Resubmissions

12/12/2023, 15:39

231212-s3zdzsfehm 10

12/12/2023, 15:32

231212-syk1ssfdgp 10

12/12/2023, 15:28

231212-swhgwshad3 10

General

  • Target

    Billed-report2023xls.vbs

  • Size

    135KB

  • Sample

    231212-s3zdzsfehm

  • MD5

    81df0d95d784fd74d88174859e7ab470

  • SHA1

    03aed26ac800ea6c492e64fb5fd5ab928b3564ee

  • SHA256

    da59502967c26be14e52f229feb80beb4672ad5454eb943969f1da9a21815886

  • SHA512

    4b76ec39584ab792f17dee8e435834ac50c3c9285fc30fee5a65b32ebf54fc3e918032caeb7f550f0d5d577faf45a8613ec040c6e318afcc0be1f7a47dbd4689

  • SSDEEP

    3072:8DupClYAAAA/AAAA4AAAA4AAAA4AAAA4AAAA4AAAAFsx7YX2ojcAAAA4AAAA4AA3:3

Score
10/10

Malware Config

Extracted

Language: ps1
Deobfuscated
URLs
  • ps1.dropper

    https://textbin.net/raw/ezjmofz3s6

Extracted

Family

remcos

Botnet

RemoteHost

C2

rdm.accesscam.org:8080

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-2OASEE

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Remcos

      Remcos is closed-source remote-control and surveillance software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Suspicious use of SetThreadContext
