General

  • Target

    CAN_POST2617276.vbs

  • Size

    718KB

  • Sample

    240830-h28k6asaqh

  • MD5

    f1d1f590417bd518800691a444bd49e5

  • SHA1

    9a59f7967234de4690bb98a2cff9b07a8f4b050d

  • SHA256

    8e6c733358a463e2f118d36832539ed65aec46c1f327ed01e5723f7593b9f388

  • SHA512

    4f09e4025a8ac9ddc75f00a9fd23737114e7477fa394b5bae1bd9ccbcccc11e64cb9aae3ed7cb37593f24b3ae90e2995d6e21468e63223f2ae72d94f6c3cf8c1

  • SSDEEP

    12288:Z8PRcsr+Fb2n6fMDGNxxa0/UxxMAWX62pc3AfRtx7DS3FSwiHoQ09g4JUM2tC+Xr:/g03M4pgZF+pu5at

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

    exe.dropper: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    remcosco222.duckdns.org:5642

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-UFGYXJ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      CAN_POST2617276.vbs

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
