Extracted

• • Target

    전자세금계산서·pdf.vbs

  • Size

    86KB

  • MD5

    8b88faca30c1d912d945515b0edce924

  • SHA1

    62d5bee19f043112784832da29a423e1a35cdbae

  • SHA256

    2a3615e8c977f2a9411c9fef294c7dd53986ce084579340b55977544fc94f143

  • SHA512

    be3f1dcdb304cf2e72c9f305cc24c3cb99c6a7579b5d5c69c77f14cdfb12dad82cc3b1ba875d0e94c86cafc740a10a4bfc7eb809c58b9c01ece4dc1fc1e549f9

  • SSDEEP

    1536:R70tt9i0kFFGd9p6puoNyVnJrsI/FBqqOkbSApBknXZ8Y4apgi1VdXaAj2LvbAP:RQL9ihHU9Yu4kn1OEDp6nXZ8YjpTVdus

  Score

  10^/10

  discoveryremcosremotehostcollectioncredential_accessevasionratstealertrojan

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Remcos family

    remcos

  • UAC bypass

    evasiontrojan

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • Blocklisted process makes network request

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts

    collection

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2