General
- Target: 31102024_0254_Kaufvertrag-Markus-Daten.vbs
- Size: 366KB
- Sample: 241031-dd3b1swqhs
- MD5: 28489bd43750ec8a5017ec4bb7ca68e2
- SHA1: 90e42439a8179e56d56ffd5a2c97d7ff7f0daaca
- SHA256: 7e6c9757b46fc71815670a8056b6db913409bb571775642ef865ea633fe41cc9
- SHA512: 9470e3c42bf13f73bf43abdaacad0721a213b0e5b9376a2ce813ba39d55f8e154fe959dce2dd0cf6cb56904fbbf0003360e4f38e576cf330447cb8d0b9ff1f1c
- SSDEEP: 6144:QUad3PmM9BogPjFvVHhSZH/7h4hpAQErkpZPU/I7CIkKOmPPMWUwUhkOy96SZGFT:aQL6PErk7gvOZMmanT1A02Oh
Static task
- static1

Behavioral task
- behavioral1
  Sample: 31102024_0254_Kaufvertrag-Markus-Daten.vbs
  Resource: win7-20240903-en

Behavioral task
- behavioral2
  Sample: 31102024_0254_Kaufvertrag-Markus-Daten.vbs
  Resource: win10v2004-20241007-en
Malware Config
Extracted: remcos
- TelOu62tos
- www.tla-autos.com:9945
- audio_folder: MicRecords
- audio_path: ApplicationPath
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: TeleAuto8926-8WB4GE
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: 31102024_0254_Kaufvertrag-Markus-Daten.vbs
- Size: 366KB
- MD5: 28489bd43750ec8a5017ec4bb7ca68e2
- SHA1: 90e42439a8179e56d56ffd5a2c97d7ff7f0daaca
- SHA256: 7e6c9757b46fc71815670a8056b6db913409bb571775642ef865ea633fe41cc9
- SHA512: 9470e3c42bf13f73bf43abdaacad0721a213b0e5b9376a2ce813ba39d55f8e154fe959dce2dd0cf6cb56904fbbf0003360e4f38e576cf330447cb8d0b9ff1f1c
- SSDEEP: 6144:QUad3PmM9BogPjFvVHhSZH/7h4hpAQErkpZPU/I7CIkKOmPPMWUwUhkOy96SZGFT:aQL6PErk7gvOZMmanT1A02Oh
- Score: 10/10

Signatures
- Remcos family
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger