Edit tour

Windows Analysis Report
172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe

Overview

General Information

Sample name:	172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe
Analysis ID:	1472507
MD5:	fb827555c8ef70538f5a02fd7d970fef
SHA1:	2b208bd4d060a487afd936b4fe2d76213317f9c4
SHA256:	c9197ccebccea890b5dd438e3bd1a735038d697ddb8d94bb262e6568a0e6ef40
Tags:	base64-decodedexe
Infos:
Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

Detection

Remcos

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Yara signature match

Classification

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x71b16:$a1: Remcos restarted by watchdog! 0x7208e:$a3: %02i:%02i:%02i:%03i
172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe	REMCOS_RAT_variants	unknown	unknown	0x6b8f4:$str_a1: C:\Windows\System32\cmd.exe 0x6b870:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x6b870:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x6bd70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x6c5a0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6b964:$str_b2: Executing file: 0x6c9f3:$str_b3: GetDirectListeningPort 0x6c390:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x6c510:$str_b7: \update.vbs 0x6b98c:$str_b9: Downloaded file: 0x6b978:$str_b10: Downloading file: 0x6ba1c:$str_b12: Failed to upload file: 0x6c9bb:$str_b13: StartForward 0x6c9db:$str_b14: StopForward 0x6c468:$str_b15: fso.DeleteFile " 0x6c3fc:$str_b16: On Error Resume Next 0x6c498:$str_b17: fso.DeleteFolder " 0x6ba0c:$str_b18: Uploaded file: 0x6b9cc:$str_b19: Unable to delete: 0x6c430:$str_b20: while fso.FileExists(" 0x6bea9:$str_c0: [Firefox StoredLogins not found]
172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x6b7e0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6b774:$s1: CoGetObject 0x6b788:$s1: CoGetObject 0x6b7a4:$s1: CoGetObject 0x75a90:$s1: CoGetObject 0x6b734:$s2: Elevation:Administrator!new:

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected Remcos RAT

Source: Yara match

File source: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe, type: SAMPLE

Source: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_2f1d640d-c

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match

File source: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe, type: SAMPLE

Source: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe

String found in binary or memory: http://geoplugin.net/json.gp/C

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match

File source: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe, type: SAMPLE

System Summary

Malicious sample detected (through community Yara rule)

Source: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe, type: SAMPLE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal64.troj.expl.winEXE@0/0@0/0

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match

File source: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match

File source: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe, type: SAMPLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 System Information Discovery	Remote Services	1 Archive Collected Data	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp/C	172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1472507
Start date and time:	2024-07-12 23:50:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe
Detection:	MAL
Classification:	mal64.troj.expl.winEXE@0/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

No process behavior to analyse as no analysis process or sample was found
Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ocsp.edge.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net
VT rate limit hit for: 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://ik.imagekit.io/gxpn0jo1s/tgearwtyetgwaetgwa4t6w4a6yytyseztsetsetserte.html?updatedAt=3047319305?0595vfs0snhw3jn#4XoKCq127845cDyC289vehxtterqj1617VXBGKGZCTGTHTMC44244/256826q14	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://sherwoodhomeshow.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.americanexpress.com/us/cmkyc/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://rise.articulate.com/share/P1iJp0yB_bTh32WFRRy74LcbPLqlelKL#/lessons/B8YD5iyNY6mhPG043RiexudIPbtOgtU2	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://d705v.crent365.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://t.apemail.net/c/nqkqka2ukicqmbqgdicq6aaedibqcvibdihqmbaedjkaoa2uaecqkdqcaiavkfi3audqkaypa4dbwaabbydqcaqobynq4byoaedqeaipamnqogyvpf3bkgyvafkambqpkikwu-nqdbwfkcivnrkgyvpf3bkgygamaa4bqedmcagbahdmcqabibamdqggyfaycqiaibainqkbyfamhqobq3aubq4aypaadqggyvaubviuqfaydamgqfb4aaigqdafkqcgqpaycaigsua4bviaifauhaeaqbkukrwdqhbyaqoaqbb4brwfl3ijmvmrixpfjeaf3okjlekfy2c4dqefy7mzbf4vc4c5sfewktdykrwflfojqx44tacunqaaioa4aqedqodmkv6q2di5ca2gaykzbu4vsrdfnu4gcwircfeq2ecunugrkckinqaaqcdmkxs5qvdnmuew23dnmuew23dnmuew23dnmuew23dmkqcvagayhveflk	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://www.newsmaxinvest.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://venteon.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	SecuriteInfo.com.Win32.RATX-gen.28387.25625.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	192.229.221.95
	http://www.ashlardev.com	Get hash	malicious	Unknown	Browse	192.229.221.95

File type:	MS-DOS executable
Entropy (8bit):	6.676027952027281
TrID:	Generic Win/DOS Executable (2004/3) 49.94% DOS Executable Generic (2002/1) 49.89% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.17%
File name:	172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe
File size:	525'414 bytes
MD5:	fb827555c8ef70538f5a02fd7d970fef
SHA1:	2b208bd4d060a487afd936b4fe2d76213317f9c4
SHA256:	c9197ccebccea890b5dd438e3bd1a735038d697ddb8d94bb262e6568a0e6ef40
SHA512:	739e204433882dde575eb9fcd472a78a29f6ce720f9bef26df56ad295f964ff31141dda30fc2506e4e993676a9bc4b25ccbb2abb4da71a63cf646fe5ad99e332
SSDEEP:	6144:Z7BJulkWSG6QdqI2DBQ/l0/U6fsjLw84xToJs5iAuMcNDje104ZV7Xocy6Tdc:ZVJuKWd21Ea/U4sj084x8qVxZVLZc
TLSH:	61B48D11AA91C031E8F71E300E2AEE72FEBABC5015214C6B77DD0C7ABD715407A25EE6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H...z.C.:..f$~[..~.f&C.:....~.f'~V...z.C.:.A.Q~I..~.Z.C.:.J..~....R...z.C.:.....r..~....j..~A.F~Q...z.C.:.H..~u..~.

File Icon


Icon Hash:	00928e8e8686b000

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 12, 2024 23:51:20.121433973 CEST	53	65080	1.1.1.1	192.168.2.5

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 12, 2024 23:51:15.818140984 CEST	1.1.1.1	192.168.2.5	0x88ca	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 12, 2024 23:51:15.818140984 CEST	1.1.1.1	192.168.2.5	0x88ca	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Networking

E-Banking Fraud

System Summary

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

UDP Packets

DNS Answers

Statistics

System Behavior

Disassembly

Windows Analysis Report
172082094700db9e9091b6a6dbee178a20f02e04b0e858330e4aa6383213e7388d36089f4b506.dat-decoded.exe