General
Target: ea563179bb92c04b05ee2e20b43dd960_JaffaCakes118
Size: 342KB
Sample: 240919-bt2pbatdrh
MD5: ea563179bb92c04b05ee2e20b43dd960
SHA1: bae1357c85c933f933cb1c3fbc906bb1e8f0ca72
SHA256: d357a2232ad73608f19ef5985d107513da9fc9de1d2e77f77ca259099742b913
SHA512: 53a5454cb08a9387cc6c5a8b41fbbc55e622ba4a116e66964e12b8919d1c96c054ada46dc8480aff93d4884e0a85199be9e79685b404b612d1230c358744735a
SSDEEP: 6144:keln+8hieXtkSqkIA/2rtj9QCoCue1P2+ovl7rdN84Zrr5wFdkOR:pl+4ttkSgAerN91oCue1PU9LvrNwFdkm
Static task: static1
Behavioral task: behavioral1
Sample: Jagtap Trading - order #JEW-39-16.02.2021.exe
Resource: win7-20240903-en
Malware Config
Extracted: remcos 1.7 Pro
Host: 45.137.22.36:20201
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: remcos_mvishsbxyn
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: Jagtap Trading - order #JEW-39-16.02.2021.exe
Size: 700KB
MD5: 44f10846980aaad7a8c4984b214aa4b0
SHA1: 77d87acb0ec259ea13dbe261fb51845618bad7b4
SHA256: 753cc07b3d3e9d5cc44061f9f5b2933d2e1f7f18155f9c17346592e254eab0c2
SHA512: 2af313958523ffb30473ba3111331a267dc05a1ac1680c3129cb88e143a14ea84a3a30536c98fe28b7841162dd750197f65ca0b161a6757f1d75735f4a4062cb
SSDEEP: 12288:TBU93mpF4OWwA8rN91UCue1X2EN9+2ii+Tl:TGIWwAkN91Uk1GEFi
Signatures:
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext