General
Target: 0e0e4917d553e3bd7c39d4180c498c9052e171be7db2e1fdc6d47099482e44ce.zip
Size: 3.5MB
Sample: 241117-gmqalatapj
MD5: bd75f580d542e8e146a47c61792f4057
SHA1: 314ee28e437b9544318f199d19cd42230ea2d24b
SHA256: 0e0e4917d553e3bd7c39d4180c498c9052e171be7db2e1fdc6d47099482e44ce
SHA512: 0bfc049b288a231adab22c2937464b558a64608f903520e18ebe8fed5fa6e19cf1ce485f942adb8e24c70a5fc7e37e3cfae4aa53143e1e17f1595539bcf2062c
SSDEEP: 98304:bQ7BdgZJ902s95Cu1w/M6oDPkh+opiU482iUxJPLCcN1W:s3602s9L2zozkdpFkJPLB1W
Tasks
Static task: static1
Behavioral task: behavioral1 (sample AMIBCP/AMIBCP.exe, resource win7-20241010-en)
Malware Config
Extracted: remcos
New (C2 host:port): 185.183.32.159:7172
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: UuUuUUu333215s-7Q8DFP
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Note that install_flag, keylog_flag, screenshot_flag and take_screenshot_option are all false in this build: the copy location (Remcos\remcos.exe), the keylog file (logs.dat) and the screenshot folder are configured but the corresponding features are switched off, so not finding those files on a host does not rule out infection. The C2 endpoint and the mutex are the indicators this dump actually supports.
Targets
Target: AMIBCP/AMIBCP.exe
Size: 3.0MB
MD5: 04ff3875bd4aaf9b1b97c44e63512e08
SHA1: 7fead1d77557785fbf4d34883af8136106a8f4ae
SHA256: 41e23bfeda59c1c9a4aab2d30fb6e277b92ca56eca438888d1415c6def82452c
SHA512: cc4fe3a7718836d689fcda9d690ddd1cd0cbfc4482bf961a7e9acf9c60c2572f94e2190b883de08a2cbcd34ed6b6d53b9483a597cd39c2d0a1465b825dfdfc14
SSDEEP: 49152:ZEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVd3338t:t92bz2Eb6pd7B6bAGx7n333S
Signatures:
Remcos family
Checks computer location settings: looks up the country code configured in the registry, likely a geofence (the sample may behave differently, or not at all, on machines whose locale does not match).
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext: rewriting another thread's context is the step process hollowing and thread hijacking use to redirect execution into injected code; on its own it is noisy, so correlate it with a suspended child process and writes into that process.
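The two things a practitioner wants from a report like this are (a) indicators derived from the extracted config, with the disabled features kept apart from the live ones, and (b) a way to turn the "Suspicious use of SetThreadContext" signature into an ordered-sequence check rather than a single noisy API hit. The block below is an added example, not code from the sandbox, from the page's author, or from Remcos itself. The config values are copied from the dump above; the connection records and the API-trace lines are constructed for the example, and their key=value layout is an assumption (the page does not show the sandbox's real trace format). Treating any config value of the form host:port as a C2 entry, and ignoring further ':'-separated fields after the port, are also assumptions.

```python
"""Added example: derive IOCs from the Remcos config dump above and check
constructed telemetry for C2 traffic and a process-hollowing API sequence."""
import re
from typing import Dict, List, Tuple

# Excerpt of the config extracted in the report above; values copied verbatim.
REMCOS_CONFIG: Dict[str, str] = {
    "New": "185.183.32.159:7172",   # the report's C2 entry, labelled "New"
    "copy_file": "remcos.exe",
    "copy_folder": "Remcos",
    "install_flag": "false",
    "keylog_file": "logs.dat",
    "keylog_folder": "remcos",
    "keylog_flag": "false",
    "mutex": "UuUuUUu333215s-7Q8DFP",
}

# Assumption: a C2 entry is any value shaped host:port, optionally followed by more fields.
C2_RE = re.compile(r"^[\w.\-]+:\d{1,5}(?::.*)?$")


def parse_c2(entry: str) -> Tuple[str, int]:
    """Split 'host:port'; any trailing ':'-separated fields are ignored (assumption)."""
    host, port, *_ = entry.split(":")
    return host, int(port)


def derive_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    """Derive indicators. Features whose *_flag is false are listed under
    'disabled' so nobody hunts for a file the sample was never configured to write."""
    c2 = [parse_c2(v) for v in cfg.values() if C2_RE.match(v)]
    # Relative paths only: the dump names folder and file but not the base directory.
    paths = {
        "install": f"{cfg['copy_folder']}\\{cfg['copy_file']}",
        "keylog": f"{cfg['keylog_folder']}\\{cfg['keylog_file']}",
    }
    disabled = [k for k in ("install_flag", "keylog_flag")
                if cfg.get(k, "false").lower() != "true"]
    return {"c2": c2, "mutex": cfg["mutex"], "paths": paths, "disabled": disabled}


# Constructed connection records in a Sysmon-like key=value shape (not real logs).
SAMPLE_CONNECTIONS = [
    "2024-11-17 10:02:11 proc=AMIBCP.exe dst=185.183.32.159 dport=7172 proto=tcp",
    "2024-11-17 10:02:12 proc=svchost.exe dst=13.107.4.50 dport=443 proto=tcp",
    "2024-11-17 10:02:40 proc=AMIBCP.exe dst=185.183.32.159 dport=443 proto=tcp",
]
CONN_RE = re.compile(r"proc=(?P<proc>\S+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def scan_connections(lines: List[str], iocs: Dict[str, object]) -> List[Tuple[str, str, int, str]]:
    """Return (process, dst, port, confidence). 'exact' = configured host:port;
    'host-only' = the C2 host on a different port, worth a weaker alert."""
    exact = set(iocs["c2"])          # type: ignore[arg-type]
    hosts = {h for h, _ in exact}
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        dst, port = m["dst"], int(m["dport"])
        if (dst, port) in exact:
            hits.append((m["proc"], dst, port, "exact"))
        elif dst in hosts:
            hits.append((m["proc"], dst, port, "host-only"))
    return hits


# Constructed API-trace lines; the sandbox's real trace format is not shown on the page.
SAMPLE_TRACE = [
    "api=CreateProcess caller=1804 target=2140 flags=CREATE_SUSPENDED",
    "api=WriteProcessMemory caller=1804 target=2140 size=0x5c000",
    "api=SetThreadContext caller=1804 target=2140",
    "api=ResumeThread caller=1804 target=2140",
    "api=CreateProcess caller=1804 target=2200 flags=0",
    "api=ResumeThread caller=1804 target=2200",
]
HOLLOW_STEPS = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")
TRACE_RE = re.compile(r"api=(?P<api>\w+)\s+caller=(?P<caller>\d+)\s+target=(?P<target>\d+)")


def detect_hollowing(trace: List[str]) -> List[int]:
    """Flag target pids that see, in order, CreateProcess(CREATE_SUSPENDED),
    WriteProcessMemory, SetThreadContext and ResumeThread: the classic hollowing
    sequence. A lone SetThreadContext is not reported on its own."""
    progress: Dict[int, int] = {}   # pid -> index of the next step expected
    flagged: List[int] = []
    for line in trace:
        m = TRACE_RE.search(line)
        if not m:
            continue
        api, pid = m["api"], int(m["target"])
        if api == HOLLOW_STEPS[0]:
            if "CREATE_SUSPENDED" in line:
                progress[pid] = 1
            continue
        step = progress.get(pid, 0)
        if 0 < step < len(HOLLOW_STEPS) and api == HOLLOW_STEPS[step]:
            progress[pid] = step + 1
            if step + 1 == len(HOLLOW_STEPS):
                flagged.append(pid)
    return flagged


if __name__ == "__main__":
    iocs = derive_iocs(REMCOS_CONFIG)
    print(iocs)
    print(scan_connections(SAMPLE_CONNECTIONS, iocs))
    print(detect_hollowing(SAMPLE_TRACE))
```

Running it prints the C2 tuple, the mutex, the two relative paths marked by the disabled flags, one exact and one host-only connection hit, and pid 2140 as the hollowed process; the second child (2200) is resumed without the suspended create and memory write, so it is not flagged.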