General
-
Target
4e8b3c07043d58d62d456ddb7201ad7b14578df119f005a8b441885b8208114b
-
Size
106KB
-
Sample
250328-y7119ssps2
-
MD5
74ab85b4e4ce88ed54968571bfcce061
-
SHA1
63292a08e7365eb0ae6815414cb01e6e510af599
-
SHA256
4e8b3c07043d58d62d456ddb7201ad7b14578df119f005a8b441885b8208114b
-
SHA512
c2517c61bd5a38035f8526f3086d0ee9ab865fbd5b08d1e1a9540f8bf1c935998a14c8508cc854abb4cbaa0749b83e89168a3fac3ea0c5a7057e6031e812efc0
-
SSDEEP
3072:iz/YQyMXgMCyEfuF9JxDYtKRMkkSoxiAnU:izYMztuuF2tmkSox/U
Malware Config
Extracted
remcos
1.7 Pro
Host
192.168.168.154:5555
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_lxuvlzlakuvlhki
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
main.pdf.pif.exe
-
Size
492KB
-
MD5
5ae083acb92a7e6dfe29b4edb7ec20fb
-
SHA1
c12a45b9cf33a1881c34e0e3d469e7d039130426
-
SHA256
7390d25410ff7cf2690c1d340f46578881687443fd3653283cf3818769bbb848
-
SHA512
75b23e5f3a1fb90424932a211cbdac7c8c3c078a57d8d6754e15d9bdaa4cd7b58ff91abb36a20639597a149b2aa8a1a4feec75a31233afb02a7e4d303f497f5b
-
SSDEEP
3072:kMSncRzAOP4g5IdrO79+lHNNqqRPsO98bx0NO4lzv:XSncRlPbI1O7kNPRPp98V0xl
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1