Extracted

• • Target

    SOLICITUD DE PRESUPUESTO 27-11-2024·pdf.vbs

  • Size

    33KB

  • MD5

    3ce766fced81c253e1d82f6fb1897fa0

  • SHA1

    b929522021b4a1c40993c0b51ae9c0f9c76cdca2

  • SHA256

    0ba724668ce99b2a3241ff89f4f83a27fdc7225b400d0abe304f00881a2c7be9

  • SHA512

    e9ddfa767da48747a1670755441ca476192500eb352f2b05b449e8a2f4b3553e9be58bdbdd75d9ecf63f6380faad73d512023bc7355e58931bcb47178046e302

  • SSDEEP

    768:qG9asa0h+BjfPK+fNXQhZUQdOPYVVv6Or90T51SQ/I:b9asKBD/fNQ/Dp6Oh0TfzI

  Score

  10^/10

  remcosremotehostcollectioncredential_accessdiscoveryevasionexecutionratstealertrojan

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Remcos family

    remcos

  • UAC bypass

    evasiontrojan

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Blocklisted process makes network request

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts

    collection

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2