General

  • Target

    d7f59bea63a8e6118ebd5e6c116235d2f4aca892952b85c4c93ac863ce7e84d6

  • Size

    10KB

  • Sample

    241209-zbwbksvqdj

  • MD5

    ed0b8acc0e141685b30c95fb2f07b998

  • SHA1

    427d0e67b463870717488030699e2e6a24145f0b

  • SHA256

    d7f59bea63a8e6118ebd5e6c116235d2f4aca892952b85c4c93ac863ce7e84d6

  • SHA512

    12b28744e83d34411c56985dbeae5791bdfecf865dbd3294581426841352aeb12737b8cbc4d45ad9b79be048ab5c164e78e63414c6f83489ed8c85b543e176c2

  • SSDEEP

    192:XyZ4Q4m3HIOzaxUKP+hxiLLuZ5E8R/lWdAKACqTl8yINzK/5DfzLp/EpIdqFea:g4QZ3IO0Ulf5N/4AK9qT8NajyWA

Malware Config

Extracted

Family

remcos

Botnet

Valdo

C2

janout21oadsts1.duckdns.org:57484

janout21oadsts1.duckdns.org:57483

janout21oadsts2.duckdns.org:57484

janout21oadsts3.duckdns.org:57484

janout21oadsts4.duckdns.org:57484

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    amaonspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    lmoijuetgtso-Y2NXRF

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Rfq_po_december_purchase_list_details_specifications_09_12_2024_0000000000.vbs

    • Size

      34KB

    • MD5

      429fa2fac12973a50fbd8e41998e6c8b

    • SHA1

      774c2fe5f115156eefd125497da2e14f4e4ae001

    • SHA256

      457b79bd32d44957c1e9608f1ff2d2b5a38244beb2c1234356b568c5a3cd5f9a

    • SHA512

      65324b5653bf5e255b029e296cfc78f4fa07757adfa0b09d50ff12d7b70cd68980bfb88ebc916cf480c656132193ac84061ee393b0ae11f1e25a1635ab21367e

    • SSDEEP

      384:y4TN2uK4JSWDatgGQjwFzpOHCAxQzkmXXM3veQ:zTN2uK4JxDatgbjwFp6zxW+mQ

    • Remcos

      Remcos is closed-source remote-control and surveillance software.

    • Remcos family

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can recover passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks