Extracted

• • Target

    Document BT24·pdf.vbs

  • Size

    33KB

  • MD5

    b9d77e317447cf7b4fc1b538d04a35d7

  • SHA1

    4bfff79ba434d7c5a508f9ba2720f4ef47cfecec

  • SHA256

    1e74e14032fe7b84a6285d72cfea681f4ec1d0bffe896f02fac5f0c5e5b96060

  • SHA512

    9691361f42668c8dcf9764ac86ad355c5039ca927140ce732452cba7df12bad70ff46c87c54cd8ae6e6cf4673e3bc57894663c8b301f0e40344c0b21dab20ce7

  • SSDEEP

    768:EA9as2DrXeg09BTUUsKNq4Hm8hZn6TgXzwbVV+E2rEJ9YnCmw6fd:D9asyevU844HT/6azCkE2oJIu6d

  Score

  10^/10

  remcosremotehostdiscoverypersistenceratcollectioncredential_accessevasionstealertrojan

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Remcos family

    remcos

  • UAC bypass

    evasiontrojan

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Blocklisted process makes network request

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2