invoice_2818144.vbs

General
Target

invoice_2818144.vbs

Size

226B

Sample

210929-ap75vsddan

Score
10 /10
MD5

fce037aad780c08c85db2f24bff80cfa

SHA1

881fc64b6fe1dad9459327e931399635fc1fe27c

SHA256

cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89

SHA512

cc3b7adfa276163c33fd5cb62dacf0ae754d53d749b0ed95686a42344ecd1cb94a712f89cc6a2ddaae2eaff90a6ac9913fd368ce196612a2a861fba9eecfbb95

Malware Config

Extracted

Family remcos
Version 3.2.1 Pro
Botnet RemoteHost
C2

snackebay.ddns.net:7676

Attributes
audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remasascos-LVXDHO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;
Targets
Target

invoice_2818144.vbs

MD5

fce037aad780c08c85db2f24bff80cfa

Filesize

226B

Score
10/10
SHA1

881fc64b6fe1dad9459327e931399635fc1fe27c

SHA256

cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89

SHA512

cc3b7adfa276163c33fd5cb62dacf0ae754d53d749b0ed95686a42344ecd1cb94a712f89cc6a2ddaae2eaff90a6ac9913fd368ce196612a2a861fba9eecfbb95

Tags

Signatures

  • Registers COM server for autorun

    Tags

    TTPs

    Registry Run Keys / Startup Folder
  • Remcos

    Description

    Remcos is a closed-source remote control and surveillance software.

    Tags

  • Blocklisted process makes network request

  • Drops startup file

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Privilege Escalation
                      Tasks

                      static1

                      behavioral1

                      10/10