General
-
Target
06112024_0158_NTU 報價請求項目 FMD2024UOS·pdf.vbs.zip
-
Size
8KB
-
Sample
241106-cdvrhasgjg
-
MD5
c6f378ee9e02d98b37a3ed5291ed1bee
-
SHA1
92dc19f62027daf5acabe5ad938e12e4597b9a0e
-
SHA256
fd159a5f1594eb2cf854a2ea8dd03846f73e99bfbf725f44d15659f36c29db51
-
SHA512
6e8b6fc10a97f9683600a20c72c686cc749432440f0f76dbd9ea82400ef950e8ac4c484346e71d165af971359f4f3f1c67c86a98737bbd5c7f3dc40f92a77e1d
-
SSDEEP
192:60mGDvsh+DlFDwugnXpOiNZOYxn+CHSdm6Bdn+jedD7IPXe09/x9i0Ed:xmfwDTDwppOijOYxnvSdvGKIe2/S
Malware Config
Extracted
remcos
RemoteHost
a458386d9.duckdns.org:3256
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-4EN793
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
NTU 報價請求項目 FMD2024UOS·pdf.vbs
-
Size
15KB
-
MD5
7a8593917a881f736dae40fd3e739aa9
-
SHA1
86f696ac97647bac9ef92b24e0818a97a70aee53
-
SHA256
424d1b064b6e0a04e251193013187b35a779473df7411dcc285dc1284cf618d7
-
SHA512
66ee428b08ac48a8550eeec67d3f41540dfb792e24408bb84a08888c69468dec834d0cff167cb62790f14277d35d173f239ee59b4af1c4fddd6b29b6169ed132
-
SSDEEP
192:qzb9JpgciToUkIWTErzlS8HIYVFlXQNE7VrMPQ2cV3766aT0VA:SbLuXTiTErZSCH3gNEmyPVA
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
UAC bypass
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Blocklisted process makes network request
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Modify Authentication Process
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Authentication Process
1Modify Registry
3