General
-
Target
SWA710932Y5V01.gz.zip
-
Size
1.3MB
-
Sample
241010-hys2asweqn
-
MD5
42a0b2d05ff97cd06118efef95aa2809
-
SHA1
d2bd8c85228cdd45e31c3022e5d5a21189ef157d
-
SHA256
df9926a2e71a996ea7652ed915c394c0994c35a6ffe70662c4e0ea6c2dde0ce4
-
SHA512
b43b6143a733aa89099e7c5d7627e4cf087db0fb06641da3f274fd1c2f7f2a0ceac7c378a268ae91dfa29d06cb799f49b0124fab4a6bd9585eae20b169bebb47
-
SSDEEP
24576:Wrj4guvo2MotPq6pwlzVTFE5akjWAa4aN20vSLRHL8Rki2rQEJbvov43JR/ZWx2m:o4g/2mxT2QkjWZ4aN2daMQKXK2DK
Malware Config
Extracted
remcos
MAHARABA
64.188.20.210:3800
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-W8QVO9
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
SWA710932Y5V01.exe
-
Size
1.6MB
-
MD5
6b19d06c2770fce41f9af1703b6ac62c
-
SHA1
23bd88644bfe0167ca5a7fbfaec93c5f4e9b62c7
-
SHA256
746e4e3a4afb2fb0e41287357a561eb9549a719607c0f7b3743314a08d3cac17
-
SHA512
12d7c5c17e9677b00661f8dc936e8116851a9c4690498e9c16d44dc759c9ae1d08623ffbb505d78a3f5c6e1813129d5e5aab282d106798c0fc6f91058719c57f
-
SSDEEP
24576:ffmMv6Ckr7Mny5QLqtPq6hwpzjTNA5Mkj4Aaeav2Wv8LZ73YRka2pQiJTvovqx7L:f3v+7/5QL/HTuekj4Zeav2zyOQYtW2DB
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-