Order29349.vbs

Status: finished
Submission Time: 2025-02-06 07:52:20 +01:00
Malicious
Trojan
Spyware
Exploiter
Evader
Remcos

Comments

Tags

  • RAT
  • RemcosRAT
  • vbs

Details

  • Analysis ID:
    1608039
  • API (Web) ID:
    1608039
  • Analysis Started:
    2025-02-06 07:52:26 +01:00
  • Analysis Finished:
    2025-02-06 08:04:44 +01:00
  • MD5:
    c81780ab687d23b2f6209af3c662face
  • SHA1:
    3f19d4d38aa2e90229df2c82f3b0e3d1d063e5a3
  • SHA256:
    b516f0a750847a01c97cad8d7d50742d27e9c9cfc9c70de03bfd70bcabc500a0
  • Technologies:

Joe Sandbox

  • Detection:
    malicious
  • Score:
    100
  • System:
    Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious
Score: 14/60
malicious
Score: 5/38

IPs

IP (Country)

  • 37.120.208.40
    Romania
  • 168.119.145.117
    Germany
  • 178.237.33.50
    Netherlands

Domains

Name (resolved IP)

  • abokirem.duckdns.org
    37.120.208.40
  • geoplugin.net
    178.237.33.50
  • 0x0.st
    168.119.145.117

URLs


Dropped files

Name (file type)

  • C:\ProgramData\remcos\logs.dat
    data
  • C:\Users\user\AppData\Local\Temp\5hSScoL6.bat
    ASCII text, with very long lines (57555), with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\uimozbywyauabvlhij
    Unicode text, UTF-16, little-endian text, with no line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e666ae27.cmd
    ASCII text, with very long lines (57555), with CRLF line terminators