General
Target: 6d7d32231705522b3e2c302da6e662a64f05f52b09b311c6577c9076fef11e11.dll
Size: 45.1MB
Sample: 241204-rwgpxstlar
MD5: bd37e2d630bcd34e3ea98994ac8df786
SHA1: b279fe50517e703243a13b006f256f14720f9dd9
SHA256: 6d7d32231705522b3e2c302da6e662a64f05f52b09b311c6577c9076fef11e11
SHA512: ca769ba4d833356b02fa2fd3c20eefca90299297fc85a1a586f8aae758a6643565d13600e326696c1924485ac5a24d497167cfe2cc6eedf4a3e024cede137d42
SSDEEP: 786432:bUP7GCGO7t0Srkx/tC0SzIdSwh/WxbpNHQD3trzRp1:bUP7GCG6iSrkx1hSzYsHQD3t/RT
Static task: static1
Behavioral task: behavioral1
Sample: 6d7d32231705522b3e2c302da6e662a64f05f52b09b311c6577c9076fef11e11.dll
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 6d7d32231705522b3e2c302da6e662a64f05f52b09b311c6577c9076fef11e11.dll
Resource: win10v2004-20241007-en
Malware Config
Extracted: remcos
RemoteHost: pattreon.duckdns.org:7035
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-PBMV55
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: 6d7d32231705522b3e2c302da6e662a64f05f52b09b311c6577c9076fef11e11.dll
Score: 10/10
Remcos family
Adds Run key to start application
Suspicious use of NtCreateThreadExHideFromDebugger