Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
cKAfpUFqZ7.exe

Overview

General Information

Sample name:cKAfpUFqZ7.exe
renamed because original name is a hash value
Original sample name:28d8408ad6ae09d1d703b0b8ca78d670N.exe
Analysis ID:1472669
MD5:28d8408ad6ae09d1d703b0b8ca78d670
SHA1:75645b81c0b05b4527c5cafeb1f5cd5c21b3f475
SHA256:1da8b868bd5d60050d40adae98482f1310d3679948dd1cee7a1b4a8ef9a396f0
Tags:exeRATRemcos
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected Remcos RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Classification

  • System is w10x64
  • cKAfpUFqZ7.exe (PID: 4720 cmdline: "C:\Users\user\Desktop\cKAfpUFqZ7.exe" MD5: 28D8408AD6AE09D1D703B0B8CA78D670)
    • sbietrcl.exe (PID: 7280 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe" MD5: B93D0E4262339620BAA9866CF0880980)
      • sbietrcl.exe (PID: 7324 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe" MD5: B93D0E4262339620BAA9866CF0880980)
  • sbietrcl.exe (PID: 7592 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe" MD5: B93D0E4262339620BAA9866CF0880980)
    • sbietrcl.exe (PID: 7684 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe" MD5: B93D0E4262339620BAA9866CF0880980)
  • sbietrcl.exe (PID: 7736 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe" MD5: B93D0E4262339620BAA9866CF0880980)
    • sbietrcl.exe (PID: 7772 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe" MD5: B93D0E4262339620BAA9866CF0880980)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "213.183.58.19:4000", "Assigned name": "Host", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_sccafsoidz", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "read.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "CastC"}
SourceRuleDescriptionAuthorStrings
00000006.00000002.2216897108.0000000003BDA000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
    00000006.00000002.2216897108.0000000003BDA000.00000004.00000800.00020000.00000000.sdmpRemcosdetect Remcos in memoryJPCERT/CC Incident Response Group
    • 0x11554:$remcos: Remcos
    • 0x11dc8:$remcos: Remcos
    • 0x11e00:$url: Breaking-Security.Net
    • 0x1660a:$resource: SETTINGS
    00000008.00000002.2299691163.0000000003F98000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
      00000008.00000002.2299691163.0000000003F98000.00000004.00000800.00020000.00000000.sdmpRemcosdetect Remcos in memoryJPCERT/CC Incident Response Group
      • 0x11b14:$remcos: Remcos
      • 0x12388:$remcos: Remcos
      • 0x123c0:$url: Breaking-Security.Net
      • 0x16bca:$resource: SETTINGS
      00000007.00000002.2210506466.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
        Click to see the 17 entries
        SourceRuleDescriptionAuthorStrings
        3.2.sbietrcl.exe.4558a50.5.raw.unpackJoeSecurity_RemcosYara detected Remcos RATJoe Security
          3.2.sbietrcl.exe.4558a50.5.raw.unpackREMCOS_RAT_variantsunknownunknown
          • 0x114dc:$funcs1: autogetofflinelogs
          • 0x114c0:$funcs2: clearlogins
          • 0x114f0:$funcs3: getofflinelogs
          • 0x11578:$funcs4: execcom
          • 0x114cc:$funcs5: deletekeylog
          • 0x11798:$funcs6: remscriptexecd
          • 0x115bc:$funcs7: getwindows
          • 0x10da0:$funcs8: fundlldata
          • 0x10d78:$funcs9: getfunlib
          • 0x107ec:$funcs10: autofflinelogs
          • 0x113b8:$funcs11: getclipboard
          • 0x114b4:$funcs12: getscrslist
          • 0x107e0:$funcs13: offlinelogs
          • 0x105c8:$funcs14: getcamsingleframe
          • 0x116e4:$funcs15: listfiles
          • 0x115e0:$funcs16: getproclist
          • 0x10828:$funcs17: onlinelogs
          • 0x11700:$funcs18: getdrives
          • 0x11784:$funcs19: remscriptsuccess
          • 0x10600:$funcs20: getcamframe
          • 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
          3.2.sbietrcl.exe.4558a50.5.raw.unpackRemcos_1Remcos Payloadkevoreilly
          • 0x11034:$name: Remcos
          • 0x118a8:$name: Remcos
          • 0x118fb:$name: REMCOS
          • 0x10688:$time: %02i:%02i:%02i:%03i
          • 0x11320:$time: %02i:%02i:%02i:%03i
          • 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
          3.2.sbietrcl.exe.4558a50.5.raw.unpackRemcosdetect Remcos in memoryJPCERT/CC Incident Response Group
          • 0x11034:$remcos: Remcos
          • 0x118a8:$remcos: Remcos
          • 0x118e0:$url: Breaking-Security.Net
          • 0x160ea:$resource: SETTINGS
          3.2.sbietrcl.exe.4558a50.5.raw.unpackINDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewerdetects Windows exceutables potentially bypassing UAC using eventvwr.exeditekSHen
          • 0x10738:$s1: \Classes\mscfile\shell\open\command
          • 0x10720:$s2: eventvwr.exe