Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe

Overview

General Information

Sample name:1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe
Analysis ID:1536969
MD5:4a178df0fcf3b232e30a5b9067dce691
SHA1:91fdf0acc3ba355aef7ab562cbc323e5419a611c
SHA256:90c06069a6d8c7cc9faea0709af27ee0d7e6c8dedfb352b9bc16493034e5a29e
Tags:base64-decodedexeuser-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

Detection

Remcos
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected Keylogger Generic
Yara signature match

Classification

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exeJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
    1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exeJoeSecurity_RemcosYara detected Remcos RATJoe Security
      1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exeJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
        1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exeWindows_Trojan_Remcos_b296e965unknownunknown
        • 0x71a7b:$a1: Remcos restarted by watchdog!
        • 0x71ff3:$a3: %02i:%02i:%02i:%03i
        1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exeREMCOS_RAT_variantsunknownunknown
        • 0x6b817:$str_a1: C:\Windows\System32\cmd.exe
        • 0x6b793:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x6b793:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x6bc93:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x6c4c3:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6b887:$str_b2: Executing file:
        • 0x6c919:$str_b3: GetDirectListeningPort
        • 0x6c2b3:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x6c433:$str_b7: \update.vbs
        • 0x6b8af:$str_b9: Downloaded file:
        • 0x6b89b:$str_b10: Downloading file:
        • 0x6b93f:$str_b12: Failed to upload file:
        • 0x6c8e1:$str_b13: StartForward
        • 0x6c901:$str_b14: StopForward
        • 0x6c38b:$str_b15: fso.DeleteFile "
        • 0x6c31f:$str_b16: On Error Resume Next
        • 0x6c3bb:$str_b17: fso.DeleteFolder "
        • 0x6b92f:$str_b18: Uploaded file:
        • 0x6b8ef:$str_b19: Unable to delete:
        • 0x6c353:$str_b20: while fso.FileExists("
        • 0x6bdcc:$str_c0: [Firefox StoredLogins not found]
        Click to see the 1 entries

        Sigma Signatures

        No Sigma rule has matched

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe, type: SAMPLE
        Source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exeBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_4458f5c3-c

        Exploits

        barindex
        Yara detected UAC Bypass using CMSTP
        Source: Yara matchFile source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe, type: SAMPLE
        Source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exeString found in binary or memory: http://geoplugin.net/json.gp/C
        Source: Yara matchFile source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe, type: SAMPLE

        E-Banking Fraud

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe, type: SAMPLE

        System Summary

        barindex
        Malicious sample detected (through community Yara rule)
        Source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe, type: SAMPLEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: classification engineClassification label: mal64.troj.expl.winEXE@0/0@0/0

        Stealing of Sensitive Information

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe, type: SAMPLE

        Remote Access Functionality

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe, type: SAMPLE

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping1
        System Information Discovery        		Remote Services1
        Archive Collected Data        		Data ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        No Antivirus matches

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        http://geoplugin.net/json.gp/C0%URL Reputationsafe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://geoplugin.net/json.gp/C1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exefalse
        • URL Reputation: safe
        		unknown

        World Map of Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1536969
        Start date and time:2024-10-18 13:00:10 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 1m 23s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:0
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe
        Detection:MAL
        Classification:mal64.troj.expl.winEXE@0/0@0/0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Unable to launch sample, stop analysis

        Errors

        • No process behavior to analyse as no analysis process or sample was found
        • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

        Warnings

        • VT rate limit hit for: 1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe

        Simulations

        Behavior and APIs

        No simulations

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        No created / dropped files found

        Static File Info

        General

        File type:MS-DOS executable
        Entropy (8bit):6.6779474143399185
        TrID:
        • Generic Win/DOS Executable (2004/3) 49.94%
        • DOS Executable Generic (2002/1) 49.89%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.17%
        File name:1729249145127ccd5429d033dc60e2ce5d188721b7fc01a0339ffaeec81002d291fb9ffc68225.dat-decoded.exe
        File size:525'222 bytes
        MD5:4a178df0fcf3b232e30a5b9067dce691
        SHA1:91fdf0acc3ba355aef7ab562cbc323e5419a611c
        SHA256:90c06069a6d8c7cc9faea0709af27ee0d7e6c8dedfb352b9bc16493034e5a29e
        SHA512:4c1b512b6fd8b93feacf3a3f88435b9e1e44b400f4e857db9fbda8507a2095036170f4de1c89e847f1822519a7c9d9bb3619e3d308aeeb40c57408e4e8cf0c06
        SSDEEP:6144:B00WYfwq/LQIPFRGmj7WJr/iXn38dXeVVca6uvEuU+gt1u8Ah8hrZXbc638It3:BCYR/tGm3Wh/MnWXCVpPKt1udWhrr73
        TLSH:F0B47C11A692C071E8F71E300E3AEA72FAB6BC5015214C6B77DD0CBABD715407A25EE6
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..C.:...'~[..~..%C.:....~..$~V..C.:.AbR~I..~...C.:.J..~.D..R..C.:..D..r..~.D..j..~AbE~Q..C.:.H..~v..~.D..,..~.D)~I

        File Icon

        Icon Hash:90cececece8e8eb0

        Network Behavior

        No network behavior found

        Statistics

        No statistics

        System Behavior

        No system behavior

        Disassembly

        No disassembly