General
-
Target
12112024_2353_DocumentBT24pdf.vbs.zip
-
Size
46KB
-
Sample
241113-ab851asnbv
-
MD5
cc7b71a27716274190e3716e0d3cc349
-
SHA1
2b49521f8c1833ceef370033e130f38119fd5163
-
SHA256
eb88df06fa2f93f3615a04a593ff0c88098a6e4a9d0063dc3cfbd8931f0e625e
-
SHA512
2ba5d97a1372255b453fbdd61ec5dfbf9551f6844cfb0ae708f9b5a74c855a9bc4883d7d3297fe46ebd56a717f29d66afb0ae3fa2626bc5881c04afad1476472
-
SSDEEP
768:VEFQOVLjf0gRHK0G7/wpTGnnrqsb7YSxDoVYGrn9mRSRBjPM1VJdw0HwUMg4/1/O:VEqOVLjf0gRHsITGnVYuDoCGbktVJFnj
Static task
static1
Behavioral task
behavioral1
Sample
Document BT24·pdf.vbs
Resource
win7-20241010-en
Malware Config
Extracted
remcos
RemoteHost
dvlqrd8dhs.duckdns.org:46063
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-0IGFAQ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Document BT24·pdf.vbs
-
Size
86KB
-
MD5
acd9a75b2f33064da7ebef088ed16cb9
-
SHA1
8f51e47a0454c8032e2ecd90f85bb115e80b5f35
-
SHA256
cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4
-
SHA512
06525377cfdc4e75fab11fd907a65c611bb9c880fe56bc68b3baa108b266e472813d3824969d6e6584c6b7d90b65379dfc633a15ef17bf24705a8195a5c657b3
-
SSDEEP
1536:970ty9v0kvBGd9pOpuoNvhvJELsj+qOhkqXzkx5c3cYdg51VWXaAj2yTk:9Qk9vh5U9QLzFOhbwx5c3cYdqVWrTk
-
Remcos family
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2