Windows Analysis Report
jcXViWLNuc.exe

Overview

General Information

Sample name:	jcXViWLNuc.exe renamed because original name is a hash value
Original sample name:	a8ca71060dae68d7ae75ea3156301407.exe
Analysis ID:	1465914
MD5:	a8ca71060dae68d7ae75ea3156301407
SHA1:	9e116e2ce2a01fdbc2587725fa5261b26758fc77
SHA256:	9701b7e2c0cd3f562f2b817e94993309429963d2cec3424e7f77345f31ded0ae
Tags:	32exetrojan
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after accessing registry keys)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: jcXViWLNuc.exe

Avira: detected

Found malware configuration

Source: 1.2.jcXViWLNuc.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": "127.0.0.1:2404", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MG8NXC", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for submitted file

Source: jcXViWLNuc.exe	Virustotal: Detection: 79%			Perma Link
Source: jcXViWLNuc.exe	ReversingLabs: Detection: 84%

Yara detected Remcos RAT

Source: Yara match	File source: jcXViWLNuc.exe, type: SAMPLE
Source: Yara match	File source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jcXViWLNuc.exe PID: 7836, type: MEMORYSTR

Machine Learning detection for sample

Source: jcXViWLNuc.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0042B19B CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

1_2_0042B19B

Source: jcXViWLNuc.exe, 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_fb53869e-d

Uses 32bit PE files

Source: jcXViWLNuc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004081F9 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_2_004081F9
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004072E5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_2_004072E5
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041474A FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	1_2_0041474A
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00407733 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_2_00407733
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00440A49 FindFirstFileExA,	1_2_00440A49
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00404CF3 FindFirstFileW,FindNextFileW,	1_2_00404CF3
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00405C8E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	1_2_00405C8E
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00407FDE FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	1_2_00407FDE

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0040511A SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

1_2_0040511A

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 127.0.0.1

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0040F4A7 SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow,ShowWindow,

1_2_0040F4A7

Source: jcXViWLNuc.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: jcXViWLNuc.exe	String found in binary or memory: http://geoplugin.net/json.gp/C

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_0040F4A7

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_0040F4A7

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_0040F4A7

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: jcXViWLNuc.exe, type: SAMPLE
Source: Yara match	File source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jcXViWLNuc.exe PID: 7836, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_00414D34 SystemParametersInfoW,

1_2_00414D34

System Summary

Malicious sample detected (through community Yara rule)

Source: jcXViWLNuc.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00414085 OpenProcess,NtSuspendProcess,CloseHandle,		1_2_00414085
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004140B1 OpenProcess,NtResumeProcess,CloseHandle,		1_2_004140B1

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_0040F4A7

Detected potential crypto function

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041601F	1_2_0041601F
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00431217	1_2_00431217
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042E220	1_2_0042E220
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042B2A6	1_2_0042B2A6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0044B470	1_2_0044B470
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004304CE	1_2_004304CE
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004454FB	1_2_004454FB
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041F488	1_2_0041F488
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0040F4A7	1_2_0040F4A7
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004175D6	1_2_004175D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0043164C	1_2_0043164C
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0043B680	1_2_0043B680
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004476B8	1_2_004476B8
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042D76E	1_2_0042D76E
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0043680C	1_2_0043680C
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004309CA	1_2_004309CA
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0040D9A0	1_2_0040D9A0
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00436A3B	1_2_00436A3B
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041FB26	1_2_0041FB26
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041FC69	1_2_0041FC69
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00445C19	1_2_00445C19
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00430DE2	1_2_00430DE2
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041EF91	1_2_0041EF91

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: String function: 0042BE33 appears 34 times
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: String function: 0042C720 appears 50 times

Uses 32bit PE files

Source: jcXViWLNuc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: jcXViWLNuc.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@2/1@0/1

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_00410D25 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

1_2_00410D25

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0040A7FF CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_0040A7FF

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_00413B3A FindResourceA,LoadResource,LockResource,SizeofResource,

1_2_00413B3A

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0041311D OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_0041311D

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-MG8NXC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: \~F	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: \~F	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: Software\	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: Rmc-MG8NXC	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: Exe	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: Exe	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: licence	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: Administrator	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: User	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: del	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: del	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: del	1_2_0040A1D6

Source: jcXViWLNuc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: jcXViWLNuc.exe	Virustotal: Detection: 79%
Source: jcXViWLNuc.exe	ReversingLabs: Detection: 84%

Source: unknown	Process created: C:\Users\user\Desktop\jcXViWLNuc.exe "C:\Users\user\Desktop\jcXViWLNuc.exe"
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: mswsock.dll	Jump to behavior

Source: jcXViWLNuc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jcXViWLNuc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jcXViWLNuc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jcXViWLNuc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jcXViWLNuc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jcXViWLNuc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: jcXViWLNuc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: jcXViWLNuc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jcXViWLNuc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jcXViWLNuc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jcXViWLNuc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jcXViWLNuc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_00414EA2 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

1_2_00414EA2

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0044A5D6 push ecx; ret	1_2_0044A5E9
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042C766 push ecx; ret	1_2_0042C779
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0044AE38 push eax; ret	1_2_0044AE56

Contains functionality to download and launch executables

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_00404A3B ShellExecuteW,URLDownloadToFileW,

1_2_00404A3B

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0041311D OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_0041311D

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_00414EA2

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0040A6C0 Sleep,ExitProcess,

1_2_0040A6C0

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

1_2_00412E4B

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Window / User API: threadDelayed 4086			Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Window / User API: threadDelayed 5862			Jump to behavior

Found evasive API chain (may stop execution after accessing registry keys)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\jcXViWLNuc.exe TID: 7896	Thread sleep time: -12258000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe TID: 7896	Thread sleep time: -17586000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004081F9 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_2_004081F9
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004072E5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_2_004072E5
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041474A FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	1_2_0041474A
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00407733 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_2_00407733
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00440A49 FindFirstFileExA,	1_2_00440A49
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00404CF3 FindFirstFileW,FindNextFileW,	1_2_00404CF3
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00405C8E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	1_2_00405C8E
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00407FDE FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	1_2_00407FDE

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0040511A SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

1_2_0040511A

Source: jcXViWLNuc.exe, 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_004320EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_004320EC

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_00414EA2

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_004389B4 mov eax, dword ptr fs:[00000030h]

1_2_004389B4

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0040CB6C SetLastError,GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,

1_2_0040CB6C

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004320EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004320EC
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042C52B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0042C52B
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042C6BD SetUnhandledExceptionFilter,	1_2_0042C6BD
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042C8EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0042C8EC

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_004124EF mouse_event,

1_2_004124EF

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0042C37B cpuid

1_2_0042C37B

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: EnumSystemLocalesW,	1_2_0044416B
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: EnumSystemLocalesW,	1_2_00444120
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: EnumSystemLocalesW,	1_2_00444206
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_00444293
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetLocaleInfoW,	1_2_0043D31C
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetLocaleInfoW,	1_2_004444E3
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_0044460C
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetLocaleInfoW,	1_2_00444713
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetLocaleInfoA,	1_2_0040A7D3
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_004447E0
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_00443EA8
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: EnumSystemLocalesW,	1_2_0043CEB5

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_00413B81 GetLocalTime,

1_2_00413B81

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_00413C9F CreateThread,GetComputerNameExW,GetUserNameW,

1_2_00413C9F

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: jcXViWLNuc.exe, type: SAMPLE
Source: Yara match	File source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jcXViWLNuc.exe PID: 7836, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

1_2_00407EC0

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		1_2_00407FDE
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: \key3.db		1_2_00407FDE

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MG8NXC

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: jcXViWLNuc.exe, type: SAMPLE
Source: Yara match	File source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jcXViWLNuc.exe PID: 7836, type: MEMORYSTR

Contains functionality to launch a control a shell (cmd.exe)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: cmd.exe

1_2_00403B0B

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
127.0.0.1	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: jcXViWLNuc.exe

Avira: detected

Found malware configuration

Source: 1.2.jcXViWLNuc.exe.400000.0.unpack

Multi AV Scanner detection for submitted file

Source: jcXViWLNuc.exe	Virustotal: Detection: 79%			Perma Link
Source: jcXViWLNuc.exe	ReversingLabs: Detection: 84%

Yara detected Remcos RAT

Source: Yara match	File source: jcXViWLNuc.exe, type: SAMPLE
Source: Yara match	File source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jcXViWLNuc.exe PID: 7836, type: MEMORYSTR

Machine Learning detection for sample

Source: jcXViWLNuc.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0042B19B CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

1_2_0042B19B

Source: jcXViWLNuc.exe, 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_fb53869e-d

Uses 32bit PE files

Source: jcXViWLNuc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004081F9 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_2_004081F9
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004072E5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_2_004072E5
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041474A FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	1_2_0041474A
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00407733 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_2_00407733
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00440A49 FindFirstFileExA,	1_2_00440A49
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00404CF3 FindFirstFileW,FindNextFileW,	1_2_00404CF3
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00405C8E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	1_2_00405C8E
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00407FDE FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	1_2_00407FDE

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0040511A SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

1_2_0040511A

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 127.0.0.1

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_0040F4A7

Source: jcXViWLNuc.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: jcXViWLNuc.exe	String found in binary or memory: http://geoplugin.net/json.gp/C

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_0040F4A7

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_0040F4A7

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_0040F4A7

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: jcXViWLNuc.exe, type: SAMPLE
Source: Yara match	File source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jcXViWLNuc.exe PID: 7836, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_00414D34 SystemParametersInfoW,

1_2_00414D34

System Summary

Malicious sample detected (through community Yara rule)

Source: jcXViWLNuc.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00414085 OpenProcess,NtSuspendProcess,CloseHandle,		1_2_00414085
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004140B1 OpenProcess,NtResumeProcess,CloseHandle,		1_2_004140B1

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_0040F4A7

Detected potential crypto function

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041601F	1_2_0041601F
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00431217	1_2_00431217
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042E220	1_2_0042E220
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042B2A6	1_2_0042B2A6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0044B470	1_2_0044B470
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004304CE	1_2_004304CE
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004454FB	1_2_004454FB
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041F488	1_2_0041F488
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0040F4A7	1_2_0040F4A7
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004175D6	1_2_004175D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0043164C	1_2_0043164C
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0043B680	1_2_0043B680
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004476B8	1_2_004476B8
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042D76E	1_2_0042D76E
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0043680C	1_2_0043680C
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004309CA	1_2_004309CA
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0040D9A0	1_2_0040D9A0
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00436A3B	1_2_00436A3B
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041FB26	1_2_0041FB26
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041FC69	1_2_0041FC69
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00445C19	1_2_00445C19
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00430DE2	1_2_00430DE2
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041EF91	1_2_0041EF91

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: String function: 0042BE33 appears 34 times
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: String function: 0042C720 appears 50 times

Uses 32bit PE files

Source: jcXViWLNuc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: jcXViWLNuc.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@2/1@0/1

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_00410D25 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

1_2_00410D25

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0040A7FF CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_0040A7FF

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_00413B3A FindResourceA,LoadResource,LockResource,SizeofResource,

1_2_00413B3A

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0041311D OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_0041311D

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-MG8NXC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: \~F	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: \~F	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: Software\	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: Rmc-MG8NXC	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: Exe	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: Exe	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: licence	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: Administrator	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: User	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: del	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: del	1_2_0040A1D6
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Command line argument: del	1_2_0040A1D6

Source: jcXViWLNuc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: jcXViWLNuc.exe	Virustotal: Detection: 79%
Source: jcXViWLNuc.exe	ReversingLabs: Detection: 84%

Source: unknown	Process created: C:\Users\user\Desktop\jcXViWLNuc.exe "C:\Users\user\Desktop\jcXViWLNuc.exe"
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Section loaded: mswsock.dll	Jump to behavior

Source: jcXViWLNuc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jcXViWLNuc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jcXViWLNuc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jcXViWLNuc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jcXViWLNuc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jcXViWLNuc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: jcXViWLNuc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: jcXViWLNuc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jcXViWLNuc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jcXViWLNuc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jcXViWLNuc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jcXViWLNuc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_00414EA2

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0044A5D6 push ecx; ret	1_2_0044A5E9
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042C766 push ecx; ret	1_2_0042C779
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0044AE38 push eax; ret	1_2_0044AE56

Contains functionality to download and launch executables

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_00404A3B ShellExecuteW,URLDownloadToFileW,

1_2_00404A3B

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0041311D OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_0041311D

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_00414EA2

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0040A6C0 Sleep,ExitProcess,

1_2_0040A6C0

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

1_2_00412E4B

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Window / User API: threadDelayed 4086			Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Window / User API: threadDelayed 5862			Jump to behavior

Found evasive API chain (may stop execution after accessing registry keys)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\jcXViWLNuc.exe TID: 7896	Thread sleep time: -12258000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\jcXViWLNuc.exe TID: 7896	Thread sleep time: -17586000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004081F9 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_2_004081F9
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004072E5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_2_004072E5
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0041474A FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	1_2_0041474A
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00407733 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	1_2_00407733
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00440A49 FindFirstFileExA,	1_2_00440A49
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00404CF3 FindFirstFileW,FindNextFileW,	1_2_00404CF3
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00405C8E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	1_2_00405C8E
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_00407FDE FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	1_2_00407FDE

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0040511A SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

1_2_0040511A

Source: jcXViWLNuc.exe, 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_004320EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_004320EC

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

1_2_00414EA2

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_004389B4 mov eax, dword ptr fs:[00000030h]

1_2_004389B4

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0040CB6C SetLastError,GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,

1_2_0040CB6C

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_004320EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004320EC
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042C52B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0042C52B
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042C6BD SetUnhandledExceptionFilter,	1_2_0042C6BD
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: 1_2_0042C8EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0042C8EC

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_004124EF mouse_event,

1_2_004124EF

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_0042C37B cpuid

1_2_0042C37B

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: EnumSystemLocalesW,	1_2_0044416B
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: EnumSystemLocalesW,	1_2_00444120
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: EnumSystemLocalesW,	1_2_00444206
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_00444293
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetLocaleInfoW,	1_2_0043D31C
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetLocaleInfoW,	1_2_004444E3
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_0044460C
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetLocaleInfoW,	1_2_00444713
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetLocaleInfoA,	1_2_0040A7D3
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_004447E0
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_00443EA8
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: EnumSystemLocalesW,	1_2_0043CEB5

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_00413B81 GetLocalTime,

1_2_00413B81

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: 1_2_00413C9F CreateThread,GetComputerNameExW,GetUserNameW,

1_2_00413C9F

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: jcXViWLNuc.exe, type: SAMPLE
Source: Yara match	File source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jcXViWLNuc.exe PID: 7836, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

1_2_00407EC0

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		1_2_00407FDE
Source: C:\Users\user\Desktop\jcXViWLNuc.exe	Code function: \key3.db		1_2_00407FDE

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MG8NXC

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: jcXViWLNuc.exe, type: SAMPLE
Source: Yara match	File source: 1.0.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jcXViWLNuc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3817487536.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3817171743.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1374177573.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jcXViWLNuc.exe PID: 7836, type: MEMORYSTR

Contains functionality to launch a control a shell (cmd.exe)

Source: C:\Users\user\Desktop\jcXViWLNuc.exe

Code function: cmd.exe

1_2_00403B0B

ID:	1465914
Product:	CloudBasic
Start time:	08:24:48
Start date:	02.07.2024
Sample:	jcXViWLNuc.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	a8ca71060dae68d7ae75ea3156301407
SHA1:	9e116e2ce2a01fdbc2587725fa5261b26758fc77
SHA256:	9701b7e2c0cd3f562f2b817e94993309429963d2cec3424e7f77345f31ded0ae
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
jcXViWLNuc.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted URLs

Windows Analysis Report jcXViWLNuc.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted URLs

Windows Analysis Report
jcXViWLNuc.exe

Malware Threat Intel
Provided by