General
-
Target
1.gz
-
Size
893KB
-
Sample
241223-lb9mbaxqgy
-
MD5
3da758f3dd63c65268d64ce6bae7ee05
-
SHA1
710685e020757f550dbf7fc684545da5fe97a7b7
-
SHA256
b4d1b79459e02f66fae43fa71b6422be611fc7595306875ad87eddaa0e07ac5c
-
SHA512
db6d8cb0f368b021905edcdb5d6d199991eebb79ec148f4443a4ff136d7c65c30372974e142986c7c91b37c1da2b8daf25f755e7e1b9ca96a3ba7b9da6f8a0fc
-
SSDEEP
24576:oejs9tVi+BU7popGKxwl+kEbWPEdo/Or8DRt:oEyOQsophxy+kgU3oARt
Static task
static1
Behavioral task
behavioral1
Sample
Quotation.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Quotation.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
remcos
RemoteHost
185.241.208.87:2404
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-7DRXD9
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Quotation.exe
-
Size
1.0MB
-
MD5
67b86e9595c2d0d2f44454ec239fda56
-
SHA1
1a44600a7b4e010174d99c152dc20fef1d84061a
-
SHA256
905eb3c354f4f1210442b25983482a2612d6354df9c3d26beb9a0bdaf1e9ac04
-
SHA512
73fb542c826f8e75683e7944f0f616d2317d17c5cc153610e7d2107c6da7458da00c89e797aa4f59c92d92095dcf884ef9474cf7ac5dcc4bf526aa8389486604
-
SSDEEP
24576:BHAXaxESQklIlQcZrVs+3FvrVOuHvKYKrVFmdGp7N1/TBt:BgAlFUrv3FjwuPKYaGK/t
Score10/10-
Remcos family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-