Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\1vQ6RSHmz5.exe

"C:\Users\user\Desktop\1vQ6RSHmz5.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6664
Target ID:	0
Parent PID:	4056
Name:	1vQ6RSHmz5.exe
Path:	C:\Users\user\Desktop\1vQ6RSHmz5.exe
Commandline:	"C:\Users\user\Desktop\1vQ6RSHmz5.exe"
Size:	24576
MD5:	566705AFEB33D5A977708328CDA48F1C
Time:	02:24:37
Date:	02/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	24576
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary contains paths to development resources	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6856
Target ID:	2
Parent PID:	6664
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:	"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Size:	828368
MD5:	6F0F06D6AB125A99E43335427066A4A1
Time:	02:24:39
Date:	02/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xdd0000
Modulesize:	835584
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample uses process hollowing technique	HIPS / PFW / Operating System Protection Evasion	Shared Modules Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

URLs

Name

Malicious

narutochwan.duckdns.org

Details

Name:	narutochwan.duckdns.org
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\1vQ6RSHmz5.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

http://176.223.134.190/

unknown

http://geoplugin.net/json.gp

unknown

http://176.223.134.190/:D

unknown

http://176.223.134.190/x/re.txt__vbaFreeVarList__vbaObjVarjC:

unknown

http://176.223.134.190/x/re.txt

unknown

Details

Name:	http://176.223.134.190/x/re.txt
TargetID:	-1
From Memory:	true
Source:	1vQ6RSHmz5.exe, 1vQ6RSHmz5.exe, 00000000.00000003.1239052882.000000000048B000.00000004.00000020.00020000.00000000.sdmp, 1vQ6RSHmz5.exe, 00000000.00000002.1240839275.000000000043E000.00000004.00000020.00020000.00000000.sdmp, 1vQ6RSHmz5.exe, 00000000.00000003.1239123601.000000000048D000.00000004.00000020.00020000.00000000.sdmp, 1vQ6RSHmz5.exe, 00000000.00000002.1240979742.000000000048F000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://geoplugin.net/json.gp/C

unknown

http://176.223.134.190:80/x/re.txt

unknown

http://176.223.134.190/mD

unknown

Domains

Name

Malicious

narutochwan.duckdns.org

91.92.242.76

Details

Name:	narutochwan.duckdns.org
IP:	91.92.242.76
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

91.92.242.76

narutochwan.duckdns.org

Bulgaria

Details

IP:	91.92.242.76
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	34368
ASN name:	THEZONEBG
Private:	false
Domain:	narutochwan.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

176.223.134.190

unknown

Lithuania

Details

IP:	176.223.134.190
TargetID:	0
Current Path:	C:\Users\user\Desktop\1vQ6RSHmz5.exe
Country:	Lithuania
Countrycode:	LTU
ASN number:	62282
ASN name:	RACKRAYUABRakrejusLT
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Rmc-1VT363

exepath

HKEY_CURRENT_USER\SOFTWARE\Rmc-1VT363

licence

HKEY_CURRENT_USER\SOFTWARE\Rmc-1VT363

time

Memdumps

Base Address

Regiontype

Protect

Malicious

C4B000

heap

page read and write

3051000

heap

page read and write

400000

remote allocation

page execute and read and write

453000

heap

page read and write

C00000

heap

page read and write

2080000

heap

page read and write

77E000

stack

page read and write

299E000

stack

page read and write

2070000

heap

page read and write

43A000

heap

page read and write

410000

heap

page read and write

48B000

heap

page read and write

2860000

heap

page read and write

73F000

stack

page read and write

51A000

heap

page read and write

2100000

remote allocation

page read and write

BB0000

heap

page read and write

430000

heap

page read and write

2120000

trusted library allocation

page read and write

2100000

remote allocation

page read and write

9B000

stack

page read and write

49E000

heap

page read and write

BFE000

stack

page read and write

3141000

heap

page read and write

329F000

stack

page read and write

29DE000

stack

page read and write

401000

unkown

page execute read

B40000

heap

page read and write

4A3000

heap

page read and write

474000

heap

page read and write

400000

unkown

page readonly

77C000

stack

page read and write

2040000

trusted library allocation

page execute read

87F000

stack

page read and write

2C00000

heap

page read and write

420000

heap

page read and write

2F4E000

stack

page read and write

512F000

stack

page read and write

400000

unkown

page readonly

51A000

heap

page read and write

2B2E000

stack

page read and write

46E000

heap

page read and write

B3E000

stack

page read and write

3050000

heap

page read and write

20D0000

heap

page read and write

2F0F000

stack

page read and write

1E0000

heap

page read and write

2A1E000

stack

page read and write

2110000

heap

page read and write

474000

heap

page read and write

2A29000

heap

page read and write

48B000

heap

page read and write

49E000

heap

page read and write

48B000

heap

page read and write

46B000

heap

page read and write

1E5000

heap

page read and write

404000

unkown

page read and write

518000

heap

page read and write

32B0000

direct allocation

page execute and read and write

45D000

heap

page read and write

4A0F000

stack

page read and write

20C0000

heap

page read and write

AFC000

stack

page read and write

46B000

heap

page read and write

43E000

heap

page read and write

304F000

stack

page read and write

49E000

heap

page read and write

DBE000

stack

page read and write

48D000

heap

page read and write

51A000

heap

page read and write

401000

unkown

page execute read

C40000

heap

page read and write

474000

remote allocation

page execute and read and write

453000

heap

page read and write

319E000

stack

page read and write

7E0000

heap

page read and write

502F000

stack

page read and write

2E0F000

stack

page read and write

48F000

heap

page read and write

405000

unkown

page readonly

470000

heap

page read and write

4A4000

heap

page read and write

474000

heap

page read and write

4A4E000

stack

page read and write

45A000

heap

page read and write

7F0000

heap

page readonly

2D0D000

stack

page read and write

44C000

heap

page read and write

2A20000

heap

page read and write

405000

unkown

page readonly

2B6E000

stack

page read and write

478000

remote allocation

page execute and read and write

306F000

stack

page read and write

19C000

stack

page read and write

4AE0000

heap

page read and write

518000

heap

page read and write

63E000

stack

page read and write

BB5000

heap

page read and write

2100000

remote allocation

page read and write

There are 89 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
1vQ6RSHmz5.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report1vQ6RSHmz5.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
1vQ6RSHmz5.exe