General
Target: a2a7ff35bd33480418bd39e0832d0875.bin
Size: 2.8MB
Sample: 241223-bzerqstnal
MD5: 413cd9141e50be3152948748965330db
SHA1: 32e51a5512339bdf1e25f5d241d169106dc46616
SHA256: b42a6ccaace158cfe939c39eb9aa26cbdd36566b8faf2ddf5cf35de925d61ffd
SHA512: 9e7543a284d7b3d042c0442e5c2c0ed2527cd5b897145ab5166320e5e7da2fb0c2a7092b3c0fc7d92fc0c4fe35261e5beda4a95231e7c3350ad31a81dafe8a68
SSDEEP: 49152:aF1QcnkCBUUSxVJ3OiduaxUdmjtr5LCw/PvqynmPIDjsBYJH0KbGfZ2dI:sSYUwi1xPhpXSyzDIevbGx2dI
Static task: static1

Behavioral task: behavioral1
Sample: 46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54.msi
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54.msi
Resource: win10v2004-20241007-en
Malware Config
Extracted
remcos
Teddy
adminitpal.com:8080
adminitpal.com:443
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 5
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: putty
mouse_option: false
mutex: tRvr-YKFHJK
screenshot_crypt: false
screenshot_flag: true
screenshot_folder: Putty
screenshot_path: %AppData%
screenshot_time: 1
startup_value
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;chrome;edge;
Targets
Target: 46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54.msi
Size: 2.8MB
MD5: a2a7ff35bd33480418bd39e0832d0875
SHA1: 8cd2ec2310b1240ffa9944631c409e658cea03a7
SHA256: 46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54
SHA512: 20b4bcc20bdd3d40ec0d2d3f8531615c5fce78339784dd8f346e6aeccdca8307f472e59d9f246daeb1e1a4343c9d6d53f83b2deb7eb21f5b4035b2d083ad037c
SSDEEP: 49152:IiSoOl+YyNuCClJkqwhmsl5aBZJnxsTKHgX7Gu0ojmWS8MqIugHt:It7+YJCCvkEsloxTHZojmWhDg

Remcos family
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
Suspicious use of SetThreadContext