General
Target: sostener.vbs
Size: 156KB
Sample: 231207-r2fptacb68
MD5: 6b28299322157cbfd18c65db5e060c1f
SHA1: 91948228f5c1a24195d05e07c0708132a93e2792
SHA256: 091ed4cf3a6edce5f8c2c51e94d3b1e25a7ccc786a1f49eea463da386c03df5a
SHA512: a9a5a3e9341de87463d9d6bfca1f7f507e6ee93ccc12b4cc2a4d3ddc862a4b3fcd2c6e125c2c154dea17a1be35ae90692b17bab9c3d1dab0f4af078739174dfc
SSDEEP: 3072:2hNhNhNhNhNhNhNQhGhNhNhNhNhNhNhNhehmhNhNhNhNhNhNhNhJhThNhNhNhNhW:2hNhNhNhNhNhNhNQhGhNhNhNhNhNhNhA
Static task: static1
Behavioral task: behavioral1 (sample: sostener.vbs, resource: win7-20231023-en)
Behavioral task: behavioral2 (sample: sostener.vbs, resource: win10v2004-20231127-en)
Malware Config
Extracted: https://uploaddeimagens.com.br/images/004/682/796/original/dll.jpg?1701793965
Extracted: remcos
RemoteHost: remccoss2023.duckdns.org:4576
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: registros.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-E5ZBB0
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Capturas de pantalla
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: sostener.vbs
Score: 10/10
- Blocklisted process makes network request
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Drops startup file
- Suspicious use of SetThreadContext