General
Target: POLIST.exe
Size: 2.0MB
Sample: 240919-t7pk1szarq
MD5: e21b8ab721253a904d148587bb256be4
SHA1: 36c602234b7a066799d81ec264cb44ac366a0a8e
SHA256: 0482038dee8cdc3992533d6d3bfd36123a0efc02809b9c1cb87febef83a3517a
SHA512: efc3adfd0023202c9582c5890d69fb995122bdaf1453c1be9c301cf4e74ed7c1191b4ee58ea51ad1661749a78a472b07d6a039da9afb1a9c1f8c99c3ebb5e0ba
SSDEEP: 49152:6TvC/MTQYxsWR7alUZqvJ+UtB7wxAzbimbJX:KjTQYxsWRpZqvJ+kBGob7bJ
Static task: static1
Behavioral task: behavioral1
Sample: POLIST.exe
Resource: win7-20240708-en
Malware Config (extracted)
Family: remcos
Botnet: SPIRIT
C2: nzobaku.ddns.net:8081
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-KF96SW
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: POLIST.exe
Signatures:
Drops startup file
Executes dropped EXE
Loads dropped DLL
AutoIT Executable (AutoIT scripts compiled to PE executables)
Suspicious use of SetThreadContext