General

  • Target

    INVSO269936_pdf.rar

  • Size

    18KB

  • Sample

    250207-jpvn7stray

  • MD5

    67a83e4846b85d00f7f5d23908202e62

  • SHA1

    d5af0db5b67df71393ffaf460de344fc1556dd3b

  • SHA256

    6f2e2c1986b6dd76cad9368a7da92ae8f4b8f6118ee56fcd22287b9e5fc2c95a

  • SHA512

    ee756f823fd616e5c04f104e06d3adb56f512643613fdfcba69c6bbd9c2c6ba1db46d487c9e53e90aef3cb666c37f6e5d77222eb4334048bd80fec7f2bf2d1da

  • SSDEEP

    384:IELNEo+kFkTFkhZF5SabULGEnHEeRevymnhKttyToKQNcD0AgfwnZW:IELNEvkyT0V9gBEvymhJToKAcXgfiW

Malware Config

Extracted

Family

remcos

Botnet

svc

C2

meme7.work.gd:3124

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    svchost

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    smss

  • mouse_option

    false

  • mutex

    meme-ZPFPWZ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    svc

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      INVSO269936_pdf.vbs

    • Size

      190KB

    • MD5

      507901780438f38bcd55386972a90f44

    • SHA1

      22c5a6d3df6cbc78303a3309c0859bc1a080f7e9

    • SHA256

      31b4230ab0b1e15b55948c13c881ac07627b49cbf2cddd29bef7e527536896b4

    • SHA512

      cb4ca4683ff1a9288dbf2f7851044a8df3ee471852f94cf2279e6a364fca599def444292dac5e84b96e46800b00815561a1e37ab8f2d16de03c5ce56ddea7b33

    • SSDEEP

      3072:mV5VjCwpL15Yhn/Ui59Ymd95DnpTkwKxWccMF+:mV5Vq59Ymd1

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks