General
-
Target
57c246dd2b2221edbfd54ff9246a0099.bin
-
Size
865KB
-
Sample
240910-hyv6na1fqm
-
MD5
e639af213c5b91d424222c2119934b43
-
SHA1
720747f1cd89d44a1d9f677877678c3a46c4703a
-
SHA256
af6054c52f9d147fe0dd9efd156d20d1be517145a61576c9ac065e4b99a66c3e
-
SHA512
b5e808cec52cff02e53095f69f4ff1114a02b59972e8106e3172b7619cd687486b22f0053f146c1053bae161566f9dbdb3875b4ef8f0eedf1212a856139da40d
-
SSDEEP
24576:qIF5qNr7cXK/CsX+kxx5rSZrZoO57KfPmMSI8phaE:qI+Nr7ca/jTtKr55ef/saE
Malware Config
Extracted
remcos
throttle_8967
154.216.18.217:8967
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-4SV4HO
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
6fb1afbb72d328bdaca9c019107c5ce12c81bfbabac1f1b7426db29ffec79f96.exe
-
Size
914KB
-
MD5
57c246dd2b2221edbfd54ff9246a0099
-
SHA1
3e4dc6e19407ff041b25629082a90382be7b957f
-
SHA256
6fb1afbb72d328bdaca9c019107c5ce12c81bfbabac1f1b7426db29ffec79f96
-
SHA512
5a49e14dfaa8b6f53bc9e5da299f43d199389ded897c9a23ec6615c396bc83e6589787f0704fa097c395296d643fd0b6b3e83dbdddad385d2ee5af5825cea9e2
-
SSDEEP
24576:+Eb5NCjPBS2nv0frerFWM+u848EUjooYgyUKHdw:N5N+5S2nv0fKxIuRUjoSK
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-