General
Target: 2ed5e08904545beef35a09a2be25b45215218b8a4e7d5f9711125f92d8b86a6f.gz
Size: 861KB
Sample: 241122-cpt94sslfv
MD5: ec24fd3d2c63f4c5eb1013fc10ec44ab
SHA1: aeb58eeacf56684b9cd2598d02b099191a427930
SHA256: 2ed5e08904545beef35a09a2be25b45215218b8a4e7d5f9711125f92d8b86a6f
SHA512: 2c53850d19a23f3bf8a5e0d9c0cadfe60efdf693ff7c2b808db2d7a437def6e936dfb92a6a0c135435712a26817bbc8e779437bc885e7e658d4746ac501f53de
SSDEEP: 24576:EHJ9rEhUt9Mqqr++XBD0v2kujqw/Hj+136FZ9OLSEg+rIl:eghUtKqt+XhUx3w/HjkEiLSyre
Static task: static1
Behavioral task: behavioral1
Sample: Purchase Inquiry_002.exe
Resource: win7-20240708-en
Malware Config
Extracted: remcos
cee
cee.work.gd:2531
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: vlc
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: ios
mouse_option: false
mutex: gig-1IH5DX
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: sos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: Purchase Inquiry_002.exe
Size: 893KB
MD5: c016b06a4942455df9ce8a58b72bcc90
SHA1: dba52afe33451c444fd5cf3c6aca9d2ced768d2c
SHA256: e115d3bd2903d9d663a7a69edd08b0ba5f2528c831d17530bbf621648b44894c
SHA512: 961475a98cfdc14a29725b43c1807a3eda08a2257f50d216375faf262880ce39cf7847d00263d00fd1ce032ad14fbb003b3ab1e78bbd25b3a644f3d6746168fe
SSDEEP: 24576:WNo7gN9rqhq/5UqutCi1BDUTskujqA5pd6p3MFHdIvYV:QL2hq/6q1i1h4v3A5pdSOWvY

Remcos family
Command and Scripting Interpreter: PowerShell
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
Suspicious use of SetThreadContext