General
-
Target
79919_0f08893b557febed593cc4f0ec7a01c3bb2ca075e1842e8e380e56c05ad2d12f.zip
-
Size
885KB
-
Sample
240823-hjha9azfpc
-
MD5
d4a1342315e30c7c5ebe55e2b018a64f
-
SHA1
de0ed154449280298cd609824d99a042fccc19d7
-
SHA256
a09ecb38394adc089fcda9dd13c16cf9724ddf3d790db252e6b47acb28f9cd57
-
SHA512
419ea817ec080764216aea4272d7c7e986dc23b4f00836121d76cdff277f86cf7ab2180c5ab5af1570928dfd338b037b2a3b708e86a11cc8fb4d0bc35b59a999
-
SSDEEP
24576:ftY/Wt81X4djFHeoCGhfzVl9sAYVjuuUG27HpKFuySF4Zt7kbYZe:ftV81XwjFAGhrH9sXjeG21K8FiQEe
Malware Config
Extracted
remcos
RemoteHost
204.10.160.190:6565
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-0GGA8I
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
0f08893b557febed593cc4f0ec7a01c3bb2ca075e1842e8e380e56c05ad2d12f
-
Size
949KB
-
MD5
0bc2c86acf4cc16244c2a201b686f3df
-
SHA1
7e945e859c1b6f4632940d9c8d41843d2b280e63
-
SHA256
0f08893b557febed593cc4f0ec7a01c3bb2ca075e1842e8e380e56c05ad2d12f
-
SHA512
7340733ef7f8ab9c75f8d46129b263c623777dce78b3e5dab008b0cd8c79829e26b6d153926d1d69978e3b11369fc3f374f764cbee369bdf59b028b6ef120789
-
SSDEEP
24576:yOv5DoLlqixR07Jb7XV/Aq+Tjq69r7NBEol5ek3:yu5e07NZAqGBN5z
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-