Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe

Overview

General Information

Sample name:1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe
Analysis ID:1592275
MD5:d59189bb834af4ca4e6b6dbe3bf53c09
SHA1:4a84ef29e1f1227982f1276f50c350a7117640e9
SHA256:2ecfdb89f16c1535e6cc6a83275bd9fbd1e0d8e86db04c04f826146b49d3f691
Tags:base64-decodedexeuser-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

Detection

Remcos
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected Keylogger Generic
Yara signature match

Classification

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exeJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
    1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exeJoeSecurity_RemcosYara detected Remcos RATJoe Security
      1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exeJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
        1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exeWindows_Trojan_Remcos_b296e965unknownunknown
        • 0x71a22:$a1: Remcos restarted by watchdog!
        • 0x71f9a:$a3: %02i:%02i:%02i:%03i
        1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exeREMCOS_RAT_variantsunknownunknown
        • 0x6ba38:$str_a1: C:\Windows\System32\cmd.exe
        • 0x6b9b4:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x6b9b4:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x6beb4:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x6c4b4:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6baa8:$str_b2: Executing file:
        • 0x6c8f6:$str_b3: GetDirectListeningPort
        • 0x6c2a4:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x6c424:$str_b7: \update.vbs
        • 0x6bad0:$str_b9: Downloaded file:
        • 0x6babc:$str_b10: Downloading file:
        • 0x6bb60:$str_b12: Failed to upload file:
        • 0x6c8be:$str_b13: StartForward
        • 0x6c8de:$str_b14: StopForward
        • 0x6c37c:$str_b15: fso.DeleteFile "
        • 0x6c310:$str_b16: On Error Resume Next
        • 0x6c3ac:$str_b17: fso.DeleteFolder "
        • 0x6bb50:$str_b18: Uploaded file:
        • 0x6bb10:$str_b19: Unable to delete:
        • 0x6c344:$str_b20: while fso.FileExists("
        • 0x6bfed:$str_c0: [Firefox StoredLogins not found]
        Click to see the 1 entries

        Sigma Signatures

        No Sigma rule has matched

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe, type: SAMPLE
        Source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exeBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_390aed86-0

        Exploits

        barindex
        Yara detected UAC Bypass using CMSTP
        Source: Yara matchFile source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe, type: SAMPLE
        Source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exeString found in binary or memory: http://geoplugin.net/json.gp/C
        Source: Yara matchFile source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe, type: SAMPLE

        E-Banking Fraud

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe, type: SAMPLE

        System Summary

        barindex
        Malicious sample detected (through community Yara rule)
        Source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
        Source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe, type: SAMPLEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: classification engineClassification label: mal64.troj.expl.winEXE@0/0@0/0

        Stealing of Sensitive Information

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe, type: SAMPLE

        Remote Access Functionality

        barindex
        Yara detected Remcos RAT
        Source: Yara matchFile source: 1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe, type: SAMPLE

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping1
        System Information Discovery        		Remote Services1
        Archive Collected Data        		Data ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        No Antivirus matches

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://geoplugin.net/json.gp/C1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exefalse
          		high

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox version:42.0.0 Malachite
          Analysis ID:1592275
          Start date and time:2025-01-16 00:40:09 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 1m 52s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:1
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe
          Detection:MAL
          Classification:mal64.troj.expl.winEXE@0/0@0/0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Unable to launch sample, stop analysis

          Errors

          • No process behavior to analyse as no analysis process or sample was found
          • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

          Warnings

          • Exclude process from analysis (whitelisted): dllhost.exe

          Simulations

          Behavior and APIs

          No simulations

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          No created / dropped files found

          Static File Info

          General

          File type:MS-DOS executable
          Entropy (8bit):6.664319106886378
          TrID:
          • Generic Win/DOS Executable (2004/3) 49.94%
          • DOS Executable Generic (2002/1) 49.89%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.17%
          File name:1736984347ea2e5f31dec96d559398ef022940c65b7dbf898b88f872c9a695d467d574b77f522.dat-decoded.exe
          File size:523'565 bytes
          MD5:d59189bb834af4ca4e6b6dbe3bf53c09
          SHA1:4a84ef29e1f1227982f1276f50c350a7117640e9
          SHA256:2ecfdb89f16c1535e6cc6a83275bd9fbd1e0d8e86db04c04f826146b49d3f691
          SHA512:440e9b3832be714b0c93ffd6d8e1bc439f4c1839e627cd13cf3758461966254957a2692a138bcb69e8047e02b39e881f2a7424540d96b685207b2ab520cc83e2
          SSDEEP:12288:BSEAX2AdZFy6uRadTIlYK2MRPx1tghCCeepZQnn:PAX2AZFy6u0dklYYtghCVMZ6
          TLSH:DAB48D11A691C072E8F75E300A2AEEB2FEBABC1014254C7B77DE0C76BDB15407625EA1
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H..8... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich

          File Icon

          Icon Hash:00928e8e8686b000

          Network Behavior

          No network behavior found

          Statistics

          No statistics

          System Behavior

          No system behavior

          Disassembly

          No disassembly