Extracted

• • Target

    Документи.bat

  • Size

    13KB

  • MD5

    4303710398af710fc8acfa7a732aafbd

  • SHA1

    42847713dd9c5313831656894505063c4949a018

  • SHA256

    0a2b1844b3ef7454a977db405d7b86cac2cf6e93cd09773db843290f1e9f0d97

  • SHA512

    d9d88afbfd28a3b0d422be566ba1113e8c21d3d82b32c611800536ef67eb0b9c06392b4d4413b8174b489be56ec0dd1e9ffadb991f197a0336fa1b3937c2001a

  • SSDEEP

    192:OqDZujXdVzn3qxkk5Eno3vvb17652yVjjG/tw+qNbgAcnjz9qjgZn5:ZsjtZnzxn0vb17MNu4B8jcEX

  Score

  10^/10

  remcoshost_onecollectiondiscoveryexecutionpersistenceratspywarestealer

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist

    discovery

  • Suspicious use of SetThreadContext

  behavioral1behavioral2

• • Target

    Документи.vbs

  • Size

    15KB

  • MD5

    f38ba7aa784bb8bcc526ecd9c6953bed

  • SHA1

    f32b215e22d5a7728b2bc2be84f3697e33126f13

  • SHA256

    2837b1cfc87c988e5475f47e4c9f146eb4094e192eebc91c4171d62a60735cd3

  • SHA512

    729adffc803b7ec7c8202e731b81a9c79bdb361a59e9bc1d250e7831c801de6ea3e2b0ff3e0a6d8dadb3f5d406242d128273c473b3074ceb2096a52fbd9e5de8

  • SSDEEP

    192:sWZsOMqxnDxLInuYCWGHn5qg/tyZdG97qwYVLtGcGPJZMxu2hlYF9WBMDxpnO/9m:sBO9xLIuLWGHnD0QWVLQPJmxNSiMFpWm

  Score

  10^/10

  remcoshost_onecollectiondiscoveryexecutionpersistenceratspywarestealer

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist

    discovery

  • Suspicious use of SetThreadContext

  behavioral3behavioral4