General
Target: 3a923e1c1267143a53bbf3e0242069f8c3b5084a8eea62312c56b1baa6300a71
Size: 877KB
Sample: 250403-c17dtaxvet
MD5: a91aafd90356be290f2fd36f7833ca8b
SHA1: f43e68ee6bd4b5d4604f6dcadccf879b95f6bb21
SHA256: 3a923e1c1267143a53bbf3e0242069f8c3b5084a8eea62312c56b1baa6300a71
SHA512: c6b485aa102cfdc67f1ef2dbd6adb60b470f65884d40d0f9e143d539e4e80b8ead2884b9f30185b44ae445f94b515d1085e8b3bf55cfa00d0a3ad2dff8c79af1
SSDEEP: 24576:x6/xBa66oRAcReyvG8tQParwlgDOMj5dMMdi4:QraOts38trwlIOG24
Static task: static1
Behavioral task: behavioral1
Sample: PO250410-002.exe
Resource: win10v2004-20250314-en
Malware Config
Extracted: remcos
RemoteHost:
  127.0.0.1:45111
  196.251.92.84:45111
  ikechi2.duckdns.org:45111
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-ZKI7L3
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: PO250410-002.exe
Size: 1.3MB
MD5: c9d6a278ac02155c66b6cf5b1fbb1b30
SHA1: 05f655a5bbba910caea1062b9e0cd54da218a25f
SHA256: cd5ef4c1b4c9e2b17ce5c39cf35eec1de1d42dc384b2fde7e2b122459579906b
SHA512: e74d6a943dc3f695b65231ff4ede46a1749abf25636e3792901c45ce70de15140542bd196460b9a9f30ddf63ec8d69765b335f4781fb76460c9ac9087e05e116
SSDEEP: 24576:au6J33O0c+JY5UZ+XC0kGso6FaKR3Wyr88XQPaZWlW388F5d+USqWY:su0c++OCvkGs9Fa+Wz8XZWlO8+kY
Score: 10/10

Signatures
Remcos family
Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
NirSoft MailPassView: Password recovery tool for various email clients
NirSoft WebBrowserPassView: Password recovery tool for various web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext