Windows Analysis Report
NE5hFhU6mt.exe

Overview

General Information

Sample name:NE5hFhU6mt.exe
renamed because original name is a hash value
Original sample name:win_remcos_ba0ebdbc3867696b266eed6a797b9ca9d7c7b9ae88e6190dcc62c9ba88d9eb8a.exe
Analysis ID:1431548
MD5:ae88072b3a34f52af18b1f67ebb8a123
SHA1:44245e20a33f771fa393ed862c134df57700f198
SHA256:ba0ebdbc3867696b266eed6a797b9ca9d7c7b9ae88e6190dcc62c9ba88d9eb8a
Tags: exe, remcos
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Remcos
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Machine Learning detection for sample
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings):
NE5hFhU6mt.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
NE5hFhU6mt.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
NE5hFhU6mt.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
      • 0x6c4a8:$a1: Remcos restarted by watchdog!
      • 0x6ca20:$a3: %02i:%02i:%02i:%03i
NE5hFhU6mt.exe | REMCOS_RAT_variants | unknown | unknown
      • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
      • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      • 0x6656c:$str_b2: Executing file:
      • 0x675ec:$str_b3: GetDirectListeningPort
      • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      • 0x67118:$str_b7: \update.vbs
      • 0x66594:$str_b9: Downloaded file:
      • 0x66580:$str_b10: Downloading file:
      • 0x66624:$str_b12: Failed to upload file:
      • 0x675b4:$str_b13: StartForward
      • 0x675d4:$str_b14: StopForward
      • 0x67070:$str_b15: fso.DeleteFile "
      • 0x67004:$str_b16: On Error Resume Next
      • 0x670a0:$str_b17: fso.DeleteFolder "
      • 0x66614:$str_b18: Uploaded file:
      • 0x665d4:$str_b19: Unable to delete:
      • 0x67038:$str_b20: while fso.FileExists("
      • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
NE5hFhU6mt.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
      • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      • 0x6637c:$s1: CoGetObject
      • 0x66390:$s1: CoGetObject
      • 0x663ac:$s1: CoGetObject
      • 0x70338:$s1: CoGetObject
      • 0x6633c:$s2: Elevation:Administrator!new:
      No Sigma rule has matched
      No Snort rule has matched


      AV Detection

Source: http://geoplugin.net/json.gp/C; URL Reputation: Label: phishing
Source: NE5hFhU6mt.exe; ReversingLabs: Detection: 63%
Source: NE5hFhU6mt.exe; Virustotal: Detection: 66%
Source: Yara match; File source: NE5hFhU6mt.exe, type: SAMPLE
Source: NE5hFhU6mt.exe; Joe Sandbox ML: detected
Source: NE5hFhU6mt.exe; Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_d83f6b0b-e)

      Exploits

Source: Yara match; File source: NE5hFhU6mt.exe, type: SAMPLE
Source: NE5hFhU6mt.exe; String found in binary or memory: http://geoplugin.net/json.gp/C

      E-Banking Fraud

Source: Yara match; File source: NE5hFhU6mt.exe, type: SAMPLE

      System Summary

Source: NE5hFhU6mt.exe, type: SAMPLE; Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: NE5hFhU6mt.exe, type: SAMPLE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: NE5hFhU6mt.exe, type: SAMPLE; Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: NE5hFhU6mt.exe, type: SAMPLE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: NE5hFhU6mt.exe, type: SAMPLE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: NE5hFhU6mt.exe, type: SAMPLE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine; Classification label: mal84.troj.expl.winEXE@0/0@0/0
Source: NE5hFhU6mt.exe; ReversingLabs: Detection: 63%
Source: NE5hFhU6mt.exe; Virustotal: Detection: 66%

      Stealing of Sensitive Information

Source: Yara match; File source: NE5hFhU6mt.exe, type: SAMPLE

      Remote Access Functionality

Source: Yara match; File source: NE5hFhU6mt.exe, type: SAMPLE

MITRE ATT&CK matrix (tactic: technique)

Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Direct Volume Access
Credential Access: OS Credential Dumping
Discovery: System Service Discovery
Lateral Movement: Remote Services (1)
Collection: Archive Collected Data
Command and Control: Data Obfuscation
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
Antivirus results (Source | Detection | Scanner | Label):
NE5hFhU6mt.exe | 63% | ReversingLabs | Win32.Trojan.Remcos
NE5hFhU6mt.exe | 66% | Virustotal
NE5hFhU6mt.exe | 100% | Joe Sandbox ML
      No Antivirus matches
URL results (Source | Detection | Scanner | Label):
http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing
No contacted domains info
Contacted URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
http://geoplugin.net/json.gp/C | NE5hFhU6mt.exe | true | URL Reputation: phishing | unknown
No contacted IP infos
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1431548
      Start date and time:2024-04-25 12:23:06 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 1m 48s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:0
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:NE5hFhU6mt.exe
      renamed because original name is a hash value
      Original Sample Name:win_remcos_ba0ebdbc3867696b266eed6a797b9ca9d7c7b9ae88e6190dcc62c9ba88d9eb8a.exe
      Detection:MAL
      Classification:mal84.troj.expl.winEXE@0/0@0/0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Unable to launch sample, stop analysis
      • No process behavior to analyse as no analysis process or sample was found
      • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
      No simulations
      No context
      No created / dropped files found
      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):6.297702867039243
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:NE5hFhU6mt.exe
      File size:532'480 bytes
      MD5:ae88072b3a34f52af18b1f67ebb8a123
      SHA1:44245e20a33f771fa393ed862c134df57700f198
      SHA256:ba0ebdbc3867696b266eed6a797b9ca9d7c7b9ae88e6190dcc62c9ba88d9eb8a
      SHA512:d7318d6bdd0b03e13bc6dd4890498c00efdcd7091880ccffd2c0b781c932418199e767e55945e49dd0f28fe96373662be6d85cfeb125f95b184968ffcd768841
      SSDEEP:6144:eXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNf5Gv:eX7tPMK8ctGe4Dzl4h2QnuPs/ZD+cv
      TLSH:88B49E01BAD1C072D57514300D36F776EAB8BD2028364A7BB3D61D5BFE31190B62A6B7
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H..~.f$~[..~.f&~...~.f'~V..~A.Q~I..~.Z.~J..~....R..~....r..~....j..~A.F~Q..~H..~u..~....,..~..*~I..~....I..~RichH..
      Icon Hash:90cececece8e8eb0
      No network behavior found
      No statistics
      No system behavior
      No disassembly