Extracted

• • Target

    b264d23c08e569cfb116398ba9b68da55c929a0450795a1194c296cc307b4d65.exe

  • Size

    18.5MB

  • MD5

    1edf285969ddea6233f47882315193c0

  • SHA1

    a7f25cf4a08b478e0b046a4013ce73cd0edaeba6

  • SHA256

    b264d23c08e569cfb116398ba9b68da55c929a0450795a1194c296cc307b4d65

  • SHA512

    3315d921e8089a6b4d8f2bf26b3335a1dbd8151f2545e2d4790026e4d33d7a2a2d88f791e94cb1f3662e1a3a57079f3eb4960ffcdbd4e99b29672653487d8b8a

  • SSDEEP

    393216:+nfbWnfb7nfbanfbonfbJnfbJnfb9nfb+nfbwnfbWnfb:+ninfnWnknVntnhnincnKn

  Score

  10^/10

  remcosraindiscoveryexecutionpersistencerat

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2