Field | Value
---|---
File name | 2.ps1
Full analysis | https://app.any.run/tasks/5e0482f0-dd5f-4ab6-903b-c1611f13f92c
Verdict | Malicious activity
Threats | Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively kept up to date, with updates coming out almost every single month.
Analysis date | January 20, 2022, 20:39:30
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/plain
File info | ASCII text, with very long lines, with CRLF line terminators
MD5 | FD854C4DE72CCA89BDA6EC7362CB8047
SHA1 | CBC87F189AD4FE16808C3B718720852A16437A2C
SHA256 | E219E04F6DDD3EA4A3C3F5DD9251D1E86EA820694246F7E73695427ECEF1E4D6
SSDEEP | 6144:wWHEnPX+KPg7Ppxbu9d6fnmDVR7YFNQ+UUXd2Jdf6KlPhkXsKwiQ/DaKLP50lu1J:y
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3052 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\2.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
3876 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 4.0.30319.34209 built by: FX452RTMGDR
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3052 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF193791.TMP | binary | CCFCF369F751CE8DA0370D84E52A7EED | 53922490C3F5A04667EC3605A01AF2A4F4F265782D1BCA519F63ACAD413F2ED9
3052 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | 446DD1CF97EABA21CF14D03AEBC79F27 | A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
3052 | powershell.exe | C:\Users\admin\AppData\Local\Temp\oslp5o4q.vyb.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3052 | powershell.exe | C:\Users\admin\AppData\Local\Temp\e0e22da2-dbf8-4303-b7f9-7620a5e9f357\AgileDotNetRT.dll | executable | 14FF402962AD21B78AE0B4C43CD1F194 | FB9646CB956945BDC503E69645F6B5316D3826B780D3C36738D6B944E884D15B
3052 | powershell.exe | C:\Users\admin\AppData\Local\Temp\fxdexqao.pyf.psm1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3052 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2F0HUFFJML0EUY20JRO1.temp | binary | 633630D4B472E897D6FE7BDB27290365 | 0598A41B7BB73CF24BBC7AA4D62A61997ACD589555C045DBFEE9D2F1E6008B32
3052 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 633630D4B472E897D6FE7BDB27290365 | 0598A41B7BB73CF24BBC7AA4D62A61997ACD589555C045DBFEE9D2F1E6008B32
3876 | RegAsm.exe | C:\Users\admin\AppData\Roaming\JANBUILD\logs.dat | binary | 644593583D2D646FB6C81798466601A1 | FD98767F454CCFAD549C31DEAD052D53781124917A4C83A52F379744BE1ECB82
3052 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ac5c1527-e43f-46b1-9587-143b0e06e0d9\AgileDotNetRT.dll | executable | 14FF402962AD21B78AE0B4C43CD1F194 | FB9646CB956945BDC503E69645F6B5316D3826B780D3C36738D6B944E884D15B
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3876 | RegAsm.exe | 103.231.91.59:39207 | saptransmissions.dvrlists.com | Intergrid Group Pty Ltd | AU | malicious
— | — | 103.231.91.59:39207 | saptransmissions.dvrlists.com | Intergrid Group Pty Ltd | AU | malicious
Domain | IP | Reputation
---|---|---
saptransmissions.dvrlists.com | | malicious
dns.msftncsi.com | | shared