General

  • Target: moon.exe
  • Size: 423KB
  • MD5: b1c7d8102bcab505d2fdec27282767f3
  • SHA1: 4f3496b126eabcd57335e2a315d59bdd2e043c89
  • SHA256: 010b6fa39f761c1444233c206b2c4434428a75ff9d0583bcb84b12e2804340db
  • SHA512: c1da6810dbcf11b582f80820f55279258a5779eb420ec5a19b9da04a3d90dc37febb841e50d54be55b2fc447d77fd8f775a1e6f5ac7e8e10acb35bbbf8ce6748
  • SSDEEP: 6144:YeghbOV4Asvo/Z+wo6TmTIHnqgKIuTi5gTaWnLLDt1dbWAOaKapXFWbcFSU:YeKbOV4A3ho9IKNti5gT/wUzzWTU

Score: 10/10

Malware Config

Extracted

  • Family: remcos
  • Version: 3.8.0 Light
  • Botnet: moon
  • C2: 204.10.194.175:4444

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: WindowsUpdater.exe
  • copy_folder: WindowsUpdater
  • delete_file: true
  • hide_file: true
  • hide_keylog_file: false
  • install_flag: true
  • install_path: %SystemDrive%
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-4GSXVB
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: WindowsUpdater
  • take_screenshot_option: false
  • take_screenshot_time: 5

Signatures

  • Remcos family
  • Unsigned PE (1 IoC): Checks for missing Authenticode signature.

Files

  • moon.exe (.exe windows:5 windows x86 arch:x86)

    d5baaf7db716df76241a88766114f3b8
