General
Target: DHLAWB_NO_90785388091.gz
Size: 913KB
Sample: 241217-s61ffssmbw
MD5: 092d21679b867868934f404ceb16ed05
SHA1: d9e3028192415012de9c6e809c443ddbfaa2c2ab
SHA256: 1c2a5b8fae11f7c10d52ad7844ce50c1e45deb88bdb83063e087abeeead69bf8
SHA512: ac64f93817f01169ffb54dbd5977079beaf59193fb99aed809e01d6e4d312eee4cc9d258a35cc3d6b2c9716acf2064565ffe207f1c90b4b03900bbf24303825f
SSDEEP: 24576:HH755TQYV6rBWs3B61BfJSaR5nX0o3jZRv5es:15UYVAYE4ZXjlRh/
Static task: static1
Behavioral task: behavioral1
Sample: DHL AWB_NO_90785388091.scr
Resource: win7-20240903-en
Malware Config
Extracted: remcos
hdyebf
decmainserver.webredirect.org:45682
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: 46875-RPQWNM
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: DHL AWB_NO_90785388091.scr
Size: 1.0MB
MD5: ad02c1d63098791b74efafd0f684956e
SHA1: 8036d3f0acfc9aaa164b8a7e8af64e6068a492c7
SHA256: 8111eaa8541605d148824165100a381556716c3c73aadee3f938bfc036756863
SHA512: 5b276c9651f2858cbfe2109733e9d93ec735d7687289bf53b921cfc2002e216ba551136270c5d292a3c829582ffef7c92cbb17f25c5e089148c3517fef457b3b
SSDEEP: 24576:kLu2uOrtwKPRr/6f3ffazcU3nkTTeZi64UX+FUX0lojqIu2:klu0wSYfEc4kfezXKUP

Remcos family
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Suspicious use of SetThreadContext