General
Target: 1bd0be551dddca318d0d5900bdec33945c8c1dba5a7aa6be77ce5a150eb3d797
Size: 889KB
Sample: 240904-vpt88avfpc
MD5: 1d998cbec50eef6fb310357e062a018d
SHA1: 1bbc9c694404e9b391b14b31df6f203356f23e1c
SHA256: 1bd0be551dddca318d0d5900bdec33945c8c1dba5a7aa6be77ce5a150eb3d797
SHA512: 5772c7481451894ca2c179520611db96ff9cfa01f18dc408ad6944dc891e1dcae3c9523c065901d4036d69188d127884dab2024821d352987c224aa0e2ae9d56
SSDEEP: 24576:IHNA3RduX6oKlkEnA1f8yWTDAGCOoEoA2nohQw:IHNKSNKlkZfITEKV7

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 0955e1c717cfb3cc4b97d2e22f2e1f6493b6afa62f94e8d068baa3946f47f820.exe
Resource: win7-20240903-en
Malware Config
Extracted
Family: remcos
Botnet: 5764576
C2: 172.93.218.178:45667

Attributes
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: 765-XJJE0J
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: 0955e1c717cfb3cc4b97d2e22f2e1f6493b6afa62f94e8d068baa3946f47f820.exe
Size: 932KB
MD5: 64e16402e0b5cb51390ae3045c20a7df
SHA1: a5d496972c0344e5d72272d03daa5fcadabcc87d
SHA256: 0955e1c717cfb3cc4b97d2e22f2e1f6493b6afa62f94e8d068baa3946f47f820
SHA512: 5e2c69c2922591ee05d1d272e6acea984a8b5d9332f07629ecb3c14e06a516b61ec460b0b438f29155d995c39aa14e4c1eaa7b3233dc6fc8104a9f2f6bb197bc
SSDEEP: 24576:zYQactqtW214Y3PTp8au7Yf7nP0zChutXNBxRv6N:zS1d3Pl8aueEqutDxJ

Signatures
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.

Suspicious use of SetThreadContext