Threat Report
Tags
Common Information
| Type | Value |
|---|---|
| UUID | e15cf832-b921-42ed-bf0b-e9abd69502e9 |
| Fingerprint | ac2e1183391467c6 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Aug. 3, 2010, midnight |
| Added to db | Sept. 26, 2022, 9:33 a.m. |
| Last updated | Nov. 17, 2024, 6:54 p.m. |
| Headline | Formbook and Remcos Backdoor RAT |
| Title | Threat Report |
| Detected Hints/Tags/Attributes | 61/3/54 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://www.connectwise.com/resources/formbook-remcos-rat |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 23 | pdf-parser.py |
|
| Details | Domain | 53 | oledump.py |
|
| Details | Domain | 9 | decalage.info |
|
| Details | Domain | 1 | shellcode.data |
|
| Details | Domain | 372 | wscript.shell |
|
| Details | Domain | 93 | bazaar.abuse.ch |
|
| Details | Domain | 3 | forensicitguy.github.io |
|
| Details | Domain | 604 | www.trendmicro.com |
|
| Details | File | 1 | safari.pdf |
|
| Details | File | 70 | vbc.exe |
|
| Details | File | 1 | periodicity.dll |
|
| Details | File | 22 | pdf-parser.py |
|
| Details | File | 49 | oledump.py |
|
| Details | File | 1 | safari.raw |
|
| Details | File | 12 | decalage.inf |
|
| Details | File | 9 | oleobject1.bin |
|
| Details | File | 1 | shellcode.dat |
|
| Details | File | 2 | %public%\vbc.exe |
|
| Details | File | 2 | c:\users\public\vbc.exe |
|
| Details | File | 9 | dump.exe |
|
| Details | File | 1 | iys.exe |
|
| Details | File | 1 | c:\users\ieuser\downloads\sharpdllloader-master\sharpdllloader\bin\release\sharpdllloader.exe |
|
| Details | File | 1 | c:\users\ieuser\desktop\dump.dll |
|
| Details | File | 376 | wscript.exe |
|
| Details | File | 30 | c:\windows\system32\wscript.exe |
|
| Details | File | 1 | c:\users\ieuser\appdata\local\temp\install.vbs |
|
| Details | File | 1 | c:\users\ieuser\desktop\install.vbs |
|
| Details | File | 8 | install.vbs |
|
| Details | File | 1 | c:\users\ieuser\appdata\roaming\iys.exe |
|
| Details | File | 1 | %appdata%\roaming\iys.exe |
|
| Details | File | 1 | c:\users\ieuser\appdata\roaming\logs.dat |
|
| Details | File | 1 | %appdata%\local\temp\install.vbs |
|
| Details | md5 | 1 | d75ea3de2ad117e4485816ef2a4a46f1 |
|
| Details | md5 | 1 | D75EA3DE2AD117E4485816EF2A4A46F1 |
|
| Details | sha256 | 1 | d1c2cc0ca653df8ddb46c1337a5972eaceb81ea924e8ebdb7af0699a7ab909fd |
|
| Details | sha256 | 1 | 5d17b63fe99f0608c79129a296bba3af7c8dcfe17913f93ce67dbda376f6987c |
|
| Details | sha256 | 1 | 25672487eb5df23ce72e6ea101ef4047c1407cb0dcb25e59486f125763a9f69d |
|
| Details | sha256 | 1 | e1192a47786ea37fd75864d7b8b9a049b4ab72bad852b052318f863713bc97d7 |
|
| Details | sha256 | 1 | dac51b15136081c2540d2c4c16372668e5e54c89d233e8b30faaabf7c901bc84 |
|
| Details | sha256 | 1 | 490a432a796c670a8eb7b93ee1710eb023ab12fcebc7a7225c4d7b030330abb8 |
|
| Details | IPv4 | 1 | 185.239.243.122 |
|
| Details | IPv4 | 1 | 62.197.136.86 |
|
| Details | IPv4 | 7 | 178.237.33.50 |
|
| Details | Url | 7 | http://decalage.info/python/oletools |
|
| Details | Url | 1 | http://185.239.243.122/421/vbc.exe |
|
| Details | Url | 1 | https://bazaar.abuse.ch/sample/d1c2cc0ca653df8ddb46c1337a5972eaceb81ea924e8ebdb7af0699a7ab909fd |
|
| Details | Url | 1 | https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet |
|
| Details | Url | 1 | https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/backdoor.win32.remcos.usmaneaggk |
|
| Details | Windows Registry Key | 164 | HKLM\SOFTWARE\Microsoft\Windows |
|
| Details | Windows Registry Key | 1 | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gtr |
|
| Details | Windows Registry Key | 1 | HKCU\Software\Remcos-KO7WBT |
|
| Details | Windows Registry Key | 1 | HKCU\Software\Remcos-KO7WBT\exepath |
|
| Details | Windows Registry Key | 1 | HKCU\Software\Remcos-KO7WBT\licence |
|
| Details | Windows Registry Key | 31 | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet |