
Windows Analysis Report
3lvdjItxde.exe

Overview

General Information

Sample name: 3lvdjItxde.exe (renamed because original name is a hash value)
Original sample name: win_remcos_3ec2af4b5c9bb02513b905dfa7217efdcec08dce2c3d9621bd4792d50e548cf1.exe
Analysis ID: 1431549
MD5: d3ccea4baebe97ae4b7adf2c95ce4e20
SHA1: 2c2436357a6d2fa47fb895a6ff0a64ed2c6a1af3
SHA256: 3ec2af4b5c9bb02513b905dfa7217efdcec08dce2c3d9621bd4792d50e548cf1
Tags: exe, remcos
Infos:
Errors:
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Remcos
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Machine Learning detection for sample
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings):

Source: 3lvdjItxde.exe | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 3lvdjItxde.exe | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 3lvdjItxde.exe | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
      • 0x6c4a8:$a1: Remcos restarted by watchdog!
      • 0x6ca20:$a3: %02i:%02i:%02i:%03i
Source: 3lvdjItxde.exe | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
      • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
      • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      • 0x6656c:$str_b2: Executing file:
      • 0x675ec:$str_b3: GetDirectListeningPort
      • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      • 0x67118:$str_b7: \update.vbs
      • 0x66594:$str_b9: Downloaded file:
      • 0x66580:$str_b10: Downloading file:
      • 0x66624:$str_b12: Failed to upload file:
      • 0x675b4:$str_b13: StartForward
      • 0x675d4:$str_b14: StopForward
      • 0x67070:$str_b15: fso.DeleteFile "
      • 0x67004:$str_b16: On Error Resume Next
      • 0x670a0:$str_b17: fso.DeleteFolder "
      • 0x66614:$str_b18: Uploaded file:
      • 0x665d4:$str_b19: Unable to delete:
      • 0x67038:$str_b20: while fso.FileExists("
      • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
Source: 3lvdjItxde.exe | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
      • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      • 0x6637c:$s1: CoGetObject
      • 0x66390:$s1: CoGetObject
      • 0x663ac:$s1: CoGetObject
      • 0x70338:$s1: CoGetObject
      • 0x6633c:$s2: Elevation:Administrator!new:
      No Sigma rule has matched
      No Snort rule has matched


      AV Detection

Source: http://geoplugin.net/json.gp/C | URL Reputation: Label: phishing
Source: 3lvdjItxde.exe | ReversingLabs: Detection: 63%
Source: 3lvdjItxde.exe | Virustotal: Detection: 64%
Source: Yara match | File source: 3lvdjItxde.exe, type: SAMPLE
Source: 3lvdjItxde.exe | Joe Sandbox ML: detected
Source: 3lvdjItxde.exe | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_45c9232e-0)

      Exploits

Source: Yara match | File source: 3lvdjItxde.exe, type: SAMPLE
Source: 3lvdjItxde.exe | String found in binary or memory: http://geoplugin.net/json.gp/C

      E-Banking Fraud

Source: Yara match | File source: 3lvdjItxde.exe, type: SAMPLE

      System Summary

Source: 3lvdjItxde.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3lvdjItxde.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3lvdjItxde.exe, type: SAMPLE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3lvdjItxde.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3lvdjItxde.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3lvdjItxde.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine | Classification label: mal84.troj.expl.winEXE@0/0@0/0
Source: 3lvdjItxde.exe | ReversingLabs: Detection: 63%
Source: 3lvdjItxde.exe | Virustotal: Detection: 64%

      Stealing of Sensitive Information

Source: Yara match | File source: 3lvdjItxde.exe, type: SAMPLE

      Remote Access Functionality

Source: Yara match | File source: 3lvdjItxde.exe, type: SAMPLE
MITRE ATT&CK matrix (tactic: technique shown):

Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Direct Volume Access
Credential Access: OS Credential Dumping
Discovery: System Service Discovery
Lateral Movement: Remote Services 1
Collection: Archive Collected Data
Command and Control: Data Obfuscation
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
Antivirus results (Source | Detection | Scanner | Label):

Source: 3lvdjItxde.exe | Detection: 63% | Scanner: ReversingLabs | Label: Win32.Trojan.Remcos
Source: 3lvdjItxde.exe | Detection: 65% | Scanner: Virustotal
Source: 3lvdjItxde.exe | Detection: 100% | Scanner: Joe Sandbox ML
      No Antivirus matches
URL results (Source | Detection | Scanner | Label):

Source: http://geoplugin.net/json.gp/C | Detection: 100% | Scanner: URL Reputation | Label: phishing
      No contacted domains info
Contacted URLs (Name | Source | Malicious | Antivirus Detection | Reputation):

Name: http://geoplugin.net/json.gp/C | Source: 3lvdjItxde.exe | Malicious: true | Antivirus Detection: URL Reputation: phishing | Reputation: unknown
      No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431549
Start date and time: 2024-04-25 12:23:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 3lvdjItxde.exe (renamed because original name is a hash value)
Original Sample Name: win_remcos_3ec2af4b5c9bb02513b905dfa7217efdcec08dce2c3d9621bd4792d50e548cf1.exe
Detection: MAL
Classification: mal84.troj.expl.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
  • Exclude process from analysis (whitelisted): dllhost.exe
      No simulations
      No context
      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.110253129634026
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 3lvdjItxde.exe
File size: 532'480 bytes
MD5: d3ccea4baebe97ae4b7adf2c95ce4e20
SHA1: 2c2436357a6d2fa47fb895a6ff0a64ed2c6a1af3
SHA256: 3ec2af4b5c9bb02513b905dfa7217efdcec08dce2c3d9621bd4792d50e548cf1
SHA512: 756c509c7b3bc9690a7172e8929ee46c26ae346c0777b47497d042c32263ddd13babb7cb4ea605fbb19861dcc2324c8246936e803cc06bdc3909c9fd706b4f4a
SSDEEP: 6144:AXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZsAX4cN:AX7tPMK8ctGe4Dzl4h2QnuPs/Zs
TLSH: 96B4AF01BAD1C072D57514300D36E776EAB8BD2128364A7FB3D61D5BFE30190B63AAB6
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..- ..~ ..~ ..~.f$~3..~.f&~...~.f'~>..~).Q~!..~.Z.~"..~....:..~.......~.......~).F~9..~ ..~...~....D..~..*~!..~....!..~Rich ..
Icon Hash: 00928e8e8686b000
      No network behavior found
      No statistics
      No system behavior
      No disassembly