Source: Yara match |
File source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000010.00000002.1407193789.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000002.3619364298.000000000299F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000002.3618263040.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: tWitaq427K.exe PID: 7412, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: tWitaq427K.exe PID: 7964, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: znlzneAxBVd.exe PID: 3168, type: MEMORYSTR |
Source: Yara match |
File source: C:\ProgramData\remcos\logs.dat, type: DROPPED |
Source: Yara match |
File source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: tWitaq427K.exe PID: 7412, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: znlzneAxBVd.exe PID: 3168, type: MEMORYSTR |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 10_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 10_2_10006580 FindFirstFileExA, |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0044E879 FindFirstFileExA, |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0040783C FindFirstFileW,FindNextFileW, |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW, |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, |
Source: tWitaq427K.exe, 00000011.00000002.1416881594.00000000018ED000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2133552021.000000000178D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook) |
Source: tWitaq427K.exe, 00000011.00000002.1416881594.00000000018ED000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2133552021.000000000178D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo) |
Source: tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy) |
Source: tWitaq427K.exe, tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy) |
Source: tWitaq427K.exe |
String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook) |
Source: tWitaq427K.exe, 00000011.00000002.1415406769.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook) |
Source: tWitaq427K.exe, 00000011.00000002.1415406769.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo) |
Source: bhv6DEB.tmp.17.dr, bhv86CD.tmp.24.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: bhv6DEB.tmp.17.dr, bhv86CD.tmp.24.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B |
Source: tWitaq427K.exe, znlzneAxBVd.exe.2.dr |
String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q |
Source: tWitaq427K.exe, znlzneAxBVd.exe.2.dr |
String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t |
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.com/gsrsaovsslca2018.crl0j |
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G |
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.com/root.crl0G |
Source: bhv6DEB.tmp.17.dr, bhv86CD.tmp.24.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: bhv6DEB.tmp.17.dr, bhv86CD.tmp.24.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: bhv6DEB.tmp.17.dr, bhv86CD.tmp.24.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: tWitaq427K.exe, 0000000A.00000002.3618263040.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, znlzneAxBVd.exe |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: tWitaq427K.exe, 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, znlzneAxBVd.exe, 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, znlzneAxBVd.exe, 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: tWitaq427K.exe, znlzneAxBVd.exe.2.dr |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: bhv6DEB.tmp.17.dr, bhv86CD.tmp.24.dr |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.globalsign.com/gsrs |
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.globalsign.com/gsrsaovsslca20180V |
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.globalsign.com/rootr103 |
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp2.globalsign.com/rootr306 |
Source: tWitaq427K.exe, 00000002.00000002.1374656010.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, znlzneAxBVd.exe, 0000000B.00000002.1421753774.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://secure.globals |
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt07 |
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://smtp.yandex.com |
Source: Amcache.hve.32.dr |
String found in binary or memory: http://upx.sf.net |
Source: tWitaq427K.exe, tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.ebuddy.com |
Source: tWitaq427K.exe, tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.com |
Source: tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com |
Source: tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.comr |
Source: tWitaq427K.exe, 00000011.00000002.1415778138.00000000012F4000.00000004.00000010.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2131692171.0000000001134000.00000004.00000010.00020000.00000000.sdmp |
String found in binary or memory: http://www.nirsoft.net |
Source: tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.nirsoft.net/ |
Source: CCSJ.exe, 0000001C.00000000.3251132725.00000000008F2000.00000002.00000001.01000000.0000000E.sdmp, CCSJ.exe.10.dr |
String found in binary or memory: https://account.dyn.com/ |
Source: tWitaq427K.exe, 00000011.00000002.1416153381.0000000001610000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000011.00000002.1416881594.00000000018ED000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2132446707.0000000001368000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2133552021.000000000178D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com: |
Source: tWitaq427K.exe, 00000011.00000002.1416153381.0000000001610000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2132446707.0000000001368000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033 |
Source: tWitaq427K.exe, 00000011.00000002.1416153381.0000000001610000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2132446707.0000000001368000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live |
Source: tWitaq427K.exe |
String found in binary or memory: https://login.yahoo.com/config/login |
Source: tWitaq427K.exe, znlzneAxBVd.exe.2.dr |
String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0 |
Source: CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.globalsign.com/r |
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.globalsign.com/repository/0 |
Source: tWitaq427K.exe, tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: tWitaq427K.exe |
String found in binary or memory: https://www.google.com/accounts/servicelogin |
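Added example, not part of the sandbox report or of the sample: a Python triage pass over the "String found in binary or memory" rows above. It splits memory strings that were glued together with no separator into individual URLs, strips the DER tag and length byte that the string scanner appends to certificate URIs (".crl0t", ".com0", "/0" are the 0x30 SEQUENCE tag plus a length byte of the next element, not part of the URL), and sorts the result into certificate-chain noise (CRL, OCSP and AIA endpoints from the embedded Authenticode and TLS chains), strings worth pivoting on (geoplugin.net is the geolocation lookup Remcos is known to perform; smtp.yandex.com and account.dyn.com appear only in the dropped CCSJ.exe), the login URLs that the bundled NirSoft-style password-recovery code carries as harvest targets rather than as hosts the sample contacts (do not blocklist facebook.com on the strength of this report), and tool-provenance strings. The category names, host tables and sample rows are constructed for this example; the URLs themselves are copied from the page.

```python
"""Triage of the URL strings listed in a sandbox report (added example, not
part of the report). Separates certificate-chain noise from strings worth
pivoting on, and from the login URLs that a bundled password-recovery tool
carries as *targets* rather than as destinations the sample contacts."""
import re
from urllib.parse import urlsplit

# Constructed excerpt of the report's "String found in binary or memory" rows
# (the trailing " |" is the flattened-table delimiter used throughout the page).
SAMPLE_ROWS = [
    "String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t |",
    "String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B |",
    "String found in binary or memory: http://ocsp.comodoca.com0 |",
    "String found in binary or memory: http://geoplugin.net/json.gp/C |",
    "String found in binary or memory: http://smtp.yandex.com |",
    "String found in binary or memory: https://account.dyn.com/ |",
    "String found in binary or memory: http://www.nirsoft.net/ |",
    "String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033 |",
    "String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com |",
    "String found in binary or memory: http://upx.sf.net |",
]

ROW_PREFIX = "String found in binary or memory: "

# The hosts below are the ones that appear on this page; the category names are ours.
PKI_HOST = re.compile(r"^(crl\d*|ocsp\d*|cacerts|secure)\.")
PKI_SUFFIX = ("globalsign.com", "digicert.com", "comodoca.com")
PIVOT_HOSTS = {"geoplugin.net", "smtp.yandex.com", "account.dyn.com"}
CRED_TARGET_HOSTS = {"login.live.com", "www.facebook.com", "login.yahoo.com",
                     "www.google.com", "www.imvu.com", "www.ebuddy.com"}
TOOL_HOSTS = {"www.nirsoft.net", "upx.sf.net", "schemas.xmlsoap.org",
              "www.chiark.greenend.org.uk"}


def extract_urls(text):
    """Split a memory string into URLs. Strings pulled from memory are often
    glued together with no separator, so each URL runs until the next scheme
    (an embedded redirect_uri= parameter therefore splits too)."""
    return re.findall(r"https?://.*?(?=https?://|$)", text)


def strip_der_tail(url):
    """A URI inside an X.509 extension is followed in DER by the next element's
    tag byte 0x30 ('0') and a length byte, which the string scanner glues onto
    the URL (".crl0t", ".com0", "/0"). Strip that tail only when what remains
    still ends in a PKI-looking suffix; names ending in digits (...ca2018 + "0V")
    are left alone and need a manual look."""
    m = re.match(r"^(.*?(?:\.crl|\.crt|\.com|/))0[ -~]?$", url)
    return m.group(1) if m else url


def classify(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if PKI_HOST.match(host) or host.endswith(PKI_SUFFIX) or path.endswith((".crl", ".crt")):
        return "pki"                # CRL/OCSP/AIA from the embedded certificate chain
    if host in PIVOT_HOSTS:
        return "pivot"              # infrastructure the sample may actually talk to
    if host in CRED_TARGET_HOSTS:
        return "credential-target"  # sites the bundled stealer harvests, not C2
    if host in TOOL_HOSTS:
        return "tool-artifact"      # packer / third-party tool provenance strings
    return "other"


def triage(rows):
    """Map each category to the sorted, de-duplicated URLs found in the rows."""
    buckets = {}
    for row in rows:
        row = row.rstrip(" |")
        if not row.startswith(ROW_PREFIX):
            continue
        for url in extract_urls(row[len(ROW_PREFIX):]):
            url = strip_der_tail(url)
            buckets.setdefault(classify(url), set()).add(url)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for category, urls in sorted(triage(SAMPLE_ROWS).items()):
        print(category)
        for u in urls:
            print("   ", u)
```

Run on the constructed rows, only the three "pivot" hosts survive as network indicators; everything under crl., ocsp. and cacerts. is the signing chain, and the login URLs land in the credential-target bucket.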
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 19_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 19_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, |
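Added example, not part of the report or of the sample: a Python capability tagger for the "Code function" rows above, covering both the file-enumeration chains (FindFirstFile/FindNextFile) and the clipboard chains. It folds the A/W/Ex API variants and then tags each function by its API sequence rather than by single imports: FindFirstFile/FindNextFile alone is enumeration, the same loop with DeleteFile or RemoveDirectory after the FindFirstFile is a recursive delete (as in 16_2_0041C291 and 16_2_0040BB30), GetClipboardData is a clipboard read and SetClipboardData a write (16_2_004168C1 does both; 17_2_004098E2 reads a file straight into the clipboard). The tag names, the rule table and the sample rows are constructed here; the function ids and API lists are copied from the page.

```python
"""Capability tagging for the "Code function: <id> <api,api,...>," rows of a
sandbox report (added example, not part of the report). The API sequence is
what carries meaning: FindFirstFile/FindNextFile alone is enumeration, the
same loop with DeleteFile/RemoveDirectory inside it is a recursive wipe, and
clipboard access splits into read (GetClipboardData) and write
(SetClipboardData). The tag names are ours, not the sandbox's."""
import re

# Constructed excerpt of the report rows; a "Source:" row precedes each function.
SAMPLE_ROWS = [
    "Source: C:\\Users\\user\\AppData\\Roaming\\znlzneAxBVd.exe |",
    "Code function: 16_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,"
    "SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |",
    "Source: C:\\Users\\user\\AppData\\Roaming\\znlzneAxBVd.exe |",
    "Code function: 16_2_0040783C FindFirstFileW,FindNextFileW, |",
    "Source: C:\\Users\\user\\AppData\\Roaming\\znlzneAxBVd.exe |",
    "Code function: 16_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,"
    "GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,"
    "GlobalLock,GlobalUnlock,CloseClipboard, |",
    "Source: C:\\Users\\user\\Desktop\\tWitaq427K.exe |",
    "Code function: 17_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,"
    "ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,"
    "CloseClipboard, |",
    "Source: C:\\Users\\user\\Desktop\\tWitaq427K.exe |",
    "Code function: 10_2_10006580 FindFirstFileExA, |",
]

FUNC_RE = re.compile(r"^Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]+)(?: (?P<apis>.*))?$")

# (tag, APIs that must all be present, APIs of which at least one must occur
#  *after* the first required API; an empty set means no ordering requirement)
CAPABILITIES = [
    ("file-enumeration", {"FindFirstFile"}, set()),
    ("directory-walk", {"FindFirstFile", "FindNextFile"}, set()),
    ("recursive-delete", {"FindFirstFile"}, {"DeleteFile", "RemoveDirectory"}),
    ("attribute-tamper", {"SetFileAttributes"}, set()),
    ("clipboard-write", {"SetClipboardData"}, set()),
    ("clipboard-read", {"GetClipboardData"}, set()),
    ("file-to-clipboard", {"ReadFile", "SetClipboardData"}, set()),
]


def normalize_api(name):
    """Fold charset/Ex variants: FindFirstFileExA, FindFirstFileW -> FindFirstFile.
    Heuristic: a trailing upper-case A or W is assumed to be a charset suffix."""
    return re.sub(r"(Ex)?[AW]$", "", name)


def tag_sequence(apis):
    """Tags for one call sequence, honouring the ordering rules above."""
    seq = [normalize_api(a) for a in apis]
    present = set(seq)
    tags = []
    for tag, required, after in CAPABILITIES:
        if not required <= present:
            continue
        if after:
            anchor = min(seq.index(a) for a in required)
            if not any(a in seq[anchor + 1:] for a in after):
                continue
        tags.append(tag)
    return sorted(tags)


def tag_rows(rows):
    """Return {function id: {'source': image path, 'apis': [...], 'tags': [...]}}."""
    result, source = {}, None
    for row in rows:
        row = row.rstrip(" |")
        if row.startswith("Source: "):
            source = row[len("Source: "):]
            continue
        m = FUNC_RE.match(row)
        if not m:
            continue
        apis = [a for a in (m.group("apis") or "").split(",") if a]
        result[m.group("fid")] = {"source": source, "apis": apis, "tags": tag_sequence(apis)}
    return result


def by_tag(tagged):
    """Invert to {tag: sorted function ids} for a quick capability overview."""
    out = {}
    for fid, info in tagged.items():
        for tag in info["tags"]:
            out.setdefault(tag, []).append(fid)
    return {t: sorted(f) for t, f in out.items()}


if __name__ == "__main__":
    tagged = tag_rows(SAMPLE_ROWS)
    for fid, info in tagged.items():
        print(fid, info["source"].rsplit("\\", 1)[-1], ", ".join(info["tags"]))
    print(by_tag(tagged))
```

The ordering rule matters: a DeleteFile that precedes the FindFirstFile is a single deletion, not a directory wipe, and the tagger only reports "recursive-delete" when the delete sits inside the enumeration loop.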
Source: Yara match |
File source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000010.00000002.1407193789.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000002.3619364298.000000000299F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000002.3618263040.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: tWitaq427K.exe PID: 7412, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: tWitaq427K.exe PID: 7964, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: znlzneAxBVd.exe PID: 3168, type: MEMORYSTR |
Source: Yara match |
File source: C:\ProgramData\remcos\logs.dat, type: DROPPED |
Source: 28.0.CCSJ.exe.8f0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: tWitaq427K.exe PID: 7412, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: znlzneAxBVd.exe PID: 3168, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe, type: DROPPED |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
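Added example, not part of the report or of the sample: a Python pass over the "Source: ... | Matched rule: ..." pairs above that groups rules by artifact and decodes the .sdmp memory-dump names the MEMORY hits point at. The dump-name layout is an assumption inferred from the values on this page, not documented here: the first two fields are the process and snapshot index in hex (00000010.00000002 is the same process and snapshot as the "16.2.znlzneAxBVd.exe..." unpack names, and 0000001C.00000000 matches "28.0.CCSJ.exe..."), the fourth is the region base, the fifth the page protection and the seventh the region type, both using the MEMORY_BASIC_INFORMATION constants from the Windows SDK; the remaining fields are left undecoded. Under that reading the region the Remcos rules hit in process 16 is base 0x400000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE: executable, sitting at a typical image base, yet not backed by an image section, which is the footprint of a hollowed or manually mapped payload, whereas the CCSJ.exe hit at 0x8F2000 is PAGE_READONLY, MEM_IMAGE, a normally loaded module. The sample rows are constructed from names on this page.

```python
"""Group the "Source: ... | Matched rule: ..." rows of a sandbox report by
artifact and decode the .sdmp memory-dump names the MEMORY hits refer to
(added example, not part of the report). The question it answers: does a
Remcos rule fire on a region that looks like an injected payload?"""
import re

# Constructed excerpt of the report rows; the names are copied from this page.
SAMPLE_ROWS = [
    "Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE |",
    "Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |",
    "Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE |",
    "Matched rule: REMCOS_RAT_variants Author: unknown |",
    "Source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |",
    "Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |",
    "Source: 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |",
    "Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |",
    "Source: 28.0.CCSJ.exe.8f0000.0.unpack, type: UNPACKEDPE |",
    "Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |",
    "Source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR |",
    "Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |",
]

SOURCE_RE = re.compile(r"^Source: (?P<source>.+), type: (?P<type>\w+)$")
RULE_RE = re.compile(r"^Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$")

# MEMORY_BASIC_INFORMATION.Protect / .Type constants from the Windows SDK.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0xF0  # every PAGE_EXECUTE* value is 0x10, 0x20, 0x40 or 0x80


def parse_matches(rows):
    """Pair each 'Source' row with the 'Matched rule' row that follows it."""
    matches, pending = [], None
    for row in rows:
        row = row.rstrip(" |")
        m = SOURCE_RE.match(row)
        if m:
            pending = m.groupdict()
            continue
        m = RULE_RE.match(row)
        if m and pending:
            matches.append({**pending, **m.groupdict()})
            pending = None
    return matches


def rules_by_source(matches):
    """{artifact name: sorted rule names} so multi-rule hits stand out."""
    out = {}
    for m in matches:
        out.setdefault(m["source"], set()).add(m["rule"])
    return {k: sorted(v) for k, v in out.items()}


def decode_dump(name):
    """Decode '<proc>.<snap>.<id>.<base>.<protect>.<f6>.<type>.<f8>.sdmp'.
    ASSUMPTION: this field layout is inferred from the values on the page
    (0x400000 / 0x40 / 0x20000 on the region the Remcos rules hit, 0x8F2000 /
    0x02 / 0x1000000 on the loaded CCSJ.exe image); fields 3, 6 and 8 are
    not interpreted. Returns None for anything that is not a dump name."""
    parts = name.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        return None
    protect, mtype = int(parts[4], 16), int(parts[6], 16)
    return {
        "process": int(parts[0], 16),
        "snapshot": int(parts[1], 16),
        "base": int(parts[3], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "type": MEM_TYPE.get(mtype, hex(mtype)),
        "executable": bool(protect & EXEC_MASK),
    }


def flag_injected(matches):
    """MEMORY hits whose region is executable yet not backed by an image
    section: the footprint of process hollowing or manual mapping."""
    flagged = {}
    for m in matches:
        if m["type"] != "MEMORY":
            continue
        info = decode_dump(m["source"])
        if info and info["executable"] and info["type"] != "MEM_IMAGE":
            flagged[m["source"]] = info
    return flagged


if __name__ == "__main__":
    matches = parse_matches(SAMPLE_ROWS)
    for source, rules in rules_by_source(matches).items():
        print(source, "->", ", ".join(rules))
    for name, info in flag_injected(matches).items():
        print("injected-looking region: process", info["process"],
              hex(info["base"]), info["protect"], info["type"])
```

Of the two MEMORY hits in the constructed rows only the process-16 region at 0x400000 is flagged; the 0x3B4C000 region in process 11 is PAGE_READWRITE, a staging buffer holding the payload before it is mapped, and the PID-based MEMORYSTR sources carry no region metadata at all.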
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 2_2_011ED5BC |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 2_2_05220006 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 2_2_05220040 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 2_2_0522F6BF |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 2_2_0522F6D0 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 2_2_052AEF00 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 10_2_10017194 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 10_2_1000B5C1 |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 11_2_0104D5BC |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0043E0CC |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0041F0FA |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00454159 |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00438168 |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_004461F0 |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0043E2FB |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0045332B |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0042739D |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_004374E6 |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0043E558 |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00438770 |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_004378FE |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00433946 |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0044D9C9 |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00427A46 |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0041DB62 |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00427BAF |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00437D33 |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00435E5E |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00426E0E |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_0043DE9D |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00413FCA |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: 16_2_00436FEA |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_0044B040 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_0043610D |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_00447310 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_0044A490 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_0040755A |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_0043C560 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_0044B610 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_0044D6C0 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_004476F0 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_0044B870 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_0044081D |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_00414957 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_004079EE |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_00407AEB |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_0044AA80 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_00412AA9 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_00404B74 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_00404B03 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_0044BBD8 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_00404BE5 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_00404C76 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_00415CFE |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_00416D72 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_00446D30 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_00446D8B |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 17_2_00406E8F |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_00405038 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_0041208C |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_004050A9 |
18_2_004050A9 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_0040511A |
18_2_0040511A |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_0043C13A |
18_2_0043C13A |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_004051AB |
18_2_004051AB |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_00449300 |
18_2_00449300 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_0040D322 |
18_2_0040D322 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_0044A4F0 |
18_2_0044A4F0 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_0043A5AB |
18_2_0043A5AB |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_00413631 |
18_2_00413631 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_00446690 |
18_2_00446690 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_0044A730 |
18_2_0044A730 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_004398D8 |
18_2_004398D8 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_004498E0 |
18_2_004498E0 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_0044A886 |
18_2_0044A886 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_0043DA09 |
18_2_0043DA09 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_00438D5E |
18_2_00438D5E |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_00449ED0 |
18_2_00449ED0 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_0041FE83 |
18_2_0041FE83 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 18_2_00430F54 |
18_2_00430F54 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 19_2_004050C2 |
19_2_004050C2 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 19_2_004014AB |
19_2_004014AB |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 19_2_00405133 |
19_2_00405133 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 19_2_004051A4 |
19_2_004051A4 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 19_2_00401246 |
19_2_00401246 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 19_2_0040CA46 |
19_2_0040CA46 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 19_2_00405235 |
19_2_00405235 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 19_2_004032C8 |
19_2_004032C8 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 19_2_00401689 |
19_2_00401689 |
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: 19_2_00402F60 |
19_2_00402F60 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_01079370 |
28_2_01079370 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_01079B28 |
28_2_01079B28 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_01074A98 |
28_2_01074A98 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_0107CDB0 |
28_2_0107CDB0 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_01073E80 |
28_2_01073E80 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_010741C8 |
28_2_010741C8 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_05738C6C |
28_2_05738C6C |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_0573DCE8 |
28_2_0573DCE8 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_0573BCD0 |
28_2_0573BCD0 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_05739AB8 |
28_2_05739AB8 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_05733F38 |
28_2_05733F38 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_05734FD8 |
28_2_05734FD8 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_057356B8 |
28_2_057356B8 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_05730040 |
28_2_05730040 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_05733230 |
28_2_05733230 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe |
Code function: 28_2_05732AF0 |
28_2_05732AF0 |
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: String function: 00434E10 appears 54 times |
|
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: String function: 00402093 appears 50 times |
|
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: String function: 00434770 appears 41 times |
|
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe |
Code function: String function: 00401E65 appears 34 times |
|
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: String function: 004169A7 appears 87 times |
|
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: String function: 0044DB70 appears 41 times |
|
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: String function: 004165FF appears 35 times |
|
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: String function: 00422297 appears 42 times |
|
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: String function: 00444B5A appears 37 times |
|
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: String function: 00413025 appears 79 times |
|
Source: C:\Users\user\Desktop\tWitaq427K.exe |
Code function: String function: 00416760 appears 69 times |
|
Source: tWitaq427K.exe, 00000002.00000002.1388033148.0000000005550000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameRT.dll. vs tWitaq427K.exe |
Source: tWitaq427K.exe, 00000002.00000002.1373262134.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs tWitaq427K.exe |
Source: tWitaq427K.exe, 00000002.00000002.1374656010.0000000002C71000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameRT.dll. vs tWitaq427K.exe |
Source: tWitaq427K.exe, 00000002.00000002.1388460595.0000000005FF0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameTyrone.dll8 vs tWitaq427K.exe |
Source: tWitaq427K.exe, 0000000A.00000002.3618904447.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamef408fa6d-534c-b vs tWitaq427K.exe |
Source: tWitaq427K.exe, 0000000A.00000002.3618904447.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamef408fa6d-52 vs tWitaq427K.exe |
Source: tWitaq427K.exe, 0000000A.00000002.3618263040.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamef408fa6d-534c-47bb-b201-cbe01ca64650.exe4 vs tWitaq427K.exe |
Source: tWitaq427K.exe |
Binary or memory string: OriginalFileName vs tWitaq427K.exe |
Source: tWitaq427K.exe, 00000013.00000002.1402130022.000000000041B000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenamemspass.exe8 vs tWitaq427K.exe |
Source: tWitaq427K.exe |
Binary or memory string: OriginalFilenameiUuK.exen' vs tWitaq427K.exe |
Source: 28.0.CCSJ.exe.8f0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: tWitaq427K.exe PID: 7412, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: znlzneAxBVd.exe PID: 3168, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe, type: DROPPED |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: CCSJ.exe.10.dr, slKb.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: CCSJ.exe.10.dr, mAKJ.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: CCSJ.exe.10.dr, xQRSe0Fg.cs |
Cryptographic APIs: 'CreateDecryptor', 'TransformBlock' |
Source: CCSJ.exe.10.dr, n3rhMa.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: CCSJ.exe.10.dr, MQzE4FWn.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: CCSJ.exe.10.dr, nSmgRyX5a1.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: CCSJ.exe.10.dr, 6IMLmJtk.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: CCSJ.exe.10.dr, 6IMLmJtk.cs |
Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: CCSJ.exe.10.dr, 3HroK7qN.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: CCSJ.exe.10.dr, 3HroK7qN.cs |
Cryptographic APIs: 'TransformFinalBlock' |