General
-
Target
08d247fb70ecc7efcd06910e6ae50d308cd6850987943a07374028a9d7c77415.gz
-
Size
850KB
-
Sample
240917-ses73azckj
-
MD5
aa153884e73156bd44208fb9d1917aba
-
SHA1
a07fa599da3f4384265a1abefb93c4228d91c47d
-
SHA256
08d247fb70ecc7efcd06910e6ae50d308cd6850987943a07374028a9d7c77415
-
SHA512
79638b45414a5ed85da6998a0bbca395a448c4138f041838752108274d5b91063e1bbc1fbc99808fb971f50f1a1ef05e118e8699ab59bd48cb0e909a1c48a48a
-
SSDEEP
24576:NWnj81akfCViEDhkD+08jwUNH7wMOYfcuLTJdHRa:NWg1akf8iehgzIHJ7wMODIVdHRa
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:59321
nnamoo.duckdns.org:59321
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-41EVS0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Bordereau de versement.exe
-
Size
849KB
-
MD5
90b3d027e4e43d4c867f04b4c89c8589
-
SHA1
c23bed92fbe828fa9699115d15e0296ba18ca561
-
SHA256
bac49390230b8d170af75761bf64a3e877b570bea0c9b5ba73dd54a7fab5c351
-
SHA512
c5ad505038b66cc8388cfd8d558734663ab3a01e648fe91a25f3103e0493d78e42d03d7090a6738fbf0acda474511be9af57b0416618df3cfb089bb326b82fe4
-
SSDEEP
24576:wWnj81akfCViEDhkD+08jwUNH7wMOYfcuLTJdHRa:wWg1akf8iehgzIHJ7wMODIVdHRa
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-