General
-
Target
URGENTDHLinvoiceSG00101637Adobepdf.vbs
-
Size
15KB
-
Sample
241125-gzwcdasras
-
MD5
84183b62bf0c860efeaea9604efbfe3a
-
SHA1
4cc58ad007613902ff2118cb7091042f37ba394f
-
SHA256
b4eff9a95f5eeeaee8c4e4a8ce366f478acf9f309e1df6db8a93375045982c5a
-
SHA512
916c80269eec78f3391e67819a3fa9a4a64a52a2e7909c5a2a3f310211e1aba01534a932f6df06df8d70ec0ea7d641c7e5b9b5e527045a6f27b65a128f19a81b
-
SSDEEP
384:WxaWEl8MDBPMpf/X1tBoCPSn5otbq+4Xs4kDyLuoWt:gEl8MDBPy3X7BoBCtbq+4XspDyHWt
Static task
static1
Behavioral task
behavioral1
Sample
URGENTDHLinvoiceSG00101637Adobepdf.vbs
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
URGENTDHLinvoiceSG00101637Adobepdf.vbs
Resource
win10v2004-20241007-en
Malware Config
Extracted
remcos
RemoteHost
gnsuw4-nsh6-mnsg.duckdns.org:3613
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-8OIXMO
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
URGENTDHLinvoiceSG00101637Adobepdf.vbs
-
Size
15KB
-
MD5
84183b62bf0c860efeaea9604efbfe3a
-
SHA1
4cc58ad007613902ff2118cb7091042f37ba394f
-
SHA256
b4eff9a95f5eeeaee8c4e4a8ce366f478acf9f309e1df6db8a93375045982c5a
-
SHA512
916c80269eec78f3391e67819a3fa9a4a64a52a2e7909c5a2a3f310211e1aba01534a932f6df06df8d70ec0ea7d641c7e5b9b5e527045a6f27b65a128f19a81b
-
SSDEEP
384:WxaWEl8MDBPMpf/X1tBoCPSn5otbq+4Xs4kDyLuoWt:gEl8MDBPy3X7BoBCtbq+4XspDyHWt
-
Remcos family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Blocklisted process makes network request
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook accounts
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Authentication Process
1Modify Registry
2