General
-
Target
9ce9b8793d75a23f6ba6ee34f7a82f60e67341834f79bb73ea24e24e905dd468.vbs
-
Size
156KB
-
Sample
240517-b7asrabf4s
-
MD5
92fb04e0f8028a0889c35bf998aad436
-
SHA1
1b629e0a8bec9d33c38ca47f043df6f3a3a1cc9d
-
SHA256
9ce9b8793d75a23f6ba6ee34f7a82f60e67341834f79bb73ea24e24e905dd468
-
SHA512
8a348f5eb6a48c0773ca00a8186ec1b088caa6cc0c9b1b6f58d82e3837856c4ba2c6b491557b603c858f05deb579a84405f34ff5bfb1654f0bab73adf1dd9a44
-
SSDEEP
1536:ViS+Od99CObilCocEW1aJK66n5yhtW0/5JpWn4cRx9qSZg0BFbUZlu9gISsRkf:VPdw9JK6X/vcjg0BFcB
Static task
static1
Behavioral task
behavioral1
Sample
9ce9b8793d75a23f6ba6ee34f7a82f60e67341834f79bb73ea24e24e905dd468.vbs
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
9ce9b8793d75a23f6ba6ee34f7a82f60e67341834f79bb73ea24e24e905dd468.vbs
Resource
win10v2004-20240426-en
Malware Config
Extracted
remcos
Protected
janbours92harbu01.duckdns.org:3980
janbours92harbu01.duckdns.org:3981
janbours92harbu02.duckdns.org:3980
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
kajsoiestc.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
aksoiestgb-1YOAXH
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
- startup_value
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
9ce9b8793d75a23f6ba6ee34f7a82f60e67341834f79bb73ea24e24e905dd468.vbs
-
Size
156KB
-
MD5
92fb04e0f8028a0889c35bf998aad436
-
SHA1
1b629e0a8bec9d33c38ca47f043df6f3a3a1cc9d
-
SHA256
9ce9b8793d75a23f6ba6ee34f7a82f60e67341834f79bb73ea24e24e905dd468
-
SHA512
8a348f5eb6a48c0773ca00a8186ec1b088caa6cc0c9b1b6f58d82e3837856c4ba2c6b491557b603c858f05deb579a84405f34ff5bfb1654f0bab73adf1dd9a44
-
SSDEEP
1536:ViS+Od99CObilCocEW1aJK66n5yhtW0/5JpWn4cRx9qSZg0BFbUZlu9gISsRkf:VPdw9JK6X/vcjg0BFcB
Score10/10-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
-
Detects executables built or packed with MPress PE compressor
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-