General
-
Target
tmp9vrynm_c
-
Size
1.8MB
-
Sample
241114-l1mh3sxfmk
-
MD5
c3bf525ab42ea2e0a37a55b290dd13bf
-
SHA1
665e8ac35e69dc4a1fa273bd35703a201f9b074d
-
SHA256
7a422ffa32fcdb0ca5698ef80ea3a7bed96b3fc42e008b0458256f4c680bd395
-
SHA512
d6f71d29a5e4b94d04181791edf55d22c3640e2c4115a1b17f4d6c14b79ea0b728a06acb0a0c3848ac4edae8535cf923585af13236fdeddf0051345d083fa9d8
-
SSDEEP
12288:qLXh08hSxuM4AUQC46V10t5hwv1xh14VGpxJz5W+EQpOIzkTJXY8I+6yi:QXNSNVt5+vPh14gxJzsQpOmkTJXY5
Static task
static1
Behavioral task
behavioral1
Sample
tmp9vrynm_c.exe
Resource
win7-20240903-en
Malware Config
Extracted
remcos
GASPLANT
dotatech.de:30908
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
chrome-SYTYBI
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
tmp9vrynm_c
-
Size
1.8MB
-
MD5
c3bf525ab42ea2e0a37a55b290dd13bf
-
SHA1
665e8ac35e69dc4a1fa273bd35703a201f9b074d
-
SHA256
7a422ffa32fcdb0ca5698ef80ea3a7bed96b3fc42e008b0458256f4c680bd395
-
SHA512
d6f71d29a5e4b94d04181791edf55d22c3640e2c4115a1b17f4d6c14b79ea0b728a06acb0a0c3848ac4edae8535cf923585af13236fdeddf0051345d083fa9d8
-
SSDEEP
12288:qLXh08hSxuM4AUQC46V10t5hwv1xh14VGpxJz5W+EQpOIzkTJXY8I+6yi:QXNSNVt5+vPh14gxJzsQpOmkTJXY5
-
Remcos family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4