Windows
Analysis Report
cKAfpUFqZ7.exe
Overview
General Information
Sample name: | cKAfpUFqZ7.exe (renamed because original name is a hash value) |
Original sample name: | 28d8408ad6ae09d1d703b0b8ca78d670N.exe |
Analysis ID: | 1472669 |
MD5: | 28d8408ad6ae09d1d703b0b8ca78d670 |
SHA1: | 75645b81c0b05b4527c5cafeb1f5cd5c21b3f475 |
SHA256: | 1da8b868bd5d60050d40adae98482f1310d3679948dd1cee7a1b4a8ef9a396f0 |
Tags: | exe, RAT, Remcos |
Detection
Remcos
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected Remcos RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match
Classification
- System is w10x64
cKAfpUFqZ7.exe (PID: 4720 cmdline: "C:\Users\user\Desktop\cKAfpUFqZ7.exe" MD5: 28D8408AD6AE09D1D703B0B8CA78D670)
sbietrcl.exe (PID: 7280 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe" MD5: B93D0E4262339620BAA9866CF0880980)
sbietrcl.exe (PID: 7324 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe" MD5: B93D0E4262339620BAA9866CF0880980)
sbietrcl.exe (PID: 7592 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe" MD5: B93D0E4262339620BAA9866CF0880980)
sbietrcl.exe (PID: 7684 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe" MD5: B93D0E4262339620BAA9866CF0880980)
sbietrcl.exe (PID: 7736 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe" MD5: B93D0E4262339620BAA9866CF0880980)
sbietrcl.exe (PID: 7772 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe" MD5: B93D0E4262339620BAA9866CF0880980)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. |
{"Host:Port:Password": "213.183.58.19:4000", "Assigned name": "Host", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_sccafsoidz", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "read.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "CastC"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
 | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | |
 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
 | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | |
 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
 | REMCOS_RAT_variants | unknown | unknown | |
 | Remcos_1 | Remcos Payload | kevoreilly | |
 | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group | |
 | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows exceutables potentially bypassing UAC using eventvwr.exe | ditekSHen | |