0631a6412a97
SHA1: 7f2c4810088c80efd222796f073e601c596ee10b
SHA256: e7b280270d102142b0259ab7f4477757deec31060001f3760274979624f7ec8a
SHA512: b106cbce4551b1efade7ecd275b296de13a4a94f6079edfd16d11a462fa41117f2ab6f7a585304c58acb639fe37e45936009dc7c203842fa88ecdf5fd94cb911
SSDEEP: 12288:AtGAMd6OdKEari+iWSY9zzZTD1paycCJdcbrmYs9NLd4BvizJ2dvXDGdqA6VEhff:Atq6h1O4ZTJMz0cbwEo12hXRA6VEPdN
Score: 10/10
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes (normally done with Add-MpPreference or Set-MpPreference and the -ExclusionExtension, -ExclusionPath and -ExclusionProcess parameters; the exact command line is not shown in this report).
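Defender exclusion tampering is easy to detect once PowerShell Script Block Logging (Event ID 4104) or command-line logging is on, because the cmdlet and parameter names have to appear in the script text even when the call is wrapped in -EncodedCommand. The following is an added example, not code from the report or from this sample, that scans script-block text for Add-MpPreference/Set-MpPreference calls carrying any -Exclusion* parameter, decodes -EncodedCommand payloads (base64 of UTF-16LE) before matching, and ignores reads such as Get-MpPreference. The event lines are constructed for the example, not captured from this sample, and the detector is limited to the exclusion parameters named in the signature above (other MpPreference tampering, such as -DisableRealtimeMonitoring, would need its own rule).

```python
"""Detect Defender exclusion changes in PowerShell script-block text.

Added example; not part of the sandbox report. Sample events below are
constructed. Matches Add-/Set-MpPreference with any -Exclusion* parameter,
including inside -EncodedCommand (base64 UTF-16LE) wrappers.
"""
import base64
import re

# One statement: the cmdlet plus everything up to a pipe, semicolon or newline.
CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b([^|;\n]*)", re.IGNORECASE)
# Any exclusion parameter on that statement (Path, Extension, Process, IpAddress).
PARAM_RE = re.compile(r"-(Exclusion\w*)", re.IGNORECASE)
# -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
CANON = {
    "exclusionpath": "ExclusionPath",
    "exclusionextension": "ExclusionExtension",
    "exclusionprocess": "ExclusionProcess",
    "exclusionipaddress": "ExclusionIpAddress",
}


def layers(text: str):
    """Yield the raw text, then each decodable -EncodedCommand payload."""
    yield text
    for m in ENCODED_RE.finditer(text):
        try:
            yield base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command; ignore


def find_exclusion_changes(text: str) -> list:
    """Return [(cmdlet, [parameters]), ...] for every exclusion-changing call."""
    hits = []
    for layer in layers(text):
        for m in CMDLET_RE.finditer(layer):
            params = [CANON.get(p.lower(), p) for p in PARAM_RE.findall(m.group(2))]
            if params:
                hits.append((f"{m.group(1).title()}-MpPreference", params))
    return hits


def scan(events: list) -> list:
    """Return (index, hits) for each event that changes an exclusion."""
    out = []
    for i, ev in enumerate(events):
        hits = find_exclusion_changes(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed events: a benign read, direct tampering in mixed case, other
# Defender tampering that is out of scope here, and an encoded wrapper.
SAMPLE_EVENTS = [
    "Get-MpPreference | Select-Object ExclusionPath",
    "add-mppreference -exclusionpath 'C:\\Users\\Public' -exclusionextension scr",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(
        "Add-MpPreference -ExclusionProcess 'remcos.exe'".encode("utf-16-le")
    ).decode(),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

Run over the constructed events, only the second (direct, mixed-case) and fourth (encoded) lines fire, each reporting the cmdlet and the exclusion parameters it sets. PowerShell also accepts abbreviated parameter names such as -ExclusionP, so a production rule should relax PARAM_RE to a prefix match and pair it with Defender's own operational log (event 5007 records preference changes) rather than relying on script text alone.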
Checks computer location settings
Looks up the country code configured in the registry, most likely a geofence check so the payload only runs in (or avoids) certain regions. The report does not show which value was read; Windows keeps the user's region under HKCU\Control Panel\International, and the Geo\Nation value is the usual target of this check.
Suspicious use of SetThreadContext
No further detail is given in this report. SetThreadContext rewrites a thread's register state, including its instruction pointer; outside debuggers it is rarely legitimate and is the characteristic final step of process hollowing and similar injection, where a suspended thread is pointed at a freshly written payload.