General

Target: 31102024_0237_30102024_77954-668716095406000-20240826160944.pdf.gz
Size: 840KB
Sample: 241031-c4a5saxgpa
MD5: 8f1747742d3a1ed4b8ac22cfe9143980
SHA1: 8b82561ba439143af8e1e8606788d60c8efe2ed2
SHA256: 11628243191e0ea5350275ee991781c35ce22f93635c2a613bd0ae5f49e442f1
SHA512: 2e504ecc3970404b486df41958cabde9695ea51eb3d87b118f3fa5b07b2978d38597edc58b935da77a1a3bbb76cde01ac1f230a958b416e914b2644229d06a96
SSDEEP: 24576:O4z/H6uxAnCATgaAmJh6+YpAQePd5tS3afQFt:O4z/aaAntTgyYaFn03XFt
Static task: static1
Behavioral task: behavioral1
Sample: 77954-668716095406000-20240826160944.pdf.exe
Resource: win7-20241023-en
Malware Config

Extracted: remcos
Host: oyo.work.gd:3142
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: vlc
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: pdf
mouse_option: false
mutex: jkm-I9KENP
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: ios
take_screenshot_option: false
take_screenshot_time: 5
Targets

Target: 77954-668716095406000-20240826160944.pdf.exe
Size: 3.7MB
MD5: 9716314d2e2df9ef07b0a5e62594ec54
SHA1: 4b77033c3a9c5c897c288c57fb5c9c55d57236e9
SHA256: 7d9a4ed0a06ed9371e27c634f50c6aed4ebc1869c4a094287b03a6be4b810c63
SHA512: 5acac2ba47c101095d4b0efaf1737b6044977f9547a846f615be67f9bee77c5f6b1361b95308f26e311642ce39909510a0d80a35607d0571a5ca25b6a83b4ee3
SSDEEP: 24576:CgkzHf6uxcDC8VeaAOJ5o+cPugMB5jrgjafY9M:CgkzHyacDXVei+2FB0jj9M
- Remcos family
- Looks for VirtualBox Guest Additions in registry
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Looks for VMware Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (4)
  Virtualization/Sandbox Evasion (2)