Windows Analysis Report
17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe

Overview

General Information

Sample name: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe
Analysis ID: 1525924
MD5: 39a2c03577bd725d8511c986c255a93b
SHA1: 1de6d6b8d5be2a809e3b9b423b732916d6fac653
SHA256: 9b100312739e9f463f97d8c2732363f2cc77235432d9ffe25fb98c7484890b24
Tags: base64-decoded, exe, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

Detection

Remcos
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: Yara match File source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE
Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_5b9314c3-7

Exploits

Source: Yara match File source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE
Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Yara match File source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE

E-Banking Fraud

Source: Yara match File source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE

System Summary

Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine Classification label: mal64.troj.expl.winEXE@0/0@0/0

Stealing of Sensitive Information

Source: Yara match File source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE
No contacted IP infos