Extracted

• • Target

    URGENT!! DHL invoice SG00101637 Adobe·pdf.vbs

  • Size

    15KB

  • MD5

    84183b62bf0c860efeaea9604efbfe3a

  • SHA1

    4cc58ad007613902ff2118cb7091042f37ba394f

  • SHA256

    b4eff9a95f5eeeaee8c4e4a8ce366f478acf9f309e1df6db8a93375045982c5a

  • SHA512

    916c80269eec78f3391e67819a3fa9a4a64a52a2e7909c5a2a3f310211e1aba01534a932f6df06df8d70ec0ea7d641c7e5b9b5e527045a6f27b65a128f19a81b

  • SSDEEP

    384:WxaWEl8MDBPMpf/X1tBoCPSn5otbq+4Xs4kDyLuoWt:gEl8MDBPy3X7BoBCtbq+4XspDyHWt

  Score

  10^/10

  remcosremotehostcollectioncredential_accessdiscoveryevasionexecutionratstealertrojan

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Remcos family

    remcos

  • UAC bypass

    evasiontrojan

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Blocklisted process makes network request

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts

    collection

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2