General
-
Target
Bunker_STS_pdf.vbs
-
Size
13KB
-
Sample
241209-gjd36aznhs
-
MD5
5773cb94663b755bd1894b40d8c09abb
-
SHA1
a8f0eeedee12422917be79af4218d6bb12f2d961
-
SHA256
36b0e1a17b7854904b1e3b3bdd16d94599fd7f3d54dc6fd4250409c737740171
-
SHA512
d9f6df51417f72069abbc68c837249837185d96cd0b5eb3eae0c836882c5a764a56566dac33012a5fa4cafcb48b97965835816cdfea6c2d94441ec6670b9fa2d
-
SSDEEP
192:i+twG5TbOTOPDudut5SrhVCEWEkgfH/QYawbIuhKavkpavzesmGKnv2Yng6:iI5TQOPDuI5SPLHI9GvkpLs0vVx
Static task
static1
Behavioral task
behavioral1
Sample
Bunker_STS_pdf.vbs
Resource
win7-20240903-en
Malware Config
Extracted
remcos
RemoteHost
154.216.18.214:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-AOD6MB
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
Bunker_STS_pdf.vbs
-
Size
13KB
-
MD5
5773cb94663b755bd1894b40d8c09abb
-
SHA1
a8f0eeedee12422917be79af4218d6bb12f2d961
-
SHA256
36b0e1a17b7854904b1e3b3bdd16d94599fd7f3d54dc6fd4250409c737740171
-
SHA512
d9f6df51417f72069abbc68c837249837185d96cd0b5eb3eae0c836882c5a764a56566dac33012a5fa4cafcb48b97965835816cdfea6c2d94441ec6670b9fa2d
-
SSDEEP
192:i+twG5TbOTOPDudut5SrhVCEWEkgfH/QYawbIuhKavkpavzesmGKnv2Yng6:iI5TQOPDuI5SPLHI9GvkpLs0vVx
Score10/10-
Remcos family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook accounts
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-