General

Target: 2b08ba942fe3db3fb1937ca40e1f392ed7d98513b70fd73c2da9723ac8c971ac.zip
Size: 1.5MB
Sample: 240920-bk9css1gnm
MD5: 8046dae95394e8f8d0f70638678aa4bd
SHA1: 5cbc3d2fe90cbd331b7358cea28ea8cc5ad28b3b
SHA256: 2b08ba942fe3db3fb1937ca40e1f392ed7d98513b70fd73c2da9723ac8c971ac
SHA512: aa824b0255092c112856b0947b1bd1cf5abf0263103319d515a77ed4db735d4e1f635169d1a5f1796ed3b79a6d091f64bb2a627c9b4e1619b1ca19700afffee8
SSDEEP: 24576:H3Gs2GVrF3nXbPFILCRdR5s/rp9m8U7ixXt1JiDGFoAdKf4hTUQZ8iQmtq+5fV7:H2JGf3XxILCRwQ8U7gkdNf+NZXV75h

Static task: static1
Behavioral task: behavioral1
Sample: PO-LIST.exe
Resource: win7-20240903-en
Malware Config

Extracted: remcos
Botnet: SPIRIT
C2: nzobaku.ddns.net:8081

audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-KF96SW
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
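The config block above is the output of a configuration extractor, not the raw form in which Remcos carries it. The following is an added example (not the sandbox's extractor and not code from the Remcos project) of how such a blob is typically recovered. It assumes the layout described in public write-ups: one byte of RC4 key length, the key, then RC4-encrypted settings whose fields are separated by `|\x1e\x1e\x1f|`, with the first field holding `host:port:password` C2 entries and the second the botnet id. The key `ExampleKey123`, the position of every field after the second, and the `1` password are constructed for this example; the host, port, botnet name and mutex are taken from the extracted config on this page.

```python
"""Decrypt and split a Remcos-style SETTINGS blob (RC4, key-length-prefixed).

Added example, not the sandbox's extractor. Layout is assumed from public
write-ups: byte 0 = RC4 key length, then the key, then RC4-encrypted settings
with fields separated by b"|\x1e\x1e\x1f|". Only the meaning of the first
two fields (C2 list, botnet id) is relied on; later positions are illustrative.
"""
from __future__ import annotations

FIELD_SEP = b"|\x1e\x1e\x1f|"   # assumed field delimiter for newer configs
HOST_SEP = b"\x1e\x1e\x1f"      # assumed separator between multiple C2 entries


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_settings_blob(key: bytes, fields: list[bytes]) -> bytes:
    """Build a blob in the assumed layout; used here only to produce test input."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def parse_settings_blob(blob: bytes) -> dict:
    """Recover the key, the plaintext fields, the C2 entries and the botnet id."""
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("bad key length byte")
    key = blob[1:1 + key_len]
    plain = rc4(key, blob[1 + key_len:])
    if FIELD_SEP not in plain:
        # Wrong key, wrong offset, or an older delimiter: do not guess, fail loudly.
        raise ValueError("field delimiter not found after decryption")
    fields = plain.split(FIELD_SEP)
    c2 = []
    for entry in fields[0].split(HOST_SEP):
        parts = entry.decode("latin-1").split(":")
        if len(parts) >= 2 and parts[1].isdigit():
            c2.append({"host": parts[0], "port": int(parts[1]),
                       "password": parts[2] if len(parts) > 2 else ""})
    return {
        "key": key,
        "fields": fields,
        "c2": c2,
        "botnet": fields[1].decode("latin-1") if len(fields) > 1 else "",
    }


# Constructed sample: C2, botnet and mutex values come from the report above;
# the key, the password "1" and the order of the trailing fields are made up.
SAMPLE_KEY = b"ExampleKey123"
SAMPLE_FIELDS = [b"nzobaku.ddns.net:8081:1", b"SPIRIT", b"0", b"1",
                 b"remcos.exe", b"Remcos", b"Rmc-KF96SW"]
SAMPLE_BLOB = build_settings_blob(SAMPLE_KEY, SAMPLE_FIELDS)

if __name__ == "__main__":
    cfg = parse_settings_blob(SAMPLE_BLOB)
    print(cfg["c2"], cfg["botnet"])
```

Against a real sample the input is the raw bytes of the RCDATA resource, and the first thing to check when decryption yields no delimiter is whether the build uses an older separator rather than a different key; the parser refuses to guess so that a silent mis-split does not end up as bogus IOCs.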
Targets

Target: PO-LIST.exe
Size: 2.0MB
MD5: e21b8ab721253a904d148587bb256be4
SHA1: 36c602234b7a066799d81ec264cb44ac366a0a8e
SHA256: 0482038dee8cdc3992533d6d3bfd36123a0efc02809b9c1cb87febef83a3517a
SHA512: efc3adfd0023202c9582c5890d69fb995122bdaf1453c1be9c301cf4e74ed7c1191b4ee58ea51ad1661749a78a472b07d6a039da9afb1a9c1f8c99c3ebb5e0ba
SSDEEP: 49152:6TvC/MTQYxsWR7alUZqvJ+UtB7wxAzbimbJX:KjTQYxsWRpZqvJ+kBGob7bJ

Signatures:
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext: setting the context of a thread in another process is a common step in process hollowing and RunPE-style injection.