General
- Target: 56815d5ebf721c3782ecbc8b415f1c0a.bin
- Size: 7KB
- Sample: 241023-bp5v6swbml
- MD5: f68768601068371f6b2b3cefa3e69f21
- SHA1: d797eb5d1a8730283bfa6bc0c8f188305c2a029d
- SHA256: fb58f37e89a830b9cc5d8320841aead3eb85d3c9a01d3574c5b583db0f3d674e
- SHA512: 87b4684d5ead9081ace19f6ade2048212ec01103cabdf709b806183f2fc3645715b751030d834a58dbec9d57c8851d2fe5fd8dbdb4f3e4a9032c27694d5ad9e5
- SSDEEP: 192:vY1TOpUYb3kXrR+EVg/h26rSD72otcJFlhLePWZAcoI:DpUGsr0Mg/hSDtcrlsPWZdf
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 857cc9b2e6ba71e001ff2039a1d3a795e54a8cb99df9362b6ebc255de7aaaad4.vbs
  - Resource: win7-20240903-en

Behavioral task
- behavioral2
  - Sample: 857cc9b2e6ba71e001ff2039a1d3a795e54a8cb99df9362b6ebc255de7aaaad4.vbs
  - Resource: win10v2004-20241007-en
Malware Config
Extracted
- remcos
- 5.1.3 Light
- RemoteHost: 154.216.17.141:5922
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-MBKA6A
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: 857cc9b2e6ba71e001ff2039a1d3a795e54a8cb99df9362b6ebc255de7aaaad4.vbs
- Size: 15KB
- MD5: 56815d5ebf721c3782ecbc8b415f1c0a
- SHA1: 4bc177cad4a63528f271a3578a12418f96123f69
- SHA256: 857cc9b2e6ba71e001ff2039a1d3a795e54a8cb99df9362b6ebc255de7aaaad4
- SHA512: 17d397695b10f7cd8d94ed23cc7f0e7da07ae36133a47365dc3a747e1850196bbc73b86ce34076a25f161d8235b7fc2beddd2e3f3ae3ea5e00822b2b6e984207
- SSDEEP: 192:yLqqhqxwJrpWlUZVYxIin3lnmLspomTQLGIgAC/rlnCkRcSKWInZo/kpJcGPJZMi:HqJJroZudLsnTaGgPJmxNSiMFpWnk
Score: 10/10
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext