Analysis

  • max time kernel
    298s
  • max time network
    301s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    19-08-2021 12:37

General

  • Target

    HOH76746.js

  • Size

    1.7MB

  • MD5

    e261e68bcae0c10642170416082702b7

  • SHA1

    6c9b48b65090ec13326a07bef72b1c3995f72513

  • SHA256

    f126bcd906ba8815594cd987e4ba8852bccd58d813ac415a626e66ab5a395db2

  • SHA512

    05979d43fee175648476accc5562a02c9736337e21ca850ce893791365f5b54f55f9b6813cc0a20d2781ba09c16b6425ee01cb853ab546e049bc1e7e03dd8818

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

250million

C2

www.ommi-it.com:8760

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    250million-2CWGNX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 34 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe (depth 1)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\HOH76746.js
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Windows\System32\wscript.exe (depth 2)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OrmKzxDqEk.js"
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1900
    • C:\Users\Admin\AppData\Roaming\250million.exe (depth 2)
      "C:\Users\Admin\AppData\Roaming\250million.exe"
      • Executes dropped EXE
      PID:2472

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 hit
  • Defense Evasion: Modify Registry (T1112), 1 hit
  • Discovery: System Information Discovery (T1082), 1 hit

Downloads

  • C:\Users\Admin\AppData\Roaming\250million.exe
    MD5

    d9569e6f7afd3afb9debc99245595adb

    SHA1

    b3e25ed7212be6a1fb0567a14fe9385941086794

    SHA256

    e3f38af5cd488978bbc4156eb62e881c04df48055f5e6819eabcca429c9051d7

    SHA512

    f195cebe98d30bb2a0ca7c07cd984a22cd201288d75e15f000ff41d901f09f825a591d71e4799ab320892b8625a62196e792ce57eb618ef6b3ceb826a8bb9a21

  • C:\Users\Admin\AppData\Roaming\OrmKzxDqEk.js
    MD5

    4ddac2fa49c2f9f17a5faad271025659

    SHA1

    575f942637af4b6e75eba0d046acd7ab67914714

    SHA256

    810c2f963f1741e83aae85cd7e93a99435557f230966cb6632ca405e9482df34

    SHA512

    d26169bd1430337a6dc27b2a75238108701c670bafb52b44f9d07ef70e3dd0b0d385009d7317e06ab159e6be0b41c1c6e356a82e8cb9c88ebd68fbcb77a2bd2f

  • memory/1900-114-0x0000000000000000-mapping.dmp
  • memory/2472-116-0x0000000000000000-mapping.dmp