General
- Target: INVSO269936_pdf.vbs
- Size: 190KB
- Sample: 250207-jw7x4svjgz
- MD5: 507901780438f38bcd55386972a90f44
- SHA1: 22c5a6d3df6cbc78303a3309c0859bc1a080f7e9
- SHA256: 31b4230ab0b1e15b55948c13c881ac07627b49cbf2cddd29bef7e527536896b4
- SHA512: cb4ca4683ff1a9288dbf2f7851044a8df3ee471852f94cf2279e6a364fca599def444292dac5e84b96e46800b00815561a1e37ab8f2d16de03c5ce56ddea7b33
- SSDEEP: 3072:mV5VjCwpL15Yhn/Ui59Ymd95DnpTkwKxWccMF+:mV5Vq59Ymd1
Static task: static1
Behavioral task: behavioral1
- Sample: INVSO269936_pdf.vbs
- Resource: win7-20240903-en
Malware Config
Extracted: remcos
svc
meme7.work.gd:3124
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: svchost
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: smss
- mouse_option: false
- mutex: meme-ZPFPWZ
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: svc
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: INVSO269936_pdf.vbs
- Size: 190KB
- Remcos family
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext