Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe

Overview

General Information

Sample name:17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe
Analysis ID:1536899
MD5:1cf5143564277a72e31a37c151784049
SHA1:9189c10ece73c7a9b431fdbe92329a1abfb5845b
SHA256:c9079f723c036ba26ac4570140e324a3a2520f3d190aa9907a8f82e39a39765a
Tags:base64-decodedexeuser-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

Detection

Remcos
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected Keylogger Generic
Yara signature match

Classification

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exeJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
    17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exeJoeSecurity_RemcosYara detected Remcos RATJoe Security
      17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exeJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
        17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exeWindows_Trojan_Remcos_b296e965unknownunknown
        • 0x71a7b:$a1: Remcos restarted by watchdog!
        • 0x71ff3:$a3: %02i:%02i:%02i:%03i
        17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exeREMCOS_RAT_variantsunknownunknown
        • 0x6b817:$str_a1: C:\Windows\System32\cmd.exe
        • 0x6b793:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x6b793:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x6bc93:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x6c4c3:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6b887:$str_b2: Executing file:
        • 0x6c919:$str_b3: GetDirectListeningPort
        • 0x6c2b3:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x6c433:$str_b7: \update.vbs
        • 0x6b8af:$str_b9: Downloaded file:
        • 0x6b89b:$str_b10: Downloading file:
        • 0x6b93f:$str_b12: Failed to upload file:
        • 0x6c8e1:$str_b13: StartForward
        • 0x6c901:$str_b14: StopForward
        • 0x6c38b:$str_b15: fso.DeleteFile "
        • 0x6c31f:$str_b16: On Error Resume Next
        • 0x6c3bb:$str_b17: fso.DeleteFolder "
        • 0x6b92f:$str_b18: Uploaded file:
        • 0x6b8ef:$str_b19: Unable to delete:
        • 0x6c353:$str_b20: while fso.FileExists("
        • 0x6bdcc:$str_c0: [Firefox StoredLogins not found]
        Click to see the 1 entries

        Sigma Signatures

        No Sigma rule has matched

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe, type: SAMPLE
        Source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exeBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_d98a9372-9

        Exploits

        barindex
        Yara detected UAC Bypass using CMSTP
        Source: Yara matchFile source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe, type: SAMPLE
        Source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exeString found in binary or memory: http://geoplugin.net/json.gp/C
        Source: Yara matchFile source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe, type: SAMPLE

        E-Banking Fraud

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe, type: SAMPLE

        System Summary

        barindex
        Malicious sample detected (through community Yara rule)
        Source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe, type: SAMPLEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: classification engineClassification label: mal64.troj.expl.winEXE@0/0@0/0

        Stealing of Sensitive Information

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe, type: SAMPLE

        Remote Access Functionality

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe, type: SAMPLE

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping1
        System Information Discovery        		Remote Services1
        Archive Collected Data        		Data ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        No Antivirus matches

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        http://geoplugin.net/json.gp/C0%URL Reputationsafe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://geoplugin.net/json.gp/C17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exefalse
        • URL Reputation: safe
        		unknown

        World Map of Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1536899
        Start date and time:2024-10-18 11:11:06 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 1m 28s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:1
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe
        Detection:MAL
        Classification:mal64.troj.expl.winEXE@0/0@0/0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Unable to launch sample, stop analysis

        Errors

        • No process behavior to analyse as no analysis process or sample was found
        • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

        Warnings

        • Exclude process from analysis (whitelisted): dllhost.exe
        • VT rate limit hit for: 17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe

        Simulations

        Behavior and APIs

        No simulations

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        No created / dropped files found

        Static File Info

        General

        File type:MS-DOS executable
        Entropy (8bit):6.6780414290678705
        TrID:
        • Generic Win/DOS Executable (2004/3) 49.94%
        • DOS Executable Generic (2002/1) 49.89%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.17%
        File name:17292426117520cd75b25a51ebefb218dbc2b7cacb3aeee4de01b54e2c5e515ed5641e70f9435.dat-decoded.exe
        File size:525'228 bytes
        MD5:1cf5143564277a72e31a37c151784049
        SHA1:9189c10ece73c7a9b431fdbe92329a1abfb5845b
        SHA256:c9079f723c036ba26ac4570140e324a3a2520f3d190aa9907a8f82e39a39765a
        SHA512:2278a0c31b5d45eff4d9fe3477b54f4dd64f4e2d14b174a358af8d5beeaba60afccbb0666825b1bb32416d4cc5227d189928d640f51c4ec4f6b59d317e2ee91c
        SSDEEP:12288:RCYR/tGm3Wh/MnWXCVpPKt1udWhrLR73:l/Em3Wh/MnLVpPKtiWhn
        TLSH:40B47C11AA91C071E8F71E300E3AEA72FAB6BC5015214C7B77DD0CBABD715407A25EE6
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..C.:...'~[..~..%C.:....~..$~V..C.:.AbR~I..~...C.:.J..~.D..R..C.:..D..r..~.D..j..~AbE~Q..C.:.H..~v..~.D..,..~.D)~I

        File Icon

        Icon Hash:00928e8e8686b000

        Network Behavior

        No network behavior found

        Statistics

        No statistics

        System Behavior

        No system behavior

        Disassembly

        No disassembly