General
Target: JaffaCakes118_ad32c876c3e4581137392cba029ef6f69a50d26c7fab4f2f488f20cf3f29c8c2
Size: 970KB
Sample: 241225-fynqgayqep
MD5: a9be3e1bef382236127146c466e30768
SHA1: bf09ff9eaa6a5f203ec3280a207067709a94365f
SHA256: ad32c876c3e4581137392cba029ef6f69a50d26c7fab4f2f488f20cf3f29c8c2
SHA512: 16921b24c01ed8d3dea3e36e22aa5228110bf7b2691c583809fe679ea8ef51147e3f95fcdc142b96a8efbc37bf287601ed493fd426cf28a9333d82ee070b65b3
SSDEEP: 24576:G73WE1hRT7NXUaLdFxChb4Uo52NDKc5IcWiCVWHJn:+WAh/XUaPxzUVXWtVo
Static task: static1
Behavioral task: behavioral1
  Sample: 9c273d9b8a1cee3f64842482dfde7a2bf9e107a7f86a189b56d2571f40838f10.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9c273d9b8a1cee3f64842482dfde7a2bf9e107a7f86a189b56d2571f40838f10.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted: remcos
  RemoteHost: azuite.ddns.net:7667
  audio_folder: MicRecords
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  install_path: %AppData%
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  keylog_path: %AppData%
  mouse_option: false
  mutex: stub1-C43YU8
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: Remcos
  take_screenshot_option: false
  take_screenshot_time: 5
  take_screenshot_title: notepad;solitaire;
Targets
Target: 9c273d9b8a1cee3f64842482dfde7a2bf9e107a7f86a189b56d2571f40838f10
Size: 1.1MB
MD5: 6c6dcfc1b71a39e2a1671f20507f4246
SHA1: 424defefcf75932443ba4c681db36cdb28f5569d
SHA256: 9c273d9b8a1cee3f64842482dfde7a2bf9e107a7f86a189b56d2571f40838f10
SHA512: e68db9a496ced68f49fbc4b39e6365813ce8e44d8b11070e76b738788a942268a5d38397440b6fb6e789ff24e05b075682100fb50118c2a4bfe14c96970bbd4d
SSDEEP: 24576:NK777777777777Bi1fjBWjE1UOBarHJ0OnXhhcOg7tOX2sBsFzoa:s7777777777770NjkjchMpvXhvgsDiFz
Score: 10/10
Signatures:
  Remcos family
  Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Suspicious use of SetThreadContext