Windows
Analysis Report
Cp91KTtA1I.exe
Overview
General Information
Sample name: | Cp91KTtA1I.exerenamed because original name is a hash value |
Original sample name: | 31e027003d640a1598d0e0501bebb595ea9407d74dbbc11e9d8a0779008b6eef.exe |
Analysis ID: | 1471677 |
MD5: | 3785429894a5a55d22e27a398a8d71e5 |
SHA1: | ff427e205d09bde3c5ecbe65c986edfdcddb5efb |
SHA256: | 31e027003d640a1598d0e0501bebb595ea9407d74dbbc11e9d8a0779008b6eef |
Tags: | exe |
Infos: | |
Detection
Remcos, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Disables UAC (registry)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Powershell drops PE file
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Use Short Name Path in Command Line
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Classification
- System is w10x64
Cp91KTtA1I.exe (PID: 7260 cmdline:
"C:\Users\ user\Deskt op\Cp91KTt A1I.exe" MD5: 3785429894A5A55D22E27A398A8D71E5) powershell.exe (PID: 7336 cmdline:
"powershel l.exe" -wi ndowstyle hidden "$A ksemagters =Get-Conte nt 'C:\Use rs\user\Ap pData\Loca l\kilns\Un obtainably \Psychrome tres.Tel'; $Soonerdog =$Aksemagt ers.SubStr ing(4665,3 );.$Sooner dog($Aksem agters)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) conhost.exe (PID: 7344 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) Programdirektrer.exe (PID: 7880 cmdline:
"C:\Users\ user~1\App Data\Local \Temp\Prog ramdirektr er.exe" MD5: 3785429894A5A55D22E27A398A8D71E5) cmd.exe (PID: 8060 cmdline:
/k %windir %\System32 \reg.exe A DD HKLM\SO FTWARE\Mic rosoft\Win dows\Curre ntVersion\ Policies\S ystem /v E nableLUA / t REG_DWOR D /d 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) conhost.exe (PID: 8084 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) reg.exe (PID: 8124 cmdline:
C:\Windows \System32\ reg.exe AD D HKLM\SOF TWARE\Micr osoft\Wind ows\Curren tVersion\P olicies\Sy stem /v En ableLUA /t REG_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C) Programdirektrer.exe (PID: 5484 cmdline:
C:\Users\u ser~1\AppD ata\Local\ Temp\Progr amdirektre r.exe /ste xt "C:\Use rs\user\Ap pData\Loca l\Temp\nkg riyijgstgf l" MD5: 3785429894A5A55D22E27A398A8D71E5) Programdirektrer.exe (PID: 2964 cmdline:
C:\Users\u ser~1\AppD ata\Local\ Temp\Progr amdirektre r.exe /ste xt "C:\Use rs\user\Ap pData\Loca l\Temp\xeu kirtlualli zflkm" MD5: 3785429894A5A55D22E27A398A8D71E5) Programdirektrer.exe (PID: 2992 cmdline:
C:\Users\u ser~1\AppD ata\Local\ Temp\Progr amdirektre r.exe /ste xt "C:\Use rs\user\Ap pData\Loca l\Temp\igz ujjdfqjdys fbpbxskn" MD5: 3785429894A5A55D22E27A398A8D71E5)
svchost.exe (PID: 7184 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity. |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
{"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7CSH4D", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
Click to see the 1 entries |
System Summary |
---|
Source: | Author: frack113, Nasreddine Bencherchali: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Source: | Author: vburov: |
Stealing of Sensitive Information |
---|