Extracted

• • Target

    Teufelberger,pdf.vbs

  • Size

    565KB

  • MD5

    9b98d98f1219f50085218002b9d6d13e

  • SHA1

    98f7f59822afb1b87f7d5308f07fcfb54fc3c970

  • SHA256

    01ed509842998f2309e2aa5ff2aaba7f12fec0e25c7a7a6f01d5d672c6a06363

  • SHA512

    3fff27a5923af1d7834aa193602bd5231b2f0c0e498d5f87ed232602ef9c61c19a5a8cc11ae7df7b0576169d363c00b7ded0bcd5c980198b60bef56d5554027b

  • SSDEEP

    12288:pJrrbl3eNvxisBksII3s+ngAHjQVbF7ywmL/KSapUd:Ld3eBweII3e+kxpBpS

  Score

  10^/10

  discoveryremcosabokiadwareexecutionpersistenceprivilege_escalationratstealer

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

  • Remcos family

    remcos

  • Blocklisted process makes network request

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • .NET Reactor proctector

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Drops file in System32 directory

  behavioral1behavioral2