General
Target: 30112024_0348__89004161-000002102-66_20241128pdf.vbs.zip
Size: 19KB
Sample: 241130-nfmpfssmhx
MD5: cc231be3ce4a2c607b3161bff7ec88b0
SHA1: 0b31aaff49de78dd131a44a7aaaffe37cce5384e
SHA256: 1fc6fbf92722053225d14b53d960a903f9ff7b1cf4bb2f626634af38f31d333c
SHA512: 54b44c917714f1a1713723cec1f6a766eba35be2e31f048b8fe17adb2dfd93ff68f4c37ca0a5a59cdf3fcfded8b49e22e4bc50893557ad5f969636b3baa1ee50
SSDEEP: 384:kYrxHAkWSLRGiYvuOcw1Ps39ZevDRs4I5YTWe4d21GgsFyp7WqlsxcFIyCaN:lhAZSLVY40Ps3Dc99I5Q10FQaEs+rN
Static task: static1
Behavioral task: behavioral1
Sample: 證據_89004161-000002102-66_20241128·pdf.vbs
Resource: win7-20240903-en
Malware Config
Extracted: remcos
RemoteHost: 8766e34g8.duckdns.org:3782
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-93TSMD
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: 證據_89004161-000002102-66_20241128·pdf.vbs (證據 means "Evidence"; the middle dot before "pdf" imitates a .pdf extension, but the file is a VBScript)
Size: 33KB
MD5: b87c82bba48c44f8fc387ecd6100ff0e
SHA1: 2cdcb7b8b4f5a8b0501a121b6b4264aa7c6b2f57
SHA256: 20100ee5a74b50849ea1a00363a6751320c9aab43ba31859f79147af1b56b509
SHA512: 442d105706dcc997c39a141d7a944bbb961e8948d15caee81814f1a6d6245e46b00bf98e893c1623bd92b12b1ac440432fd26f4fd9166c5ffea8ac9a575af189
SSDEEP: 768:5KSasMUqkx36r142byXNoPNhZqpCtHki2ynMVVX09rkFJC:ISas/RF6hWyPN/MbZ09oFM
Signatures
- Remcos family
- Blocklisted process makes network request
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2 (the C2 host is a duckdns.org dynamic-DNS name)
- System Binary Proxy Execution: Verclsid (ATT&CK T1218.012)
  Adversaries may abuse verclsid.exe, a signed Windows binary that validates shell extension CLSIDs before Explorer loads them, to proxy execution of malicious code under a trusted process name.
- Suspicious use of NtCreateThreadExHideFromDebugger (a thread created with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, so an attached debugger receives no events for it)
- Suspicious use of NtSetInformationThreadHideFromDebugger (NtSetInformationThread with the ThreadHideFromDebugger class, an anti-debugging technique that hides the calling thread from an attached debugger)
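The signatures above translate directly into host-based detection logic. The following is an added example, not part of the sandbox report or of any vendor's rule set: it runs the reported behaviours (a script host launching verclsid.exe, a Run key write, a dynamic-DNS lookup and a connection to the extracted C2 host and port) as rules over constructed Sysmon-style telemetry. The C2 host and port come from the extracted configuration; the event layout, the process lineage (wscript.exe as parent of verclsid.exe) and the Run value name are assumptions made for the example.

```python
"""Detection of the behaviours reported for this Remcos sample.

Added example, not part of the sandbox report. Only the C2 host/port and the
signature names come from the report; the event layout, the process lineage
and the Run value name are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Indicators taken from the report above.
C2_HOST = "8766e34g8.duckdns.org"
C2_PORT = 3782

# Assumption: the .vbs lure runs under the Windows Script Host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# "Legitimate hosting services abused" is, for this sample, a dynamic-DNS provider.
DYNDNS_SUFFIXES = (".duckdns.org",)
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"


@dataclass
class Event:
    kind: str           # "process", "registry", "dns" or "network"
    image: str          # full path of the acting process
    parent: str = ""    # parent image (process events only)
    target: str = ""    # registry value path, queried name or host:port


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (rule name, event) pairs for events matching the report's signatures."""
    hits = []
    for e in events:
        img, parent = _basename(e.image), _basename(e.parent)
        tgt = e.target.lower()
        if e.kind == "process" and img == "verclsid.exe" and parent in SCRIPT_HOSTS:
            # T1218.012: a signed system binary launched by a script host.
            hits.append(("T1218.012 verclsid proxy execution", e))
        elif (e.kind == "registry" and RUN_KEY_FRAGMENT in tgt
              and img in SCRIPT_HOSTS | {"verclsid.exe"}):
            # "Adds Run key to start application", written by an unusual process.
            hits.append(("T1547.001 Run key persistence", e))
        elif e.kind == "dns" and tgt.endswith(DYNDNS_SUFFIXES):
            hits.append(("dynamic DNS lookup", e))
        elif e.kind == "network" and tgt == f"{C2_HOST}:{C2_PORT}":
            hits.append(("Remcos C2 connection", e))
    return hits


# Constructed telemetry for the example; not taken from the report.
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    Event("process", SYS32 + "wscript.exe", "C:\\Windows\\explorer.exe"),
    Event("process", SYS32 + "verclsid.exe", SYS32 + "wscript.exe"),
    Event("registry", SYS32 + "wscript.exe",
          target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Remcos"),
    Event("dns", SYS32 + "verclsid.exe", target=C2_HOST),
    Event("network", SYS32 + "verclsid.exe", target=f"{C2_HOST}:{C2_PORT}"),
    # Benign noise that must not match.
    Event("process", SYS32 + "svchost.exe", SYS32 + "services.exe"),
    Event("dns", "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
          target="www.mozilla.org"),
    Event("registry", SYS32 + "msiexec.exe",
          target="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule:38s} {ev.kind:8s} {_basename(ev.image)} -> {ev.target or ev.parent}")
```

Run stand-alone, the script reports four hits and ignores the three benign events. The Run key rule keys on the writing process rather than on the value name because the value name is configurable (copy_folder and copy_file in the extracted config), while a script host writing under CurrentVersion\Run is unusual regardless of what it names the entry.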