General

Target: f78002f680950372a3ede345fbcd0238af1d97b363cffee9786b67b81afe5524
Size: 1.7MB
Sample: 240623-garb5a1flc
MD5: 85310514a52ac2bafd84419c2804c77a
SHA1: 604f316febb58698d6c5509ec6e274dbc903ab3b
SHA256: f78002f680950372a3ede345fbcd0238af1d97b363cffee9786b67b81afe5524
SHA512: fe32d2bf1c07a44e44978d97c4026478c1eab6864b7df675e8d3abb50146057c8a462a8be4621c3c969b7e5715e6740c282e4949f9c84c4fdb3d5a03a76acb5c
SSDEEP: 24576:+D39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjYaF:+p7E+QrFUBgq29
Static task: static1
Behavioral task: behavioral1
Sample: f78002f680950372a3ede345fbcd0238af1d97b363cffee9786b67b81afe5524.exe
Resource: win7-20240611-en
Malware Config

Extracted
Family: remcos
Version: 1.7 Pro
Host: 213.183.58.19:4000

audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: read.dat
keylog_flag: false
keylog_folder: CastC
keylog_path: %AppData%
mouse_option: false
mutex: remcos_sccafsoidz
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
Targets

Target: f78002f680950372a3ede345fbcd0238af1d97b363cffee9786b67b81afe5524
Size: 1.7MB
MD5: 85310514a52ac2bafd84419c2804c77a
SHA1: 604f316febb58698d6c5509ec6e274dbc903ab3b
SHA256: f78002f680950372a3ede345fbcd0238af1d97b363cffee9786b67b81afe5524
SHA512: fe32d2bf1c07a44e44978d97c4026478c1eab6864b7df675e8d3abb50146057c8a462a8be4621c3c969b7e5715e6740c282e4949f9c84c4fdb3d5a03a76acb5c
SSDEEP: 24576:+D39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjYaF:+p7E+QrFUBgq29
Signatures
- Detects Windows executables potentially bypassing UAC using eventvwr.exe
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
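The extracted config and the behavioral signatures above are most useful when turned into concrete hunt indicators: the C2 host and port, the mutex, the Run key value, the dropped-copy path (`install_path\copy_folder\copy_file`, i.e. `%AppData%\remcos\remcos.exe`) and the keylog file path. Note that `install_flag`, `keylog_flag` and `screenshot_flag` are all `false` in this config while the sandbox still observed a Run key being added, so the path and Run value derived from the config are hunting hints, not guaranteed artifacts. The following is an added example and not part of the sandbox report or the Remcos family itself: it derives those indicators from the config values transcribed from this page and matches them against constructed endpoint telemetry in a generic `key=value` shape (not real sandbox or EDR output). The `EventType` names and field names are assumptions for the example; the `mscfile\shell\open\command` registry path is the well-known location abused by the eventvwr.exe UAC bypass that the first signature refers to.

```python
import ntpath
import re
from typing import Optional

# Values transcribed from the "Malware Config" section of this report.
REMCOS_CONFIG = {
    "host": "213.183.58.19:4000",
    "mutex": "remcos_sccafsoidz",
    "install_path": "%AppData%",
    "copy_folder": "remcos",
    "copy_file": "remcos.exe",
    "startup_value": "remcos",
    "keylog_path": "%AppData%",
    "keylog_folder": "CastC",
    "keylog_file": "read.dat",
}

# Registry locations implied by the signatures. The Run key is the standard
# per-user autostart; the mscfile handler is the key abused by the eventvwr.exe
# UAC bypass (a well-known fact, not something stated in the report itself).
RUN_KEY = r"software\microsoft\windows\currentversion\run"
EVENTVWR_BYPASS_KEY = r"software\classes\mscfile\shell\open\command"


def indicators(cfg: dict) -> dict:
    """Derive hunt-ready indicators from a Remcos config dict."""
    host, port = cfg["host"].rsplit(":", 1)
    return {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        # Only the path suffix is matched so any user profile directory works.
        "install_suffix": ntpath.join(cfg["copy_folder"], cfg["copy_file"]).lower(),
        "keylog_suffix": ntpath.join(cfg["keylog_folder"], cfg["keylog_file"]).lower(),
        "run_value": cfg["startup_value"].lower(),
    }


# key=value tokens; quoted values may contain spaces (assumed telemetry format).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one telemetry line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(event: dict, ioc: dict) -> Optional[str]:
    """Return a label if the event matches one of the indicators, else None."""
    kind = event.get("EventType")
    if kind == "NetworkConnect":
        if (event.get("DestinationIp") == ioc["c2_host"]
                and event.get("DestinationPort") == str(ioc["c2_port"])):
            return "remcos_c2"
    elif kind == "RegistryValueSet":
        target = event.get("TargetObject", "").lower()
        if EVENTVWR_BYPASS_KEY in target:
            return "eventvwr_uac_bypass"
        if target.endswith(RUN_KEY + "\\" + ioc["run_value"]):
            return "run_key_persistence"
    elif kind == "CreateMutant":
        if event.get("Name") == ioc["mutex"]:
            return "remcos_mutex"
    elif kind == "FileCreate":
        path = event.get("TargetFilename", "").lower()
        if path.endswith("\\" + ioc["install_suffix"]):
            return "remcos_dropped_copy"
        if path.endswith("\\" + ioc["keylog_suffix"]):
            return "remcos_keylog_file"
    return None


def hunt(lines, cfg=REMCOS_CONFIG):
    """Run every line through classify(); return (line number, label) hits."""
    ioc = indicators(cfg)
    hits = []
    for n, line in enumerate(lines, 1):
        label = classify(parse_event(line), ioc)
        if label:
            hits.append((n, label))
    return hits


# Constructed telemetry for the example (not real sandbox or EDR output).
# Lines 2 and 4 are benign decoys that must not match.
SAMPLE_TELEMETRY = [
    'EventType=NetworkConnect Image="C:\\Users\\u\\AppData\\Roaming\\remcos\\remcos.exe" DestinationIp=213.183.58.19 DestinationPort=4000',
    'EventType=NetworkConnect Image="C:\\Windows\\System32\\svchost.exe" DestinationIp=8.8.8.8 DestinationPort=53',
    'EventType=RegistryValueSet TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"',
    'EventType=RegistryValueSet TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"',
    'EventType=RegistryValueSet TargetObject="HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)"',
    'EventType=CreateMutant Name=remcos_sccafsoidz',
    'EventType=FileCreate TargetFilename="C:\\Users\\u\\AppData\\Roaming\\remcos\\remcos.exe"',
    'EventType=FileCreate TargetFilename="C:\\Users\\u\\AppData\\Roaming\\CastC\\read.dat"',
]

if __name__ == "__main__":
    for n, label in hunt(SAMPLE_TELEMETRY):
        print(f"line {n}: {label}")
```

Matching on path suffixes rather than the literal `%AppData%` string keeps the rules valid for any profile directory, and the C2 rule pins both host and port because a Remcos build can be reconfigured to a different port on the same host; the `SetThreadContext` signature is not covered here because it describes an API call pattern (typically process injection) rather than an artifact a config-derived rule can name.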