General
Target: 11122024_1242_DHL__WB1391078651DutyInvoice_pdf.vbs.gz
Size: 56KB
Sample: 241211-p8epzstlct
MD5: 5167727c227ae0ca2b9b664a6747cddb
SHA1: 318d1a219c08b49c69d3ebb6b08052a9ee72140a
SHA256: de75cc32ecf78278545898dcaef4146a260025f731da74ca01496e449be7a971
SHA512: 954b0eb1cc3c8fe6117b2919534a41bb769613d6ebad4b3f349c86fe9866b14aef75f2a2adb1b70b7764030db8978b56a63c3540db2c029b324f61a869a34e95
SSDEEP: 1536:dlQYx/YD96BiXnCWCb2H+nN2o9UF6rEGXBrFDz:bP/KE8ZCb288FsRFz
Static task: static1
Behavioral task: behavioral1
Sample: DHL__WB 1391078651 & Duty Invoice_pdf.vbs
Resource: win7-20240729-en
Malware Config
Extracted:
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20
Extracted:
remcos
ood
goody.work.gd:4173
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: vlc
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: ios
mouse_option: false
mutex: gig-R8G1B2
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: sos
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: DHL__WB 1391078651 & Duty Invoice_pdf.vbs
Size: 151KB
MD5: ff8212965e057afb4e0946517ec05f68
SHA1: 3d1e2b49c8d6c57e08bfbd00a83ca1404af9dca4
SHA256: d17e5a5ff4aa847109dbd63cd69ffbb6d6dd85c6578c58da91b1656e6641b8c1
SHA512: 1581ebef93d2fcf133f7367552b725e3d67340b26c163878ee744a1fe7b263b74c6ae4112e12d63e73557cab3d569986a5a3cd2eeb06f1a3b6a6c14557ef1229
SSDEEP: 3072:qYf8nkleSrzLv/Iu6KjrCuvYf8nkleSrzLv/Iu6oYf8nkleSrzLv/Iu6c:qYf8nMZP/Iu6UYf8nMZP/Iu6oYf8nMZB
- Remcos family
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Suspicious use of SetThreadContext