Extracted

• • Target

    PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.vbs

  • Size

    85KB

  • MD5

    736c66558711ee1a2cbf31dd7a30f618

  • SHA1

    8068ed77dbf5b384bf4b36a495bc867fefcc6ed8

  • SHA256

    fbfdf6aee524001b40e5aa011341036a9cfc804c7e328b6cae691de62fff59c3

  • SHA512

    d8bb2933affb1054813b978f54d621d80a5bfe113d3de25706f251673288a49447539f871683fcd8aaaaecf7f73c1975bec55cf411cbaffc9b29555952682f5c

  • SSDEEP

    1536:o70tN910kK4Gd9pzpuoNay2kJtvSgsJUqtkkyCX+7oYLgR1VCXaAj2DexCmG:oQP91hbU9NeatvST1tgCXWoYLEVCgexa

  Score

  10^/10

  remcosremotehostcollectioncredential_accessdiscoveryevasionratstealertrojan

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Remcos family

    remcos

  • UAC bypass

    evasiontrojan

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Blocklisted process makes network request

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts

    collection

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2