Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe

Overview

General Information

Sample name:1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe
Analysis ID:1525933
MD5:c5a7a5eb2ce991a63285079c2edd4756
SHA1:e9ccdb0725ff52be8a95829aec3adb712896e665
SHA256:6fe8d5c41a41255c157055ce84de6edfa25a518c0224cd29eac442501bc6d482
Tags:base64-decodedexeuser-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

Detection

Remcos
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected Keylogger Generic
Yara signature match

Classification

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exeJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
    1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exeJoeSecurity_RemcosYara detected Remcos RATJoe Security
      1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exeJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
        1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exeWindows_Trojan_Remcos_b296e965unknownunknown
        • 0x71a7b:$a1: Remcos restarted by watchdog!
        • 0x71ff3:$a3: %02i:%02i:%02i:%03i
        1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exeREMCOS_RAT_variantsunknownunknown
        • 0x6b817:$str_a1: C:\Windows\System32\cmd.exe
        • 0x6b793:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x6b793:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x6bc93:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x6c4c3:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6b887:$str_b2: Executing file:
        • 0x6c919:$str_b3: GetDirectListeningPort
        • 0x6c2b3:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x6c433:$str_b7: \update.vbs
        • 0x6b8af:$str_b9: Downloaded file:
        • 0x6b89b:$str_b10: Downloading file:
        • 0x6b93f:$str_b12: Failed to upload file:
        • 0x6c8e1:$str_b13: StartForward
        • 0x6c901:$str_b14: StopForward
        • 0x6c38b:$str_b15: fso.DeleteFile "
        • 0x6c31f:$str_b16: On Error Resume Next
        • 0x6c3bb:$str_b17: fso.DeleteFolder "
        • 0x6b92f:$str_b18: Uploaded file:
        • 0x6b8ef:$str_b19: Unable to delete:
        • 0x6c353:$str_b20: while fso.FileExists("
        • 0x6bdcc:$str_c0: [Firefox StoredLogins not found]
        Click to see the 1 entries

        Sigma Signatures

        No Sigma rule has matched

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe, type: SAMPLE
        Source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exeBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_108bcb53-2

        Exploits

        barindex
        Yara detected UAC Bypass using CMSTP
        Source: Yara matchFile source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe, type: SAMPLE
        Source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exeString found in binary or memory: http://geoplugin.net/json.gp/C
        Source: Yara matchFile source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe, type: SAMPLE

        E-Banking Fraud

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe, type: SAMPLE

        System Summary

        barindex
        Malicious sample detected (through community Yara rule)
        Source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe, type: SAMPLEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: classification engineClassification label: mal64.troj.expl.winEXE@0/0@0/0

        Stealing of Sensitive Information

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe, type: SAMPLE

        Remote Access Functionality

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe, type: SAMPLE

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping1
        System Information Discovery        		Remote Services1
        Archive Collected Data        		Data ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe3%ReversingLabs

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        http://geoplugin.net/json.gp/C0%URL Reputationsafe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://geoplugin.net/json.gp/C1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exefalse
        • URL Reputation: safe
        		unknown

        World Map of Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1525933
        Start date and time:2024-10-04 16:42:16 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 2m 26s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:1
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe
        Detection:MAL
        Classification:mal64.troj.expl.winEXE@0/0@0/0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Unable to launch sample, stop analysis

        Errors

        • No process behavior to analyse as no analysis process or sample was found
        • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

        Warnings

        • Exclude process from analysis (whitelisted): dllhost.exe
        • VT rate limit hit for: 1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe

        Simulations

        Behavior and APIs

        No simulations

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        No created / dropped files found

        Static File Info

        General

        File type:MS-DOS executable
        Entropy (8bit):6.67794944032804
        TrID:
        • Generic Win/DOS Executable (2004/3) 49.94%
        • DOS Executable Generic (2002/1) 49.89%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.17%
        File name:1728051009f4443008c44185dd0681126f8bf5d6dc61953195b58b40df90184e01763a035f953.dat-decoded.exe
        File size:525'261 bytes
        MD5:c5a7a5eb2ce991a63285079c2edd4756
        SHA1:e9ccdb0725ff52be8a95829aec3adb712896e665
        SHA256:6fe8d5c41a41255c157055ce84de6edfa25a518c0224cd29eac442501bc6d482
        SHA512:6790afa23cb9c2c8441a10d2c84f197fe62120c112c213898e6f7cca1d81ddc3b6f4cf790c0f6dcfc1fd236948b9abbb9ba97a5cce3b8798330007c6e635435f
        SSDEEP:12288:1CYR/tGm3Wh/MnWXCVpPKt1udWhxyp73:B/Em3Wh/MnLVpPKtiWhk
        TLSH:2AB47C11A692C071E8F71E300E3AEA72FAB6BC5015214C7B77DD0CBABD715407A25EE6
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..C.:...'~[..~..%C.:....~..$~V..C.:.AbR~I..~...C.:.J..~.D..R..C.:..D..r..~.D..j..~AbE~Q..C.:.H..~v..~.D..,..~.D)~I

        File Icon

        Icon Hash:90cececece8e8eb0

        Network Behavior

        No network behavior found

        Statistics

        No statistics

        System Behavior

        No system behavior

        Disassembly

        No disassembly