General
Target: 5e844414ea549987c5b90d612ae041e0c6e88b2480accb542d1a7f8023b3b54a
Size: 989KB
Sample: 240820-f9stkawamd
MD5: 235384f581ddf4188c77eb474666b49d
SHA1: 5d1fadace4e1c274e70285cf49509607f869137f
SHA256: 5e844414ea549987c5b90d612ae041e0c6e88b2480accb542d1a7f8023b3b54a
SHA512: a880d2847df78e7e2c42285ba25f39a54f1db1e0131cd74f2a2e9a29343a7528821fb310041fe6166bcc76f8d4737bfc193dc977cb2bca02f8d218fdf9af6ba4
SSDEEP: 24576:aTCVkzC+drd8sg4Oo8ySyR0mNOctl7pt3/LaEOIOy:KCVV+MZ4Oo8IR0Zctlr3/LaEOG
Static task: static1
Behavioral task: behavioral1
  Sample: PO530.scr
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: PO530.scr
  Resource: win10v2004-20240802-en
Malware Config
Extracted: remcos
RemoteHost: 154.216.18.217:7589
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-24WZW7
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: PO530.scr
Size: 1.1MB
MD5: aec21eef4fa2049667248eb94540c273
SHA1: 4b79b0f47ef7e07e91f17ae9fae0fe5dcb4b325d
SHA256: 851f982012e2da475ccdcf6ab24db055584f417d28ce943f894b3376417a89df
SHA512: 93193e81598532a8ad98c50a9a6f0b6f00f7136c53997d300fa6e857cb0fc4394088e36870f1a8af32a5d11533fbe78c2290b0a939575074194cb33f3b5944ee
SSDEEP: 24576:Jlbn3ToGC/qaSuFKrXgs2MOo0MUbOouIlQ/AI806IR:Pbn8GiUu9tMOo0RLnlQ/r806Q
Score: 10/10
Signatures
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Suspicious use of SetThreadContext