General
Target: EFEMACPedido0180040240418.vbs
Size: 187KB
Sample: 240418-h9ja8sga6w
MD5: f08f508e797fa19d89a8a4688019fd99
SHA1: 32de77ff5689fbc68f64aa9cfd4405cc2686fd85
SHA256: 610119f52d69e8132b0130740836426d0b25fe5300ee4e12f2c51d1e36fec546
SHA512: d33d6dbbac2945a22483026039a6f007698bbbc8a0e507a6cf14fb2a64e92125adbc5081c914fc5e7d6ff73c7018b28c38fa21b01a4c164b7e6fab7cc62c014d
SSDEEP: 3072:2MC8jqTKK8ccABOwbDS2y2zJETxUuoHh3uSH/OY6C1HwvBpVs2RtBZo5mFSarDYM:QTR8ccABOwbDA2zJETxVu1NH/vsd7tBb
Static task: static1
Behavioral task: behavioral1
  Sample: EFEMACPedido0180040240418.vbs
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: EFEMACPedido0180040240418.vbs
  Resource: win10v2004-20240412-en
Malware Config
Extracted: remcos
Protect
darvien99lakoustr01.duckdns.org:3770
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: lmouitrs.dat
keylog_flag: false
keylog_path: %AppData%
mouse_option: false
mutex: akmsnxbfg-E906PA
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value:
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: EFEMACPedido0180040240418.vbs
Size: 187KB
Score: 10/10
Signatures:
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext