General
Target: 4cb0c81e0a65fad12ae7a55db5839cbb.zip
Size: 7.4MB
Sample: 241023-kceynasbmn
MD5: 4cb0c81e0a65fad12ae7a55db5839cbb
SHA1: 960c0a58ed11f236758674d8d77fc5b59f55b8dd
SHA256: 1135aff0c127721dd6704747c337ce06abd87852f86cc5d19446c0946c644788
SHA512: 739e5af401317af769777ecd95b00666759ba65c6987fba67b07edc6d6153d1bf7d00498f25210eab98984a0b7f82b2a288e9760150740b2ff9d6aa65e21e205
SSDEEP: 196608:sMv+L2+8mtYhCsR3tQMxgROqXz9cYoMpx6kGKlKNgHFBl:sMU5mCTOsz9cZ7kGKlTl
Static task: static1
Behavioral task: behavioral1
Sample: militaryrespondpro/militaryrespondpro.exe
Resource: win10v2004-20241007-en
Malware Config
Extracted: remcos
build
193.29.13.204:5850
audio_folder: ??????????? ??????
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: sys.dat
keylog_flag: false
keylog_folder: syslogs
keylog_path: %WinDir%
mouse_option: false
mutex: 34534534534ffffsdfd-IPKJ16
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: ?????????
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: militaryrespondpro/militaryrespondpro.exe
Size: 7.5MB
MD5: 74538bcd359192ab8a3f3f1bf4e84adb
SHA1: a20254ff13d8c9eda8569c8b9ce94328c4f8b924
SHA256: 0bb66047b9a8fc0ad9312c27166c507b82be23e28441be00b0e09b010068bdb6
SHA512: 47ef3fd2ddb6f0befdbfe2525b6062c8c4408cb0602cd0e1085b441fd9a94ec6a8884595bba9f2faa63a15e2db232d11f192aab2777ea0a7b72034abc589134d
SSDEEP: 196608:lSPQZgEkukO0V2ODNDwcv4RMcpBrcA0M5XgkOClcfWJTl:lSqDo12XMcBrclnkOCln
Score: 10/10
Signatures:
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext