General
Target: 09102024_1602_09102024_PO2780.7z
Size: 889KB
Sample: 241009-tgwawasgqf
MD5: 63fee1bbd44567fc85856263b78054b2
SHA1: a23217e5dc7b2cf54711ad04d8ee6cf5f5f06fdb
SHA256: f598d0d709c87d2a6411cec416a9eb92ccbfd2c335d9a3e2ea15d363588c3c16
SHA512: 8acf1144dc39cce05e1320758c955969b263851ecfca6d502ec909d77fcb6aa02ec113d5a3b4bb96e209a71b65512cc30ee88d711454c0d586c069de90790dc9
SSDEEP: 12288:cRsJDdpmBs7/zJht5J84J58M+9JdjlVbZBc7Fgj5WtOOZkVbKSiWFmLH1X/6:cWJDOs7/zjtlK7ZBc5r8OWp1FmLH1P6
Static task: static1
Behavioral task: behavioral1
Sample: PO2780.exe
Resource: win7-20240708-en
Malware Config
Extracted
Family: remcos
Botnet: MAHARABA
C2: 64.188.20.210:3800
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-W8QVO9
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
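The extracted configuration above is most useful once it is turned into concrete things to hunt for. The following is an added example, not part of the sandbox report: it copies a subset of the extracted fields into a dictionary, validates the C2 entry before it becomes a network indicator, and derives the host artifacts this build would and would not leave. The `ENV` profile path and the meaning assigned to the flags (`install_flag` as copy plus Run key, `keylog_flag` as the offline keylogger, `screenshot_flag` as periodic screenshots, files laid out under %AppData%) are this example's assumptions about the field names; the report itself only lists the values.

```python
"""Turn the Remcos configuration extracted above into concrete indicators.
Added example, not part of the sandbox report. CONFIG values are copied from
the report; ENV and the meaning given to each flag (install_flag -> copy +
Run key, keylog_flag -> offline keylogger, screenshot_flag -> periodic
screenshots, paths under %AppData%) are this example's assumptions."""
import ipaddress
import ntpath

CONFIG = {  # subset of the extracted fields, values as listed in the report
    "c2": "64.188.20.210:3800",
    "botnet": "MAHARABA",
    "mutex": "Rmc-W8QVO9",
    "install_flag": "false",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "startup_value": "Remcos",
    "keylog_flag": "false",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": "false",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
}

# Assumed profile of the sandbox user, used to expand %AppData% offline.
ENV = {"AppData": r"C:\Users\Admin\AppData\Roaming"}


def is_true(value):
    # The report prints flags as the strings "true"/"false".
    return str(value).strip().lower() in ("true", "1", "yes")


def parse_c2(entry):
    """Validate one 'host:port' C2 entry and say whether to block by IP or by
    name. A malformed entry is rejected instead of being pushed to a firewall
    as an indicator that blocks nothing."""
    host, sep, port = entry.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed C2 entry: {entry!r}")
    try:
        ipaddress.ip_address(host)
        return host, int(port), "ip"
    except ValueError:
        return host, int(port), "domain"


def is_valid_c2(entry):
    try:
        parse_c2(entry)
        return True
    except ValueError:
        return False


def expand(path):
    for name, value in ENV.items():
        path = path.replace(f"%{name}%", value)
    return path


def indicators(cfg):
    """Network and host indicators, plus notes on artifacts that this build's
    flags say will NOT appear, so an analyst does not wait for them."""
    host, port, kind = parse_c2(cfg["c2"])
    appdata = expand("%AppData%")
    ind = {"network": [(host, port, kind)], "campaign": cfg["botnet"],
           "mutex": cfg["mutex"], "files": [], "registry": [], "notes": []}
    if is_true(cfg["install_flag"]):
        # Assumed install layout: <copy_folder>\<copy_file> under %AppData%,
        # persisted through an HKCU Run value named startup_value.
        ind["files"].append(ntpath.join(appdata, cfg["copy_folder"], cfg["copy_file"]))
        ind["registry"].append(ntpath.join(
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", cfg["startup_value"]))
    else:
        ind["notes"].append("install_flag=false: sample keeps running from its drop "
                            "location; no %s copy and no Run value %r expected"
                            % (cfg["copy_file"], cfg["startup_value"]))
    if is_true(cfg["keylog_flag"]):
        ind["files"].append(ntpath.join(appdata, cfg["keylog_folder"], cfg["keylog_file"]))
    else:
        ind["notes"].append("keylog_flag=false: offline keylogger off, %s will not be "
                            "written" % cfg["keylog_file"])
    if is_true(cfg["screenshot_flag"]):
        ind["files"].append(ntpath.join(expand(cfg["screenshot_path"]), cfg["screenshot_folder"]))
    else:
        ind["notes"].append("screenshot_flag=false: no %s folder expected" % cfg["screenshot_folder"])
    return ind


if __name__ == "__main__":
    for key, value in indicators(CONFIG).items():
        print(key, value)
```

With every persistence and collection flag set to false, the only durable indicators this build yields are the C2 endpoint and the mutex; the notes make that explicit so the absence of `logs.dat` or a Run entry in a sandbox run is not mistaken for a failed detonation.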
Targets
Target: PO2780.exe
Size: 1.0MB
MD5: 48bfcf08c8ba3d7f0621ad8ce7802157
SHA1: 96661e0ba26e1a98cd9eedfba3f3817e281cf190
SHA256: f437abfad6088e7817b71f37ea5e3204c96e845f08dd9d524203c05609fb0699
SHA512: 7d04360468985ada48d34781db3e3b6254a8ef14a1d13dabf8b5624881db52e3eac0379f4df7028ed33a92a2c288a79f72f69a18e3f9abe8d6b95fb106bbb553
SSDEEP: 12288:aUimcBPOUDcc25O5Jht8rf2jtnVQM+9VdjlVdZBcbFgj54tOGZhGSqAFdUu7NzPg:v6msccSkjtGfg7o9ZBcZB8Gi+dTxjTE
Signatures
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
Suspicious use of SetThreadContext
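The three signatures above describe behaviours an EDR or sandbox can be made to alert on directly. The following is an added example, not part of the report: detection logic for all three run over a constructed event log. The event records are made up to resemble normalised telemetry (process creations with command lines, registry queries, API calls with a target process) and do not come from the report; the registry key used for the geofence rule (`HKCU\Control Panel\International\Geo\Nation`) is an assumption about what "checks computer location settings" reads; the PowerShell rule also decodes `-EncodedCommand` payloads, since the report does not say whether the command line was obfuscated; and the SetThreadContext rule only fires when the call targets a thread in another process, because rewriting another process's thread context is the injection and hollowing pattern while self-targeted calls are common and benign.

```python
"""Detection logic for the three behaviours flagged in this report, run over a
constructed event log. Added example; the EVENTS below are made up to look
like normalised sandbox/EDR telemetry and are not taken from the report. The
geofence registry key is an assumption about what the signature reads."""
import base64
import ntpath
import re

POWERSHELL = {"powershell.exe", "pwsh.exe"}
EXCLUSION_RE = re.compile(
    r"(?i)\b(?:add|set)-mppreference\b.*?-exclusion(?:path|extension|process|ipaddress)")
ENCODED_RE = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
GEO_KEYS = (r"control panel\international\geo\nation", r"control panel\international")


def normalize_cmdline(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    exclusion rule also sees commands hidden from plain string matching."""
    m = ENCODED_RE.search(cmdline)
    if m:
        try:
            return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            pass  # not a valid encoded command; match on the raw line only
    return cmdline


def detect(event):
    """Return the names of the rules one event matches."""
    hits = []
    if event["type"] == "process_create":
        image = ntpath.basename(event["image"]).lower()
        if image in POWERSHELL and EXCLUSION_RE.search(normalize_cmdline(event["cmdline"])):
            hits.append("defender_exclusion_via_powershell")
    elif event["type"] == "reg_query":
        key = event["key"].lower()
        if any(key.endswith(k) for k in GEO_KEYS):
            hits.append("geofence_registry_lookup")
    elif event["type"] == "api" and event["name"] == "SetThreadContext":
        # Rewriting a thread context in another process is how hollowing and
        # injection redirect execution; a self-targeted call is usually benign.
        if event["target_pid"] != event["pid"]:
            hits.append("remote_setthreadcontext")
    return hits


def summarize(events):
    """pid -> sorted list of rule names that fired; clean processes are omitted."""
    out = {}
    for ev in events:
        for hit in detect(ev):
            out.setdefault(ev["pid"], set()).add(hit)
    return {pid: sorted(hits) for pid, hits in out.items()}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionProcess "remcos.exe"'.encode("utf-16le")).decode()

# Constructed telemetry: pid 2332 plays the dropper, 2400/2500 its PowerShell
# children, 3000 an unrelated admin session that must not fire anything.
EVENTS = [
    {"type": "process_create", "pid": 2400, "ppid": 2332, "image": PS,
     "cmdline": 'powershell -WindowStyle Hidden -Command "Add-MpPreference '
                '-ExclusionPath C:\\Users\\Admin\\AppData\\Roaming -ExclusionExtension .exe"'},
    {"type": "process_create", "pid": 2500, "ppid": 2332, "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"type": "reg_query", "pid": 2332, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "api", "pid": 2332, "name": "SetThreadContext", "target_pid": 2540},
    {"type": "api", "pid": 2332, "name": "SetThreadContext", "target_pid": 2332},
    {"type": "process_create", "pid": 3000, "ppid": 1, "image": PS,
     "cmdline": "powershell Get-MpPreference"},
    {"type": "reg_query", "pid": 3000, "key": r"HKCU\Software\Classes"},
]

if __name__ == "__main__":
    for pid, rules in summarize(EVENTS).items():
        print(pid, ", ".join(rules))
```

In production the three rules are worth correlating through the parent chain (the `ppid` field is carried for that purpose): a PowerShell child that adds a Defender exclusion, a registry locale lookup and a cross-process SetThreadContext from the same tree within seconds is far more specific than any one of them alone, and the exclusion path the command line names is itself a good candidate for the drop directory.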