General
- Target: 03122024_1046_1016012 Piel Company.wsf.zip
- Size: 910B
- Sample: 241203-mtxwxa1rgs
- MD5: cbdf3dcf921b2d2504d85f52f597e6dc
- SHA1: e6c8d37d560bd4f227e74cbf73b8f940d8360388
- SHA256: 7b7567d35cb66d03a193190b2ed23f8020430fc36178d71be645951b99411709
- SHA512: f885418cd6fa54392497d718ea7b2fe21f2091443458281f39e3bfdb204f7be0b45309ab08cf69349e4d7d5d52b2f5f2b9f31722083284589791bc57d63a747c
Static task: static1
Behavioral task: behavioral1
- Sample: 1016012 Piel Company.wsf
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: 1016012 Piel Company.wsf
- Resource: win10v2004-20241007-en
Malware Config
Extracted: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20
Extracted: remcos
- RemoteHost: ahmedahmed.ddns.net:6426
- audio_folder: MicRecords
- audio_path: ApplicationPath
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-SEVL3E
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: 1016012 Piel Company.wsf
- Size: 3KB
- MD5: 2351b140cfa13f0cf05f93b471edd1f6
- SHA1: aab24f356405a117ce7df0016b131872fb1b2f16
- SHA256: 4e176fd538ca3aade9d71291f18cbe73022c88dd19e29fba250a6d0a9137be17
- SHA512: bb7e68724ba4e4169e90b0ff3d6379dda43c0d01bf1e26b91211a124833317a4741bb6c5f0c3e97bcc79f8d01460bb09b6cf963c2f39890b7063ddd1b74f0085
- Score: 10/10
- Remcos family
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext