
Windows Analysis Report
1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe

Overview

General Information

Sample name:1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe
Analysis ID:1472512
MD5:0233b4ec1bb0b86ce25e1101620b5b90
SHA1:9be1a169d206400bbecad6a90517b58d0bfdeeaf
SHA256:e35f290abe0cb23deff221cb58026c8e27e0594361507df9ed095aee48c99480
Tags:base64-decodedexe
Errors:
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

The sample never started on the Windows 10 x64 analysis VM: the Windows loader rejected it with its machine-type mismatch message, i.e. the Machine field in the PE file header is not one the VM can execute. Every dynamic section of this report (process, network, registry, dropped files) is therefore empty, and the verdict below rests solely on static YARA matches against the file on disk.
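The Machine field the loader rejected can be read straight from the PE header before a sample is (re)submitted to a sandbox, which avoids burning an analysis on a VM that cannot run it. The Python below is an added example and is not part of the Joe Sandbox report or its tooling. It constructs its own stub headers as test input (the analysed file is not embedded), and the set of machine types treated as runnable on a Windows 10 x64 VM is my assumption: native x64 plus x86 under WOW64, nothing else.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "I386 (x86)",
    0x8664: "AMD64 (x64)",
    0x01C0: "ARM",
    0x01C4: "ARMNT (Thumb-2)",
    0xAA64: "ARM64",
    0x0200: "IA64",
}

# Assumption: a Windows 10 x64 analysis VM, like the one in this report, executes
# native x64 images and x86 images under WOW64, and nothing else.
RUNNABLE_ON_WIN10_X64 = {0x014C, 0x8664}


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature plus a COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_machine(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.Machine, the 16-bit field immediately after the PE signature."""
    if not is_pe(data):
        raise ValueError("not a PE image (MZ stub only, or e_lfanew does not reach a PE signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def describe(data: bytes) -> str:
    m = pe_machine(data)
    return f"Machine=0x{m:04x} ({MACHINE_NAMES.get(m, 'unknown')})"


def would_run_on_win10_x64(data: bytes) -> bool:
    """The pre-submission check: would the loader on a Win10 x64 VM accept this Machine value?"""
    return pe_machine(data) in RUNNABLE_ON_WIN10_X64


def build_stub_pe(machine: int) -> bytes:
    """Constructed test input: a DOS header plus a bare COFF header, not a runnable binary."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header immediately follows
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)  # IMAGE_FILE_HEADER, 20 bytes
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Usage: python pe_machine.py sample.exe [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        if not is_pe(blob):
            print(f"{path}: not a PE image")
            continue
        print(f"{path}: {describe(blob)}; runnable on Win10 x64: {would_run_on_win10_x64(blob)}")
```

A file that fails `is_pe` but starts with MZ is a DOS-stub-only or truncated image, which is the other common reason a sandbox reports "corrupt sample or wrongly selected analyzer"; a file that passes but whose Machine is outside the runnable set needs a VM of the matching architecture, not a resubmission.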

Detection

Remcos
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
YARA matches (source for every match: the submitted file 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe, type SAMPLE)

  • Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  • Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
  • Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
    Strings:
      0x71b16:$a1: Remcos restarted by watchdog!
      0x7208e:$a3: %02i:%02i:%02i:%03i
  • Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
    Strings:
      0x6b8f4:$str_a1: C:\Windows\System32\cmd.exe
      0x6b870:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      0x6b870:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      0x6bd70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      0x6c5a0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      0x6b964:$str_b2: Executing file:
      0x6c9f3:$str_b3: GetDirectListeningPort
      0x6c390:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      0x6c510:$str_b7: \update.vbs
      0x6b98c:$str_b9: Downloaded file:
      0x6b978:$str_b10: Downloading file:
      0x6ba1c:$str_b12: Failed to upload file:
      0x6c9bb:$str_b13: StartForward
      0x6c9db:$str_b14: StopForward
      0x6c468:$str_b15: fso.DeleteFile "
      0x6c3fc:$str_b16: On Error Resume Next
      0x6c498:$str_b17: fso.DeleteFolder "
      0x6ba0c:$str_b18: Uploaded file:
      0x6b9cc:$str_b19: Unable to delete:
      0x6c430:$str_b20: while fso.FileExists("
      0x6bea9:$str_c0: [Firefox StoredLogins not found]
  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
    Strings:
      0x6b7e0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      0x6b774:$s1: CoGetObject
      0x6b788:$s1: CoGetObject
      0x6b7a4:$s1: CoGetObject
      0x75a90:$s1: CoGetObject
      0x6b734:$s2: Elevation:Administrator!new:
      0x6b7e0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}

Read together, the string hits describe the full Remcos feature set without the sample ever running: the CMSTPLUA CLSID next to the "Elevation:Administrator!new:" moniker and CoGetObject imports is the auto-elevating COM UAC bypass; the reg.exe command disables UAC outright by zeroing EnableLUA; the Chrome "Login Data" path and the Firefox StoredLogins message are the browser credential stealer; the update.vbs / FileSystemObject fragments are the self-deleting updater script; StartForward/StopForward/GetDirectListeningPort are the RAT's port-forwarding commands.
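What the rule hits above actually key on can be reproduced without a YARA engine, since the string set is small enough to scan for directly. The Python below is an added example of mine, not code from Joe Sandbox or from the rule authors: the indicator literals are the ones listed in the report, while the indicator names, the grouping into behaviour classes and the constructed SAMPLE buffer are my own (the analysed file is not embedded). It goes slightly beyond the report by also checking for UTF-16LE copies of the strings at both byte alignments, because Windows binaries frequently carry such strings wide.

```python
import re
import sys
from typing import Dict, Set

# Indicator strings taken from the YARA hits in this report.  Patterns are bytes regexes so they
# run directly over a file image; the names are mine, the literal strings are the rules'.
INDICATORS: Dict[str, bytes] = {
    "remcos_watchdog":   rb"Remcos restarted by watchdog!",
    "cmstplua_clsid":    rb"\{3E5FC7F9-9A51-4367-9063-A120244FBEC7\}",
    "elevation_moniker": rb"Elevation:Administrator!new:",
    "enablelua_disable": rb"reg\.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA",
    "chrome_login_data": rb"\\Google\\Chrome\\User Data\\Default\\Login Data",
    "firefox_logins":    rb"\[Firefox StoredLogins not found\]",
    "vbs_self_delete":   rb"DeleteFile\(Wscript\.ScriptFullName\)",
    "update_vbs":        rb"\\update\.vbs",
    "port_forward_api":  rb"StartForward|StopForward|GetDirectListeningPort",
}
_COMPILED = {name: re.compile(pat) for name, pat in INDICATORS.items()}

# Behaviour classes mirroring the report's signature sections (my grouping, not the rules').
CATEGORIES: Dict[str, Set[str]] = {
    "uac_bypass_cmstp":     {"cmstplua_clsid", "elevation_moniker"},   # both required
    "uac_disable_registry": {"enablelua_disable"},
    "credential_theft":     {"chrome_login_data", "firefox_logins"},   # any one
    "remcos_rat":           {"remcos_watchdog", "port_forward_api", "update_vbs", "vbs_self_delete"},
}
REQUIRE_ALL = {"uac_bypass_cmstp"}  # the CLSID alone is also used legitimately by cmstp.exe


def _views(data: bytes):
    """Yield (label, buffer): the raw bytes, then UTF-16LE text folded to 8-bit at both alignments."""
    yield "ascii", data
    for shift in (0, 1):
        text = data[shift:].decode("utf-16le", errors="ignore")
        yield f"wide+{shift}", text.encode("latin-1", errors="replace")


def scan(data: bytes) -> Dict[str, Set[str]]:
    """Return {indicator: {view labels it matched in}} for every indicator present in data."""
    hits: Dict[str, Set[str]] = {}
    for label, buf in _views(data):
        for name, rx in _COMPILED.items():
            if rx.search(buf):
                hits.setdefault(name, set()).add(label)
    return hits


def classify(hits: Dict[str, Set[str]]) -> Set[str]:
    """Map indicator hits to behaviour classes; returns the empty set for a clean buffer."""
    found = set(hits)
    out: Set[str] = set()
    for cat, members in CATEGORIES.items():
        matched = members <= found if cat in REQUIRE_ALL else bool(members & found)
        if matched:
            out.add(cat)
    return out


# Constructed test buffer (not the analysed sample): ASCII fragments plus one wide string.
SAMPLE = (
    b"\x00" * 16
    + b"Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\x00"
    + b"/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
      b"\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f\x00"
    + "Remcos restarted by watchdog!".encode("utf-16le") + b"\x00\x00"
    + b"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\x00"
    + b"Set fso = CreateObject(\"Scripting.FileSystemObject\")\x00\\update.vbs\x00StartForward\x00"
)


if __name__ == "__main__":
    # Usage: python remcos_strings.py [file ...]; with no arguments it scans SAMPLE.
    targets = sys.argv[1:] or ["<SAMPLE>"]
    for path in targets:
        data = SAMPLE if path == "<SAMPLE>" else open(path, "rb").read()
        h = scan(data)
        print(path, sorted(classify(h)))
        for name, views in sorted(h.items()):
            print(f"  {name}: {','.join(sorted(views))}")
```

The CMSTPLUA CLSID is required to co-occur with the elevation moniker before the bypass class fires, since the CLSID by itself appears in legitimate code; the other classes trigger on any member. Because the wide views throw away byte offsets, the output reports which view matched rather than where, which is enough for triage and for confirming a YARA hit by hand.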
      No Sigma rule has matched
      No Snort rule has matched


      AV Detection

Source: Yara match; file source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe, type: SAMPLE
Source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe; binary or memory string: -----BEGIN PUBLIC KEY-----

      Exploits

Source: Yara match; file source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe, type: SAMPLE
Source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe; string found in binary or memory: http://geoplugin.net/json.gp/C

      E-Banking Fraud

Source: Yara match; file source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe, type: SAMPLE

      System Summary

Source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe, type: SAMPLE; matched rule: Windows_Trojan_Remcos_b296e965, author: unknown
Source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe, type: SAMPLE; matched rule: REMCOS_RAT_variants, author: unknown
Source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe, type: SAMPLE; matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), author: ditekSHen
Source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe, type: SAMPLE; matched rule: Windows_Trojan_Remcos_b296e965; rule metadata: reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe, type: SAMPLE; matched rule: REMCOS_RAT_variants; rule metadata: Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe, type: SAMPLE; matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM; rule metadata: author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine; classification label: mal64.troj.expl.winEXE@0/0@0/0

      Stealing of Sensitive Information

Source: Yara match; file source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe, type: SAMPLE

      Remote Access Functionality

Source: Yara match; file source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe, type: SAMPLE

MITRE ATT&CK matrix (one technique per tactic column as rendered in the report; "(1)" is the report's count of matched signatures for that cell)
  • Reconnaissance: Gather Victim Identity Information
  • Resource Development: Acquire Infrastructure
  • Initial Access: Valid Accounts
  • Execution: Windows Management Instrumentation
  • Persistence: Path Interception
  • Privilege Escalation: Path Interception
  • Defense Evasion: Direct Volume Access
  • Credential Access: OS Credential Dumping (1)
  • Discovery: System Information Discovery
  • Lateral Movement: Remote Services (1)
  • Collection: Archive Collected Data
  • Command and Control: Data Obfuscation
  • Exfiltration: Exfiltration Over Other Network Medium
  • Impact: Abuse Accessibility Features


No Antivirus matches
URLs
  • Source: http://geoplugin.net/json.gp/C | Detection: 0% | Scanner: URL Reputation | Label: safe
No contacted domains info
URL details
  • Name: http://geoplugin.net/json.gp/C | Source: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe | Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

The "safe" label is expected and should not be read as exonerating the sample: geoplugin.net is a legitimate IP geolocation API that Remcos queries to report the victim's location to its operator, so the string is an indicator of the RAT's own behaviour rather than of a malicious domain. It is a static string hit only; no request was made because the sample never ran.
      No contacted IP infos
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1472512
      Start date and time:2024-07-12 23:50:19 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 2m 2s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:1
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe
      Detection:MAL
      Classification:mal64.troj.expl.winEXE@0/0@0/0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Unable to launch sample, stop analysis
      • No process behavior to analyse as no analysis process or sample was found
      • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.
      • Exclude process from analysis (whitelisted): dllhost.exe
      • VT rate limit hit for: 1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe
No simulations
No context
      No created / dropped files found
File type:MS-DOS executable (neither the file-type engine nor TrID below recognised a Win32/Win64 PE layout; only the MZ stub was identified, which matches the machine-type error reported above)
      Entropy (8bit):6.675833894948408
      TrID:
      • Generic Win/DOS Executable (2004/3) 49.94%
      • DOS Executable Generic (2002/1) 49.89%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.17%
      File name:1720820945b98a33634332b5b04d2d5eefc45211062a00fb2a41a5d44d2d51e9cf8e375a78335.dat-decoded.exe
      File size:525'435 bytes
      MD5:0233b4ec1bb0b86ce25e1101620b5b90
      SHA1:9be1a169d206400bbecad6a90517b58d0bfdeeaf
      SHA256:e35f290abe0cb23deff221cb58026c8e27e0594361507df9ed095aee48c99480
      SHA512:86c13697d6d3670eff198a0e7e51556c53b84c060856501018135f66591337b1d1cfb3a59bdda11cd04fab65e145d9b1c26afba86d50bfd147d9246531c56a87
      SSDEEP:6144:X7BJulkWSG6QdqI2DBQ/l0/U6fsjLw84xToJs5iAuMcNDje104ZC7XUcyKTdc:XVJuKWd21Ea/U4sj084x8qVxZC1Zc
      TLSH:A9B48D11AA91C031E8F71E300E2AEE72FEBABC5015214D6B77DD0C7ABD715407A25EE6
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H...z.C.:..f$~[..~.f&C.:....~.f'~V...z.C.:.A.Q~I..~.Z.C.:.J..~....R...z.C.:.....r..~....j..~A.F~Q...z.C.:.H..~u..~.
      Icon Hash:90cececece8e8eb0
      No network behavior found
      No statistics
      No system behavior
      No disassembly