Overview

overview

10

Static

static

Appraisal.vbs

windows7_x64

10

Appraisal.vbs

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Appraisal.vbs

  • Size

    706B

  • Sample

    210426-zemd4ja3x6

  • MD5

    b201aa5242dd9b32ec9c38e1f999c723

  • SHA1

    61ab2c43d19c6441e394561e0441890168b9a9ab

  • SHA256

    d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55

  • SHA512

    a21aeb8a0ec963875d75ba4920f3bde9a134717a910b94a2743ab7051dabe9e17a5e0a15aeb51be26373f0cb6313b6c964bef2ebb318061074399296d5c5ddfc

Score
10/10
remcosrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia601406.us.archive.org/10/items/all_20210426/ALL.TXT

Extracted

Family

remcos

C2

185.19.85.168:1723

Targets

    • Target

      Appraisal.vbs

    • Size

      706B

    • MD5

      b201aa5242dd9b32ec9c38e1f999c723

    • SHA1

      61ab2c43d19c6441e394561e0441890168b9a9ab

    • SHA256

      d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55

    • SHA512

      a21aeb8a0ec963875d75ba4920f3bde9a134717a910b94a2743ab7051dabe9e17a5e0a15aeb51be26373f0cb6313b6c964bef2ebb318061074399296d5c5ddfc

    Score
    10/10
    remcosrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Nirsoft

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks