General
-
Target
212a56150b50e4bb9b18a8b6c10e2f0b0c18f6d74cb6d41065f8fee0fe2bd39c
-
Size
137KB
-
Sample
240626-xsq23s1epr
-
MD5
7d421d9e6ce2288ccd3bf812e84e1958
-
SHA1
b68144ec39afef3248c53315379759b681918567
-
SHA256
212a56150b50e4bb9b18a8b6c10e2f0b0c18f6d74cb6d41065f8fee0fe2bd39c
-
SHA512
27df2876b389d0af3a8d2b35d23cf3ed648330c8fe181e25fd287cc84cf1295c821f3dd0ea494cb900606d18b45829cb086b7e07a3e977bbfdcd7ae815355cd0
-
SSDEEP
1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKg:xPd4n/M+WLcilrpgGH/GwY87mVmIXGD3
Static task
static1
Behavioral task
behavioral1
Sample
212a56150b50e4bb9b18a8b6c10e2f0b0c18f6d74cb6d41065f8fee0fe2bd39c.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
212a56150b50e4bb9b18a8b6c10e2f0b0c18f6d74cb6d41065f8fee0fe2bd39c.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
Family
remcos
Version
1.7 Pro
Host
systemcontrol.ddns.net:45000
systemcontrol2.ddns.net:45000
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
OfficeUpgrade.exe
-
copy_folder
OfficeUpgrade
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
Upgrader.dat
-
keylog_flag
false
-
keylog_folder
Upgrader
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
req_khauflaoyr
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
OfficeUpgrade
-
take_screenshot_option
false
-
take_screenshot_time
5
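The extracted configuration above is directly usable as a hunting artifact: the two DDNS C2 hosts and port, the copy path under %AppData%, the Run key value name, the keylog file path and the mutex name are all concrete indicators. The following Python is an added example, not part of the sandbox report, that derives those indicators from the config values and matches them against endpoint telemetry. The event records are constructed for illustration, and the record schema (`registry_set`, `file_create`, `dns_query`, `network_connect`, `mutex_create`) is an assumption; map it onto whatever your EDR or Sysmon pipeline emits. Note that the config reports `install_flag` false, yet the behavioral run still fired "Adds Run key to start application", so the install-path indicators should be treated as live rather than dormant.

```python
import re

# Values copied from the extracted Remcos config in this report.
REMCOS_CONFIG = {
    "Host": ["systemcontrol.ddns.net:45000", "systemcontrol2.ddns.net:45000"],
    "install_path": "%AppData%",
    "copy_folder": "OfficeUpgrade",
    "copy_file": "OfficeUpgrade.exe",
    "keylog_path": "%AppData%",
    "keylog_folder": "Upgrader",
    "keylog_file": "Upgrader.dat",
    "startup_value": "OfficeUpgrade",
    "mutex": "req_khauflaoyr",
}

# %AppData% resolves to <profile>\AppData\Roaming. Collapse that prefix so the
# config's placeholder paths compare against real paths from any user profile.
_APPDATA_RE = re.compile(r"^.*?\\appdata\\roaming(?=\\)", re.IGNORECASE)


def normalize_path(path):
    """Lower-case a Windows path and fold the roaming profile prefix to %appdata%."""
    return _APPDATA_RE.sub("%appdata%", path).lower()


def build_iocs(cfg):
    """Derive host and network indicators from the extracted config."""
    c2 = set()
    for entry in cfg["Host"]:
        host, _, port = entry.rpartition(":")
        c2.add((host.lower(), int(port)))
    paths = {
        normalize_path("\\".join([cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]])),
        normalize_path("\\".join([cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]])),
    }
    return {
        "c2": c2,
        "paths": paths,
        "run_value": cfg["startup_value"].lower(),
        "mutex": cfg["mutex"],
    }


def match_events(events, iocs):
    """Return (indicator, event) pairs for telemetry records that hit an IOC.

    The event schema here is an assumption made for this example.
    """
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set":
            in_run_key = ev["key"].lower().endswith("\\currentversion\\run")
            if in_run_key and ev["value_name"].lower() == iocs["run_value"]:
                hits.append(("run_key_value", ev))
            elif normalize_path(ev["data"]) in iocs["paths"]:
                hits.append(("run_key_target", ev))
        elif kind == "file_create":
            if normalize_path(ev["path"]) in iocs["paths"]:
                hits.append(("dropped_file", ev))
        elif kind == "dns_query":
            # DDNS names re-point to new IPs; match on the name, not the address.
            if any(ev["query"].lower() == host for host, _ in iocs["c2"]):
                hits.append(("c2_dns", ev))
        elif kind == "network_connect":
            if (ev["dst_host"].lower(), ev["dst_port"]) in iocs["c2"]:
                hits.append(("c2_connect", ev))
        elif kind == "mutex_create":
            if ev["name"] == iocs["mutex"]:
                hits.append(("mutex", ev))
    return hits


# Constructed telemetry: five records that should hit, three benign decoys.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "OfficeUpgrade",
     "data": "C:\\Users\\bob\\AppData\\Roaming\\OfficeUpgrade\\OfficeUpgrade.exe"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "OneDrive",
     "data": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    {"type": "file_create", "path": "C:\\Users\\bob\\AppData\\Roaming\\Upgrader\\Upgrader.dat"},
    {"type": "file_create", "path": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Word\\Normal.dotm"},
    {"type": "dns_query", "query": "systemcontrol2.ddns.net"},
    {"type": "network_connect", "dst_host": "systemcontrol.ddns.net", "dst_port": 45000},
    {"type": "network_connect", "dst_host": "systemcontrol.ddns.net", "dst_port": 443},
    {"type": "mutex_create", "name": "req_khauflaoyr"},
]


if __name__ == "__main__":
    for indicator, event in match_events(SAMPLE_EVENTS, build_iocs(REMCOS_CONFIG)):
        print(f"{indicator:14s} {event}")
```

The port is kept in the C2 tuple deliberately: the same DDNS name on a different port is a weaker signal (the decoy on 443 above does not match), and the name-only DNS check covers the case where the connection itself was not logged. The `run_key_target` branch catches a rename of the Run value name while the binary still sits in the configured install path.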
Targets
Score
10/10
-
Detects Windows executables potentially bypassing UAC using eventvwr.exe
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-