
Windows Analysis Report
17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe

Overview

General Information

Sample name:17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe
Analysis ID:1525924
MD5:39a2c03577bd725d8511c986c255a93b
SHA1:1de6d6b8d5be2a809e3b9b423b732916d6fac653
SHA256:9b100312739e9f463f97d8c2732363f2cc77235432d9ffe25fb98c7484890b24
Tags:base64-decoded, exe, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

Detection

Remcos
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):
Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Author: unknown, Strings:
        • 0x71a7b:$a1: Remcos restarted by watchdog!
        • 0x71ff3:$a3: %02i:%02i:%02i:%03i
        Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown, Strings:
        • 0x6b817:$str_a1: C:\Windows\System32\cmd.exe
        • 0x6b793:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x6b793:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x6bc93:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x6c4c3:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6b887:$str_b2: Executing file:
        • 0x6c919:$str_b3: GetDirectListeningPort
        • 0x6c2b3:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x6c433:$str_b7: \update.vbs
        • 0x6b8af:$str_b9: Downloaded file:
        • 0x6b89b:$str_b10: Downloading file:
        • 0x6b93f:$str_b12: Failed to upload file:
        • 0x6c8e1:$str_b13: StartForward
        • 0x6c901:$str_b14: StopForward
        • 0x6c38b:$str_b15: fso.DeleteFile "
        • 0x6c31f:$str_b16: On Error Resume Next
        • 0x6c3bb:$str_b17: fso.DeleteFolder "
        • 0x6b92f:$str_b18: Uploaded file:
        • 0x6b8ef:$str_b19: Unable to delete:
        • 0x6c353:$str_b20: while fso.FileExists("
        • 0x6bdcc:$str_c0: [Firefox StoredLogins not found]
        No Sigma rule has matched
        No Suricata rule has matched

        AV Detection

        Source: Yara match, File source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE
        Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_5b9314c3-7)

        Exploits

        Source: Yara match, File source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE
        Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, String found in binary or memory: http://geoplugin.net/json.gp/C
        Source: Yara match, File source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE

        E-Banking Fraud

        Source: Yara match, File source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE

        System Summary

        Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE, Matched rule: REMCOS_RAT_variants Author: unknown
        Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: classification engine, Classification label: mal64.troj.expl.winEXE@0/0@0/0

        Stealing of Sensitive Information

        Source: Yara match, File source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE

        Remote Access Functionality

        Source: Yara match, File source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, type: SAMPLE

        MITRE ATT&CK Matrix (Tactic: Technique)
        • Reconnaissance: Gather Victim Identity Information
        • Resource Development: Acquire Infrastructure
        • Initial Access: Valid Accounts
        • Execution: Windows Management Instrumentation
        • Persistence: Path Interception
        • Privilege Escalation: Path Interception
        • Defense Evasion: Direct Volume Access
        • Credential Access: OS Credential Dumping (1)
        • Discovery: System Information Discovery
        • Lateral Movement: Remote Services (1)
        • Collection: Archive Collected Data
        • Command and Control: Data Obfuscation
        • Exfiltration: Exfiltration Over Other Network Medium
        • Impact: Abuse Accessibility Features
        Antivirus detection (Source / Detection / Scanner / Label / Link):
        Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, Detection: 5%, Scanner: ReversingLabs
        No Antivirus matches
        URL detection (Source / Detection / Scanner / Label / Link):
        Source: http://geoplugin.net/json.gp/C, Detection: 0%, Scanner: URL Reputation, Label: safe
        No contacted domains info
        Contacted URLs (Name / Source / Malicious / Antivirus Detection / Reputation):
        Name: http://geoplugin.net/json.gp/C, Source: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe, Malicious: false, Antivirus Detection: URL Reputation: safe, Reputation: unknown
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1525924
        Start date and time:2024-10-04 16:39:16 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 1m 36s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed:4
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe
        Detection:MAL
        Classification:mal64.troj.expl.winEXE@0/0@0/0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Unable to launch sample, stop analysis
        • No process behavior to analyse as no analysis process or sample was found
        • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.
        • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, time.windows.com
        • VT rate limit hit for: 17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe
        No simulations
        No context
        No created / dropped files found
        File type:MS-DOS executable
        Entropy (8bit):6.678094598264772
        TrID:
        • Generic Win/DOS Executable (2004/3) 49.94%
        • DOS Executable Generic (2002/1) 49.89%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.17%
        File name:17280510148770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5218.dat-decoded.exe
        File size:525'264 bytes
        MD5:39a2c03577bd725d8511c986c255a93b
        SHA1:1de6d6b8d5be2a809e3b9b423b732916d6fac653
        SHA256:9b100312739e9f463f97d8c2732363f2cc77235432d9ffe25fb98c7484890b24
        SHA512:d5d5116e64de2e6959525021f081dd133004ea991e3c0913469a6d091bed074227237dafffe7e047b003fb0f365a56ad2b405225546ee28e2b22c5573c385c29
        SSDEEP:12288:VCYR/tGm3Wh/MnWXCVpPKt1udWhxbV73:h/Em3Wh/MnLVpPKtiWhJ
        TLSH:36B47C11AA91C071E8F71E300E3AEE72FAB6BC5015214C6B77DD0CBABD715407A25EE6
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..C.:...'~[..~..%C.:....~..$~V..C.:.AbR~I..~...C.:.J..~.D..R..C.:..D..r..~.D..j..~AbE~Q..C.:.H..~v..~.D..,..~.D)~I
        Icon Hash:00928e8e8686b000
        No network behavior found
        No statistics
        No system behavior
        No disassembly