General
Target: 30102024_0722_Kemilab-291024Updatedpricelist.vbs.gz
Size: 329KB
Sample: 241030-jgja7sxpas
MD5: 6261b2fa2e7435cfa1f5c6eb9e9ef881
SHA1: 4ffacfc4616515f46d96b25e0f5274b552a9621c
SHA256: 9c846be3b660bd458875edf13af88e8e855e934c09458b3e5e469f788136edaf
SHA512: 9e20d3f152b5b1ed4d6054a0db38f1f6e1a7c38efd12c59e15dfc300b5b281461c46cb20a9f1b68821171eda73a1bb889d620a009b66d019710ea88bb6cf9492
SSDEEP: 6144:ci5o+pLlXJ1tnin9NmIH9/mRBi0Jlblqj+TT7y6loQDQ0CS1XXhVcDB/cL:cKl51tiCGmBiGYj+TTrhDQ0dcFUL
Static task: static1
Behavioral task: behavioral1
Sample: Kemilab - 291024 Updated price list.vbs
Resource: win7-20240903-en
Malware Config
Extracted: remcos
duntc
duntcesst.duckdns.org:53956
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-HBDZ3I
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: Kemilab - 291024 Updated price list.vbs
Size: 762KB
MD5: be194e845d98b549c86d0b9554195b0e
SHA1: 5385080d90d6ff6639094e0ceb8cb93ec1a76007
SHA256: 254fcdccf5d7bbd1b807f553d85da4213c86cc538ac0fbaef3dcd25e6b5537e2
SHA512: 46f37fd62aaaed52d64533f6da24078e06982b5f05ab2dfecd2a8eaef30e354835d9e77389b91d177e185f5ae341e3547bf3e6564af283a0ef638f56043f0ce1
SSDEEP: 6144:GLhgReyC6VWe1rl+o0c6dM5t2wgtTuIflUbbp5lrmhKgzoCMWkm3Lvf3/0gFKMcu:dov97Hfeaz86Cq1BQVglyLE1HfJyuWo
- Remcos family
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger