General
-
Target
544c5f2f22e444b131f0b0f6c2b01c6f0c84356dea8aa805d3292ccb2c67aaf5
-
Size
913KB
-
Sample
241003-vnh5kazfke
-
MD5
fb9dbcc64a2c44163bbf4bf30b83a3e9
-
SHA1
da34f9f38e4c579109b10b416051014697b4313d
-
SHA256
544c5f2f22e444b131f0b0f6c2b01c6f0c84356dea8aa805d3292ccb2c67aaf5
-
SHA512
9ec8aad64f81729c6ec820895d5968a8f987095a1af55001e745c3a514a1ad34f7979c618185db74b7de485714856ee723fcb081723a659d6b8f33902015b99c
-
SSDEEP
24576:Kf7Hl3lo/T2Chk5RiaJPKYTJEceUxH6UH21zq9Y:KfTO6ChuRSC2U16UkzcY
Malware Config
Extracted
remcos
IRNSERV1
irnserv1.ddns.net:4424
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-20UF0Z
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
TNT invoice 10.3.2024.exe
-
Size
988KB
-
MD5
8e096c769a06afc7cb0d2e4903632829
-
SHA1
5d1887cbc765869914c5a5139806ca960c1f5c5c
-
SHA256
7e5f8060468b9e18265644190e564d0b53d6eeb0b4cf3b3e35405d3a4447fc1b
-
SHA512
911750d486f469ea98f6e2895bd65657c85a20804b1c06eaf3edbd35f20a76c729c9a39ead4bc5db705300aa4c10740c0190cac1ac0d900f77b95171a16f3073
-
SSDEEP
24576:xgpPDplZrOxmv3s4XVZOL8MevAUxZZ6UHxOt4UXZ:x8Fgmv3s4XHW8sUp6UU3XZ
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-