General
Target: Quote.gz
Size: 909KB
Sample: 250213-ptxbgsykgs
MD5: 9feb569f15fe97068478467b68737272
SHA1: 4a5339fc4249265c5e18d603e4dea3fb9c2dbf8d
SHA256: b672afc774d2c57bce68ffea72a0236019a2bfe9fdae61b6deac4906f9dff2ce
SHA512: dcad99fe1bb5eca8c489940581bceb4f02462bca9f3aa5b244bc9af1db044b690526308bdbf99343eeaeb2b456c8dca2bca6153909c481eedb293a80649f9947
SSDEEP: 24576:ZKjP5SHpLTFTelHztd6t0EKLVseDLES5Gu/7H:ZuAR5EHpbRVFEzub
Static task: static1
Behavioral task: behavioral1
  Sample: Quote.scr
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: Quote.scr
  Resource: win10v2004-20250211-en
Malware Config
Extracted: remcos
RemoteHost: 2.58.56.182:2404
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-GM05WY
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: Quote.scr
Size: 984KB
MD5: 09d1f74cf4434fd7ff3ee83a2479d7a9
SHA1: d70d3164f2fe24b4263e56ff2df171c15110e33b
SHA256: 9f05db230894256a6be6bf1b5b523894e621cf0b43632c0465c76717058d3ebb
SHA512: 7e8aa100fb7da347d56b9f34a87a91e5dfe71fa370f9dd42f571e70a37b779819253682dfe879224e06427b0ff10f4951e5b31648945011fd44584d480b062bb
SSDEEP: 24576:3IHzeLasydPeQ7h+ue7k+i4ZcPU33R1f4VTPx4pty9A:YaLaVJeQ0ue7Tcs33R14Fx4pty9A
Score: 10/10
Signatures:
- Remcos family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)