General

  • Target

    11122024_1242_DHL__WB1391078651DutyInvoice_pdf.vbs.gz

  • Size

    56KB

  • Sample

    241211-p8epzstlct

  • MD5

    5167727c227ae0ca2b9b664a6747cddb

  • SHA1

    318d1a219c08b49c69d3ebb6b08052a9ee72140a

  • SHA256

    de75cc32ecf78278545898dcaef4146a260025f731da74ca01496e449be7a971

  • SHA512

    954b0eb1cc3c8fe6117b2919534a41bb769613d6ebad4b3f349c86fe9866b14aef75f2a2adb1b70b7764030db8978b56a63c3540db2c029b324f61a869a34e95

  • SSDEEP

    1536:dlQYx/YD96BiXnCWCb2H+nN2o9UF6rEGXBrFDz:bP/KE8ZCb288FsRFz

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

exe.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

Extracted

Family

remcos

Botnet

ood

C2

goody.work.gd:4173

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    vlc

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    ios

  • mouse_option

    false

  • mutex

    gig-R8G1B2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    sos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      DHL__WB 1391078651 & Duty Invoice_pdf.vbs

    • Size

      151KB

    • MD5

      ff8212965e057afb4e0946517ec05f68

    • SHA1

      3d1e2b49c8d6c57e08bfbd00a83ca1404af9dca4

    • SHA256

      d17e5a5ff4aa847109dbd63cd69ffbb6d6dd85c6578c58da91b1656e6641b8c1

    • SHA512

      1581ebef93d2fcf133f7367552b725e3d67340b26c163878ee744a1fe7b263b74c6ae4112e12d63e73557cab3d569986a5a3cd2eeb06f1a3b6a6c14557ef1229

    • SSDEEP

      3072:qYf8nkleSrzLv/Iu6KjrCuvYf8nkleSrzLv/Iu6oYf8nkleSrzLv/Iu6c:qYf8nMZP/Iu6UYf8nMZP/Iu6oYf8nMZB

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks