General
-
Target
CI-TLN0124796CMACGM.TBZ.rar
-
Size
860KB
-
Sample
240923-rjfl4ayckq
-
MD5
fd7e1bdfdc662e3178360b91a7b64850
-
SHA1
b3b8f8daba42e0dc23b196f48f016a752069c894
-
SHA256
e8aa95c6ae470b7631ac3b11a81e7f76fe0a0b10a6fafff1ab987e10438a3e0e
-
SHA512
2080d41eab7d174d41152bc3918f15f122f01fa6c2156f6e885d0fa663d2fbb004894a825f3f3f89d0101ee17eb6c0378e67ec381abd29500e4ffaa511be4f09
-
SSDEEP
24576:ueWODCOdvMn6rin7jQSLo6iqG3qdTOAY4MJ9rYAbPbP:uOCOdvQQSu93W674+sAbPbP
Malware Config
Extracted
remcos
GeneralWire-Slaves
milliondollar23.duckdns.org:3984
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-TWU43D
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
CI-TLN0124796CMACGM.scr
-
Size
915KB
-
MD5
02d513fa3a4c04f1ffce97c25caccdff
-
SHA1
853948f7ff1d69a293c4f4617185c24b9859e6dd
-
SHA256
d00a443bf00b909b32fbd9894462283fca5788e28b96a9e729f43fc4f2ca585a
-
SHA512
9a9b925e7d5acec5216ecb64f7352a8a27598106452984f08155f2bef640fe1ad93ff3a7869cacfaec2514641740c41fcc0e7e4f0172eaa7072c1c9c05087ab3
-
SSDEEP
24576:SgW2J4Sl29MaW6EEJJQEtTShtxMwwW7yUVzmoeli:SgjJYSoxtuDxZlyUVzmo
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-