General
-
Target
b884daea2d9b42c3ba7a183381c78d9d9022c77dda6242d1d06a42d0ef678f8b.zip
-
Size
65KB
-
Sample
241119-rdtxjaxerj
-
MD5
83f533f2a00fa2a7a22108035af018ec
-
SHA1
7c88dd7a7fca5a539003c3cb02028ea7bc8589d4
-
SHA256
b884daea2d9b42c3ba7a183381c78d9d9022c77dda6242d1d06a42d0ef678f8b
-
SHA512
ab3e2a34a23c456469b3cbdb05413438a9c2ec504f2d5049c9084e103ec91cdc0d983926ef17c946ef076b85426899c3bf7c3243aa7c8f43b4a6625a60756c9f
-
SSDEEP
1536:LfrM5RGu8aZBbVs85R1FDy/xbAJGsOshKMaBplmZPsGwg:LfrM5RGBQXs85By5AJXEctZwg
Static task
static1
Behavioral task
behavioral1
Sample
Comprovante_de_pagamento.pdf.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Comprovante_de_pagamento.pdf.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
remcos
RemoteHost
212.162.149.42:7118
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-YP127Q
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Comprovante_de_pagamento.pdf.exe
-
Size
145KB
-
MD5
3cef41ea126aa53d1d98c1fdf6ff5ce2
-
SHA1
f0a8c1041e05baf14600307b722f59fd0349ab5f
-
SHA256
16adbc2a26d4dd6a5c2c74f9631947184c72d8e244e0ceb34d531ef07d852939
-
SHA512
926b92948bd7f146da56ecd6ffb0c0926ec04c36635a0cfc7e742dd8c98c213d3a90da2ebfa4e23fb36e8652b9ffb4a07a447df9c351ab863e5f3d276a3b4b57
-
SSDEEP
3072:p5sUNEt0g9dCXurh4wpvkIMZxaRo/1AxY9UN6vI1dvPKwdqTub:pBqxY986Q4
Score10/10-
Remcos family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-