General

Target: USD_Payment-Advice69802 Nogales 2023-07-11 .vbs
Size: 2.1MB
Sample: 230711-gjmqased76
MD5: cda952ff91b69f2d70c56f427bafe567
SHA1: 35f438e7d1340aba7046620c1b3a58c9615d0ff8
SHA256: eb5c9cc7fec783579f200884eef6b349b2a7e65a99b69a872c0de1e717211b7d
SHA512: 831e38b8360738210c9e53dbadffa25215a40c09a370c654ec1f46fbd76293696cf6e5aaaf3d9b079cbc3ce0add12b4fe8b32d34074233c6e5cf492303c13929
SSDEEP: 6144:aK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8d:Y3CM0Y

Static task: static1
Behavioral task: behavioral1 (sample: USD_Payment-Advice69802 Nogales 2023-07-11 .vbs; resource: win7-20230703-en)
Behavioral task: behavioral2 (sample: USD_Payment-Advice69802 Nogales 2023-07-11 .vbs; resource: win10v2004-20230703-en)
Malware Config

Extracted: remcos
Adobe-Crusher
ea01299e9ae43df8612cc3ecf2c968c41c55b74b483d44927dbc5185bd.crusherx1.cfd:2404

audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-N2JN6L
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets

Target: USD_Payment-Advice69802 Nogales 2023-07-11 .vbs
Size: 2.1MB
(MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General)
Signatures:
Blocklisted process makes network request
Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Adds Run key to start application
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext