General
Target: b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6.vbs
Size: 187KB
Sample: 240626-bxj9fayhpj
MD5: 71e6ad71e4958df129a87422066d1be1
SHA1: 75e5f0176d44782d874e74411d72ec5dbe86660c
SHA256: b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6
SHA512: c6217bdc6b15046be438f7367c28b4a1dded02181a0e0579ceba297b0e4cdf4b7256b0ed1e8cada6cb3555bd344d739b166b269b68a05f2e6c391d997b1d7832
SSDEEP: 3072:fmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZV:f08GxbKja3+DCbKCvBB/WnHXC/sLJFJ4
Static task: static1
Behavioral task: behavioral1
Sample: b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6.vbs
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6.vbs
Resource: win10v2004-20240508-en
Malware Config
Extracted
remcos
TOMATO
iwarsut775laudrye2.duckdns.org:57484
iwarsut775laudrye2.duckdns.org:57483
iwarsut775laudrye3.duckdns.org:57484
hjnourt38haoust1.duckdns.org:57484
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: sfvnspt.dat
keylog_flag: false
keylog_path: %AppData%
mouse_option: false
mutex: shietgtst-DCUF1K
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value:
take_screenshot_option: false
take_screenshot_time: 5
Targets
NirSoft MailPassView: Password recovery tool for various email clients
NirSoft WebBrowserPassView: Password recovery tool for various web browsers
Nirsoft
Blocklisted process makes network request
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext