Windows Analysis Report
BANK LETTER INDICATION.exe

Overview

General Information

Sample name: BANK LETTER INDICATION.exe
Analysis ID: 1467081
MD5: b0fd67ec3db079fd398d7f2fa7ad45bc
SHA1: a8bfe4c1fc745e35cde2acf1164c9ed92363df7d
SHA256: 89d5d25cd020213d6426f13296765683202542062cdcfb10b611d46a65d38d0f
Tags: exe
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Found malware configuration
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack Malware Configuration Extractor: Remcos {"Version": "5.1.0 Pro", "Host:Port:Password": "192.3.64.149:2888", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7Q1GRN", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Multi AV Scanner detection for submitted file
Source: BANK LETTER INDICATION.exe ReversingLabs: Detection: 31%
Yara detected Remcos RAT
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: BANK LETTER INDICATION.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 3_2_00433837
Source: BANK LETTER INDICATION.exe, 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_0cd51a1d-1

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004074FD _wcslen,CoGetObject, 3_2_004074FD
Uses 32bit PE files
Source: BANK LETTER INDICATION.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: BANK LETTER INDICATION.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: VcJr.pdb source: BANK LETTER INDICATION.exe
Source: Binary string: VcJr.pdbSHA256{ source: BANK LETTER INDICATION.exe
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 3_2_00409253
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 3_2_0041C291
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 3_2_0040C34D
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 3_2_00409665
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0044E879 FindFirstFileExA, 3_2_0044E879
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 3_2_0040880C
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040783C FindFirstFileW,FindNextFileW, 3_2_0040783C
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 3_2_00419AF5
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 3_2_0040BB30
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 3_2_0040BD37
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 3_2_00407C97
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 4x nop then jmp 02CF3CEAh 0_2_02CF351C

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 192.3.64.149
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 3_2_0041B380
Source: BANK LETTER INDICATION.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: BANK LETTER INDICATION.exe, 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, BANK LETTER INDICATION.exe, 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 3_2_0040A2B8
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 3_2_0040B70E
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_004168C1
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 3_2_0040B70E
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 3_2_0040A3E0

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041C9E2 SystemParametersInfoW, 3_2_0041C9E2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
.NET source code contains very large array initializations
Source: 0.2.BANK LETTER INDICATION.exe.7b40000.7.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 0.2.BANK LETTER INDICATION.exe.2f18850.2.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Contains functionality to call native functions
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 3_2_004180EF
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 3_2_004167B4
Detected potential crypto function
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_02CF68B8 0_2_02CF68B8
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_02CF5998 0_2_02CF5998
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_02CF16C0 0_2_02CF16C0
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_02CF0D90 0_2_02CF0D90
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_02E5D364 0_2_02E5D364
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_02E5B4C8 0_2_02E5B4C8
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_053C7D58 0_2_053C7D58
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_053C7FB0 0_2_053C7FB0
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_053C0006 0_2_053C0006
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_053C0040 0_2_053C0040
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_053CAEB0 0_2_053CAEB0
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_053C7FA1 0_2_053C7FA1
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_054EF718 0_2_054EF718
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_054EBB70 0_2_054EBB70
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_054EF6CE 0_2_054EF6CE
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_054EBB60 0_2_054EBB60
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_054EFBC8 0_2_054EFBC8
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_054EFBBC 0_2_054EFBBC
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F1060 0_2_078F1060
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F7F28 0_2_078F7F28
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F3D50 0_2_078F3D50
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F8788 0_2_078F8788
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F877B 0_2_078F877B
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078FF680 0_2_078FF680
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F2450 0_2_078F2450
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F2460 0_2_078F2460
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078FF248 0_2_078FF248
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F0F89 0_2_078F0F89
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F7F18 0_2_078F7F18
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F3EE3 0_2_078F3EE3
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F3D42 0_2_078F3D42
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F1A98 0_2_078F1A98
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F190A 0_2_078F190A
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F1918 0_2_078F1918
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F7967 0_2_078F7967
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F7978 0_2_078F7978
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0043E0CC 3_2_0043E0CC
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041F0FA 3_2_0041F0FA
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00454159 3_2_00454159
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00438168 3_2_00438168
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004461F0 3_2_004461F0
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0043E2FB 3_2_0043E2FB
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0045332B 3_2_0045332B
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0042739D 3_2_0042739D
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004374E6 3_2_004374E6
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0043E558 3_2_0043E558
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00438770 3_2_00438770
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004378FE 3_2_004378FE
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00433946 3_2_00433946
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0044D9C9 3_2_0044D9C9
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00427A46 3_2_00427A46
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041DB62 3_2_0041DB62
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00427BAF 3_2_00427BAF
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00437D33 3_2_00437D33
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00435E5E 3_2_00435E5E
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00426E0E 3_2_00426E0E
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0043DE9D 3_2_0043DE9D
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00413FCA 3_2_00413FCA
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00436FEA 3_2_00436FEA
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: String function: 00434770 appears 41 times
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: String function: 00401E65 appears 34 times
Sample file is different than original file name gathered from version info
Source: BANK LETTER INDICATION.exe, 00000000.00000002.1249242251.0000000007B40000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs BANK LETTER INDICATION.exe
Source: BANK LETTER INDICATION.exe, 00000000.00000000.1226432287.0000000000B44000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVcJr.exe> vs BANK LETTER INDICATION.exe
Source: BANK LETTER INDICATION.exe, 00000000.00000002.1240360095.000000000114E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs BANK LETTER INDICATION.exe
Source: BANK LETTER INDICATION.exe, 00000000.00000002.1249348344.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs BANK LETTER INDICATION.exe
Source: BANK LETTER INDICATION.exe, 00000000.00000002.1244372928.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs BANK LETTER INDICATION.exe
Source: BANK LETTER INDICATION.exe Binary or memory string: OriginalFilenameVcJr.exe> vs BANK LETTER INDICATION.exe
Uses 32bit PE files
Source: BANK LETTER INDICATION.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: BANK LETTER INDICATION.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, USyfnruxiiNouZmwZZ.cs Security API names: _0020.SetAccessControl
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, USyfnruxiiNouZmwZZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, USyfnruxiiNouZmwZZ.cs Security API names: _0020.AddAccessRule
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, USyfnruxiiNouZmwZZ.cs Security API names: _0020.SetAccessControl
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, USyfnruxiiNouZmwZZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, USyfnruxiiNouZmwZZ.cs Security API names: _0020.AddAccessRule
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, kFNYiTIpTfii78o21e.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, kFNYiTIpTfii78o21e.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, USyfnruxiiNouZmwZZ.cs Security API names: _0020.SetAccessControl
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, USyfnruxiiNouZmwZZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, USyfnruxiiNouZmwZZ.cs Security API names: _0020.AddAccessRule
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, kFNYiTIpTfii78o21e.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@5/1@0/0
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 3_2_00417952
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 3_2_0040F474
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 3_2_0041B4A8
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 3_2_0041AA4A
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK LETTER INDICATION.exe.log Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Mutant created: NULL
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-7Q1GRN
Source: BANK LETTER INDICATION.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BANK LETTER INDICATION.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: BANK LETTER INDICATION.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe File read: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\BANK LETTER INDICATION.exe "C:\Users\user\Desktop\BANK LETTER INDICATION.exe"
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process created: C:\Users\user\Desktop\BANK LETTER INDICATION.exe "C:\Users\user\Desktop\BANK LETTER INDICATION.exe"
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process created: C:\Users\user\Desktop\BANK LETTER INDICATION.exe "C:\Users\user\Desktop\BANK LETTER INDICATION.exe" Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe" Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: BANK LETTER INDICATION.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BANK LETTER INDICATION.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: BANK LETTER INDICATION.exe Static file information: File size 1210368 > 1048576
Source: BANK LETTER INDICATION.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x121000
Source: BANK LETTER INDICATION.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: BANK LETTER INDICATION.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: VcJr.pdb source: BANK LETTER INDICATION.exe
Source: Binary string: VcJr.pdbSHA256{ source: BANK LETTER INDICATION.exe

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: BANK LETTER INDICATION.exe, mainscreen.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, USyfnruxiiNouZmwZZ.cs .Net Code: a07XMowFoP System.Reflection.Assembly.Load(byte[])
Source: 0.2.BANK LETTER INDICATION.exe.7b40000.7.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.BANK LETTER INDICATION.exe.7b40000.7.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, USyfnruxiiNouZmwZZ.cs .Net Code: a07XMowFoP System.Reflection.Assembly.Load(byte[])
Source: 0.2.BANK LETTER INDICATION.exe.2f18850.2.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.BANK LETTER INDICATION.exe.2f18850.2.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, USyfnruxiiNouZmwZZ.cs .Net Code: a07XMowFoP System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: BANK LETTER INDICATION.exe Static PE information: 0xF4642AC9 [Sun Dec 6 01:54:17 2099 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_0041CB50
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_054EEFD5 push esp; retf 0_2_054EEFDC
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_054E084A pushfd ; ret 0_2_054E0851
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 0_2_078F3AD7 push ebx; retf 0_2_078F3ADA
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00457106 push ecx; ret 3_2_00457119
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0045B11A push esp; ret 3_2_0045B141
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0045E54D push esi; ret 3_2_0045E556
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00457A28 push eax; ret 3_2_00457A46
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00434E56 push ecx; ret 3_2_00434E69
Source: BANK LETTER INDICATION.exe Static PE information: section name: .text entropy: 7.983846811568236
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, UhWlHV8ilu8c5OKuiT.cs High entropy of concatenated method names: 'O3ryO6Zxuw', 'd5JyN2pU3g', 'FpEyMwKeCw', 'GsDyC9RbA9', 'ACayRpG92R', 'KNqywOC3m1', 'T8TyJSAHBw', 'tIryI3pht2', 'C4qyiy96Lg', 'euYynUNE7E'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, zmp1RbqNBb9Chb4FIJ.cs High entropy of concatenated method names: 'rWSbKjcvSP', 'XgWbED73sx', 'ToString', 'ouhbpc0ShF', 'SjebAIjLZw', 'f4sbFrFe8p', 'xXCbo5hVOO', 'WtablafgFX', 'GC3byPAumv', 'RbNbuGx8Jx'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, faXMxiTgJrofCnucov.cs High entropy of concatenated method names: 'A5nM60ZMi', 'br4C5KypS', 'qa5w3DrAX', 'Iy7J9RauQ', 'HCxiDl6mD', 'fqRntLFRs', 'badCV00KNgWKkkPWvV', 'i4xsN2IbvqbBprnfwF', 'bbiaIfCG7', 'M0BcmwgJs'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, Us2EPTvVHm95rOGEiv.cs High entropy of concatenated method names: 'sH5Bop9tOHOLndJ5eXU', 'OCMgn795AHwW2lILHRE', 'FW9kfE9krPJVrYiKPpl', 'xBflaaxLNt', 'Fb8l6Dx2Nc', 'yPClcTJRDv', 'DCBhEb9R0jIvr0ghfti', 'EmKhnV9TkL62utNEeTH'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, yfoh7wXsID2Kr7PUiv.cs High entropy of concatenated method names: 'DG5GyFNYiT', 'fTfGuii78o', 'eWrGK4TVUI', 'OfsGEDIVAh', 'CbdGWbCYfi', 'cVOGxCNqjq', 'yQS7RLYbdCrR75Lfx8', 'L2yDQ1xkLV9j5gB8WB', 'lmTGG9i6x6', 'XVHGkvrJiR'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, YfikVOtCNqjqoRIwC6.cs High entropy of concatenated method names: 'Mf0ld8yhS6', 'MdclAo97vx', 'aKmloc84Hu', 'xpclyqOJS5', 'NDalu1O9Me', 'g2roHDpblV', 'bTPoSocp3U', 'EtUoQs3iiQ', 'DX8ogh5De5', 'eBUo0IN2wn'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, nL1hwcSIVJlMqDRIuZ.cs High entropy of concatenated method names: 'qaMbgfpPAu', 'gCobY7PUby', 'XejaBJAQyR', 'OswaGCwR5M', 'VnPbme3GEp', 'Muwb7hc63d', 'DhkbruwnE0', 'Yt2bVFr1w3', 'UFhb1CKMqB', 'bXhbsADkEh'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, u1vZusAkCoRsMkmLV0.cs High entropy of concatenated method names: 'Dispose', 'DsuG04eRDk', 'rdvTvpIQNX', 'lGkxxa89YE', 'fEDGYC106e', 'LH4GzY63nY', 'ProcessDialogKey', 'mmpTByhesp', 'aaZTGLJLqV', 'v8tTT109do'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, NS6k6QGkGS1yoLa0kJQ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UbxcV3Ks7W', 'hTmc1GDbMY', 'WOkcsckGc8', 'DIQcqWgOmM', 'JIrcHgOMr4', 'DSjcSDVv0W', 'WFVcQRaPn8'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, JVkWLXiWr4TVUImfsD.cs High entropy of concatenated method names: 'IhRFCSAUTK', 'UC9FwKjd0V', 'PIiFIuleOe', 'epDFivJiEw', 'HXcFWrhjwT', 'RQkFxKd5rb', 'rbRFbhTy5C', 'pHpFaAfrAr', 'GGbF68YY8A', 'DlYFcVjllN'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, fyhesp0BaZLJLqV38t.cs High entropy of concatenated method names: 'Glfatqfcdx', 'f1FavLZhcf', 'q8ja9G3mSh', 'C3Wa2NfPiP', 'QG8aVJDoHS', 'QcoahlU8ZG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, i1CxnMDtf7Z4XDkeIp.cs High entropy of concatenated method names: 'vscypeDsYe', 'FkryFO0aaV', 'ChJylKjrJ6', 'JM6lYUXWEQ', 'nyblzL211s', 'zVJyBDk4uA', 'gKcyGlVDnd', 'PslyTqlE3L', 'awxykFStmA', 'xioyXoLP01'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, USyfnruxiiNouZmwZZ.cs High entropy of concatenated method names: 'WZ7kdSPJ6O', 'BqhkpLq2b4', 'unokAOKNa6', 'd5dkFUkdkI', 'kJ4kooAmYc', 'JDJklTOe9b', 'fStkyq4Dbh', 'qjckuKwf46', 'tXqk5cY9db', 'ecjkKpGPU8'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, T7HIrKGBXsoNjHLmmUi.cs High entropy of concatenated method names: 'cUg6O32us5', 'BAe6NWvgtt', 'vNF6Mr4LOn', 'Cyk6CvWZqA', 'gAS6RgQeYe', 'JKG6wpGM2E', 'mTR6JwcKrt', 'KqM6IyfRcQ', 'nme6i5kdrC', 'dvU6njMkEX'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, R6nN6WrWJpaIfPt4NY.cs High entropy of concatenated method names: 'mQGfIKxEuN', 'GqPfibf4GF', 'zvPftvP2sk', 'y4rfv81lvT', 'N8bf243OLU', 'sl3fhyACU0', 'HQYfD2Nfk1', 'boKfeQM9ou', 'kJlfPIAMmP', 'Mi2fmcaYCP'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, R09dohYLb0ViIQb8a3.cs High entropy of concatenated method names: 'D3Z6G8v7fo', 'Ylk6kKJuv3', 'n7x6XovKuQ', 'kSR6pKOuGq', 'gdu6Aht6WD', 'B8Q6ojk7eX', 'fWp6liXOV0', 'dVaaQDg7Ss', 'TDkag3Q8hK', 'cD8a0T8Z5Z'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, DhdG8XVr3HrxhiuhNC.cs High entropy of concatenated method names: 'llFWPt1Dfk', 'JcLW76QjRD', 'TIvWVDac01', 'gK2W19D7Kc', 'FiTWvYCN3t', 'LAbW9xiTDa', 'vviW2ym8Cf', 'RG2Whe21t0', 'BMQWUZHI5X', 'ROfWDGxsDi'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, EVAhlqnC6pIITJbdbC.cs High entropy of concatenated method names: 'hLuoRIGaVL', 'aIkoJ8PfPe', 'urPF99jxBn', 'TGIF2LK7UT', 'p7aFhBIfJl', 'qKBFUm8pv4', 'bHIFDEwaNt', 'iGgFeXPZg4', 'NhsF8vAt6L', 'jk4FPmS4cm'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, kFNYiTIpTfii78o21e.cs High entropy of concatenated method names: 'BA4AVAkLKt', 'mbeA1GVcfZ', 'DkRAsfPOF9', 'eXWAqEy5WK', 'YHTAHe5iGi', 'aVLASkuVO7', 'CTwAQgPso1', 'EieAgoMUUG', 'Rv5A0WosAN', 'Di8AYY0xyI'
Source: 0.2.BANK LETTER INDICATION.exe.43e2d00.5.raw.unpack, nDC106geDH4Y63nYKm.cs High entropy of concatenated method names: 'drrapZDh8q', 'P94aAq7Slu', 'sfxaFSFw8a', 'sYtaoA1U0F', 'YKvalFj4AM', 'lTWayfWAKe', 'NluauLrokk', 'NiWa5X0GDp', 'v90aKWdYok', 'j2yaECyfdi'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, UhWlHV8ilu8c5OKuiT.cs High entropy of concatenated method names: 'O3ryO6Zxuw', 'd5JyN2pU3g', 'FpEyMwKeCw', 'GsDyC9RbA9', 'ACayRpG92R', 'KNqywOC3m1', 'T8TyJSAHBw', 'tIryI3pht2', 'C4qyiy96Lg', 'euYynUNE7E'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, zmp1RbqNBb9Chb4FIJ.cs High entropy of concatenated method names: 'rWSbKjcvSP', 'XgWbED73sx', 'ToString', 'ouhbpc0ShF', 'SjebAIjLZw', 'f4sbFrFe8p', 'xXCbo5hVOO', 'WtablafgFX', 'GC3byPAumv', 'RbNbuGx8Jx'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, faXMxiTgJrofCnucov.cs High entropy of concatenated method names: 'A5nM60ZMi', 'br4C5KypS', 'qa5w3DrAX', 'Iy7J9RauQ', 'HCxiDl6mD', 'fqRntLFRs', 'badCV00KNgWKkkPWvV', 'i4xsN2IbvqbBprnfwF', 'bbiaIfCG7', 'M0BcmwgJs'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, Us2EPTvVHm95rOGEiv.cs High entropy of concatenated method names: 'sH5Bop9tOHOLndJ5eXU', 'OCMgn795AHwW2lILHRE', 'FW9kfE9krPJVrYiKPpl', 'xBflaaxLNt', 'Fb8l6Dx2Nc', 'yPClcTJRDv', 'DCBhEb9R0jIvr0ghfti', 'EmKhnV9TkL62utNEeTH'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, yfoh7wXsID2Kr7PUiv.cs High entropy of concatenated method names: 'DG5GyFNYiT', 'fTfGuii78o', 'eWrGK4TVUI', 'OfsGEDIVAh', 'CbdGWbCYfi', 'cVOGxCNqjq', 'yQS7RLYbdCrR75Lfx8', 'L2yDQ1xkLV9j5gB8WB', 'lmTGG9i6x6', 'XVHGkvrJiR'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, YfikVOtCNqjqoRIwC6.cs High entropy of concatenated method names: 'Mf0ld8yhS6', 'MdclAo97vx', 'aKmloc84Hu', 'xpclyqOJS5', 'NDalu1O9Me', 'g2roHDpblV', 'bTPoSocp3U', 'EtUoQs3iiQ', 'DX8ogh5De5', 'eBUo0IN2wn'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, nL1hwcSIVJlMqDRIuZ.cs High entropy of concatenated method names: 'qaMbgfpPAu', 'gCobY7PUby', 'XejaBJAQyR', 'OswaGCwR5M', 'VnPbme3GEp', 'Muwb7hc63d', 'DhkbruwnE0', 'Yt2bVFr1w3', 'UFhb1CKMqB', 'bXhbsADkEh'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, u1vZusAkCoRsMkmLV0.cs High entropy of concatenated method names: 'Dispose', 'DsuG04eRDk', 'rdvTvpIQNX', 'lGkxxa89YE', 'fEDGYC106e', 'LH4GzY63nY', 'ProcessDialogKey', 'mmpTByhesp', 'aaZTGLJLqV', 'v8tTT109do'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, NS6k6QGkGS1yoLa0kJQ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UbxcV3Ks7W', 'hTmc1GDbMY', 'WOkcsckGc8', 'DIQcqWgOmM', 'JIrcHgOMr4', 'DSjcSDVv0W', 'WFVcQRaPn8'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, JVkWLXiWr4TVUImfsD.cs High entropy of concatenated method names: 'IhRFCSAUTK', 'UC9FwKjd0V', 'PIiFIuleOe', 'epDFivJiEw', 'HXcFWrhjwT', 'RQkFxKd5rb', 'rbRFbhTy5C', 'pHpFaAfrAr', 'GGbF68YY8A', 'DlYFcVjllN'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, fyhesp0BaZLJLqV38t.cs High entropy of concatenated method names: 'Glfatqfcdx', 'f1FavLZhcf', 'q8ja9G3mSh', 'C3Wa2NfPiP', 'QG8aVJDoHS', 'QcoahlU8ZG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, i1CxnMDtf7Z4XDkeIp.cs High entropy of concatenated method names: 'vscypeDsYe', 'FkryFO0aaV', 'ChJylKjrJ6', 'JM6lYUXWEQ', 'nyblzL211s', 'zVJyBDk4uA', 'gKcyGlVDnd', 'PslyTqlE3L', 'awxykFStmA', 'xioyXoLP01'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, USyfnruxiiNouZmwZZ.cs High entropy of concatenated method names: 'WZ7kdSPJ6O', 'BqhkpLq2b4', 'unokAOKNa6', 'd5dkFUkdkI', 'kJ4kooAmYc', 'JDJklTOe9b', 'fStkyq4Dbh', 'qjckuKwf46', 'tXqk5cY9db', 'ecjkKpGPU8'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, T7HIrKGBXsoNjHLmmUi.cs High entropy of concatenated method names: 'cUg6O32us5', 'BAe6NWvgtt', 'vNF6Mr4LOn', 'Cyk6CvWZqA', 'gAS6RgQeYe', 'JKG6wpGM2E', 'mTR6JwcKrt', 'KqM6IyfRcQ', 'nme6i5kdrC', 'dvU6njMkEX'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, R6nN6WrWJpaIfPt4NY.cs High entropy of concatenated method names: 'mQGfIKxEuN', 'GqPfibf4GF', 'zvPftvP2sk', 'y4rfv81lvT', 'N8bf243OLU', 'sl3fhyACU0', 'HQYfD2Nfk1', 'boKfeQM9ou', 'kJlfPIAMmP', 'Mi2fmcaYCP'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, R09dohYLb0ViIQb8a3.cs High entropy of concatenated method names: 'D3Z6G8v7fo', 'Ylk6kKJuv3', 'n7x6XovKuQ', 'kSR6pKOuGq', 'gdu6Aht6WD', 'B8Q6ojk7eX', 'fWp6liXOV0', 'dVaaQDg7Ss', 'TDkag3Q8hK', 'cD8a0T8Z5Z'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, DhdG8XVr3HrxhiuhNC.cs High entropy of concatenated method names: 'llFWPt1Dfk', 'JcLW76QjRD', 'TIvWVDac01', 'gK2W19D7Kc', 'FiTWvYCN3t', 'LAbW9xiTDa', 'vviW2ym8Cf', 'RG2Whe21t0', 'BMQWUZHI5X', 'ROfWDGxsDi'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, EVAhlqnC6pIITJbdbC.cs High entropy of concatenated method names: 'hLuoRIGaVL', 'aIkoJ8PfPe', 'urPF99jxBn', 'TGIF2LK7UT', 'p7aFhBIfJl', 'qKBFUm8pv4', 'bHIFDEwaNt', 'iGgFeXPZg4', 'NhsF8vAt6L', 'jk4FPmS4cm'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, kFNYiTIpTfii78o21e.cs High entropy of concatenated method names: 'BA4AVAkLKt', 'mbeA1GVcfZ', 'DkRAsfPOF9', 'eXWAqEy5WK', 'YHTAHe5iGi', 'aVLASkuVO7', 'CTwAQgPso1', 'EieAgoMUUG', 'Rv5A0WosAN', 'Di8AYY0xyI'
Source: 0.2.BANK LETTER INDICATION.exe.42ecee0.4.raw.unpack, nDC106geDH4Y63nYKm.cs High entropy of concatenated method names: 'drrapZDh8q', 'P94aAq7Slu', 'sfxaFSFw8a', 'sYtaoA1U0F', 'YKvalFj4AM', 'lTWayfWAKe', 'NluauLrokk', 'NiWa5X0GDp', 'v90aKWdYok', 'j2yaECyfdi'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, UhWlHV8ilu8c5OKuiT.cs High entropy of concatenated method names: 'O3ryO6Zxuw', 'd5JyN2pU3g', 'FpEyMwKeCw', 'GsDyC9RbA9', 'ACayRpG92R', 'KNqywOC3m1', 'T8TyJSAHBw', 'tIryI3pht2', 'C4qyiy96Lg', 'euYynUNE7E'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, zmp1RbqNBb9Chb4FIJ.cs High entropy of concatenated method names: 'rWSbKjcvSP', 'XgWbED73sx', 'ToString', 'ouhbpc0ShF', 'SjebAIjLZw', 'f4sbFrFe8p', 'xXCbo5hVOO', 'WtablafgFX', 'GC3byPAumv', 'RbNbuGx8Jx'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, faXMxiTgJrofCnucov.cs High entropy of concatenated method names: 'A5nM60ZMi', 'br4C5KypS', 'qa5w3DrAX', 'Iy7J9RauQ', 'HCxiDl6mD', 'fqRntLFRs', 'badCV00KNgWKkkPWvV', 'i4xsN2IbvqbBprnfwF', 'bbiaIfCG7', 'M0BcmwgJs'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, Us2EPTvVHm95rOGEiv.cs High entropy of concatenated method names: 'sH5Bop9tOHOLndJ5eXU', 'OCMgn795AHwW2lILHRE', 'FW9kfE9krPJVrYiKPpl', 'xBflaaxLNt', 'Fb8l6Dx2Nc', 'yPClcTJRDv', 'DCBhEb9R0jIvr0ghfti', 'EmKhnV9TkL62utNEeTH'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, yfoh7wXsID2Kr7PUiv.cs High entropy of concatenated method names: 'DG5GyFNYiT', 'fTfGuii78o', 'eWrGK4TVUI', 'OfsGEDIVAh', 'CbdGWbCYfi', 'cVOGxCNqjq', 'yQS7RLYbdCrR75Lfx8', 'L2yDQ1xkLV9j5gB8WB', 'lmTGG9i6x6', 'XVHGkvrJiR'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, YfikVOtCNqjqoRIwC6.cs High entropy of concatenated method names: 'Mf0ld8yhS6', 'MdclAo97vx', 'aKmloc84Hu', 'xpclyqOJS5', 'NDalu1O9Me', 'g2roHDpblV', 'bTPoSocp3U', 'EtUoQs3iiQ', 'DX8ogh5De5', 'eBUo0IN2wn'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, nL1hwcSIVJlMqDRIuZ.cs High entropy of concatenated method names: 'qaMbgfpPAu', 'gCobY7PUby', 'XejaBJAQyR', 'OswaGCwR5M', 'VnPbme3GEp', 'Muwb7hc63d', 'DhkbruwnE0', 'Yt2bVFr1w3', 'UFhb1CKMqB', 'bXhbsADkEh'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, u1vZusAkCoRsMkmLV0.cs High entropy of concatenated method names: 'Dispose', 'DsuG04eRDk', 'rdvTvpIQNX', 'lGkxxa89YE', 'fEDGYC106e', 'LH4GzY63nY', 'ProcessDialogKey', 'mmpTByhesp', 'aaZTGLJLqV', 'v8tTT109do'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, NS6k6QGkGS1yoLa0kJQ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UbxcV3Ks7W', 'hTmc1GDbMY', 'WOkcsckGc8', 'DIQcqWgOmM', 'JIrcHgOMr4', 'DSjcSDVv0W', 'WFVcQRaPn8'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, JVkWLXiWr4TVUImfsD.cs High entropy of concatenated method names: 'IhRFCSAUTK', 'UC9FwKjd0V', 'PIiFIuleOe', 'epDFivJiEw', 'HXcFWrhjwT', 'RQkFxKd5rb', 'rbRFbhTy5C', 'pHpFaAfrAr', 'GGbF68YY8A', 'DlYFcVjllN'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, fyhesp0BaZLJLqV38t.cs High entropy of concatenated method names: 'Glfatqfcdx', 'f1FavLZhcf', 'q8ja9G3mSh', 'C3Wa2NfPiP', 'QG8aVJDoHS', 'QcoahlU8ZG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, i1CxnMDtf7Z4XDkeIp.cs High entropy of concatenated method names: 'vscypeDsYe', 'FkryFO0aaV', 'ChJylKjrJ6', 'JM6lYUXWEQ', 'nyblzL211s', 'zVJyBDk4uA', 'gKcyGlVDnd', 'PslyTqlE3L', 'awxykFStmA', 'xioyXoLP01'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, USyfnruxiiNouZmwZZ.cs High entropy of concatenated method names: 'WZ7kdSPJ6O', 'BqhkpLq2b4', 'unokAOKNa6', 'd5dkFUkdkI', 'kJ4kooAmYc', 'JDJklTOe9b', 'fStkyq4Dbh', 'qjckuKwf46', 'tXqk5cY9db', 'ecjkKpGPU8'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, T7HIrKGBXsoNjHLmmUi.cs High entropy of concatenated method names: 'cUg6O32us5', 'BAe6NWvgtt', 'vNF6Mr4LOn', 'Cyk6CvWZqA', 'gAS6RgQeYe', 'JKG6wpGM2E', 'mTR6JwcKrt', 'KqM6IyfRcQ', 'nme6i5kdrC', 'dvU6njMkEX'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, R6nN6WrWJpaIfPt4NY.cs High entropy of concatenated method names: 'mQGfIKxEuN', 'GqPfibf4GF', 'zvPftvP2sk', 'y4rfv81lvT', 'N8bf243OLU', 'sl3fhyACU0', 'HQYfD2Nfk1', 'boKfeQM9ou', 'kJlfPIAMmP', 'Mi2fmcaYCP'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, R09dohYLb0ViIQb8a3.cs High entropy of concatenated method names: 'D3Z6G8v7fo', 'Ylk6kKJuv3', 'n7x6XovKuQ', 'kSR6pKOuGq', 'gdu6Aht6WD', 'B8Q6ojk7eX', 'fWp6liXOV0', 'dVaaQDg7Ss', 'TDkag3Q8hK', 'cD8a0T8Z5Z'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, DhdG8XVr3HrxhiuhNC.cs High entropy of concatenated method names: 'llFWPt1Dfk', 'JcLW76QjRD', 'TIvWVDac01', 'gK2W19D7Kc', 'FiTWvYCN3t', 'LAbW9xiTDa', 'vviW2ym8Cf', 'RG2Whe21t0', 'BMQWUZHI5X', 'ROfWDGxsDi'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, EVAhlqnC6pIITJbdbC.cs High entropy of concatenated method names: 'hLuoRIGaVL', 'aIkoJ8PfPe', 'urPF99jxBn', 'TGIF2LK7UT', 'p7aFhBIfJl', 'qKBFUm8pv4', 'bHIFDEwaNt', 'iGgFeXPZg4', 'NhsF8vAt6L', 'jk4FPmS4cm'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, kFNYiTIpTfii78o21e.cs High entropy of concatenated method names: 'BA4AVAkLKt', 'mbeA1GVcfZ', 'DkRAsfPOF9', 'eXWAqEy5WK', 'YHTAHe5iGi', 'aVLASkuVO7', 'CTwAQgPso1', 'EieAgoMUUG', 'Rv5A0WosAN', 'Di8AYY0xyI'
Source: 0.2.BANK LETTER INDICATION.exe.7ca0000.8.raw.unpack, nDC106geDH4Y63nYKm.cs High entropy of concatenated method names: 'drrapZDh8q', 'P94aAq7Slu', 'sfxaFSFw8a', 'sYtaoA1U0F', 'YKvalFj4AM', 'lTWayfWAKe', 'NluauLrokk', 'NiWa5X0GDp', 'v90aKWdYok', 'j2yaECyfdi'
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 3_2_00406EB0
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 3_2_0041AA4A
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_0041CB50
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR
Delayed program exit found
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040F7A7 Sleep,ExitProcess, 3_2_0040F7A7
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 2C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 2EF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 2C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 7CA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 8CA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 8E50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 9E50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: A1B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: B1B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: 8E50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: A1B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: B1B0000 memory reserve | memory write watch Jump to behavior
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 3_2_0041A748
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe TID: 6944 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 3_2_00409253
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 3_2_0041C291
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 3_2_0040C34D
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 3_2_00409665
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0044E879 FindFirstFileExA, 3_2_0044E879
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 3_2_0040880C
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040783C FindFirstFileW,FindNextFileW, 3_2_0040783C
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 3_2_00419AF5
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 3_2_0040BB30
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 3_2_0040BD37
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 3_2_00407C97
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004349F9
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_0041CB50
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004432B5 mov eax, dword ptr fs:[00000030h] 3_2_004432B5
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00412077 GetProcessHeap,HeapFree, 3_2_00412077
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004349F9
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00434B47 SetUnhandledExceptionFilter, 3_2_00434B47
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0043BB22
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00434FDC
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 3_2_004180EF
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory written: C:\Users\user\Desktop\BANK LETTER INDICATION.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Section loaded: NULL target: C:\Program Files (x86)\Internet Explorer\iexplore.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 2A45008 Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 3_2_004120F7
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00419627 mouse_event, 3_2_00419627
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process created: C:\Users\user\Desktop\BANK LETTER INDICATION.exe "C:\Users\user\Desktop\BANK LETTER INDICATION.exe" Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00434C52 cpuid 3_2_00434C52
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: EnumSystemLocalesW, 3_2_00452036
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_004520C3
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetLocaleInfoW, 3_2_00452313
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: EnumSystemLocalesW, 3_2_00448404
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_0045243C
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetLocaleInfoW, 3_2_00452543
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_00452610
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetLocaleInfoA, 3_2_0040F8D1
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: GetLocaleInfoW, 3_2_004488ED
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_00451CD8
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: EnumSystemLocalesW, 3_2_00451F50
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: EnumSystemLocalesW, 3_2_00451F9B
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Queries volume information: C:\Users\user\Desktop\BANK LETTER INDICATION.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0040B164 GetLocalTime,wsprintfW, 3_2_0040B164
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_0041B60D GetUserNameW, 3_2_0041B60D
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: 3_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 3_2_00449190
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 3_2_0040BA12
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 3_2_0040BB30
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: \key3.db 3_2_0040BB30

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-7Q1GRN Jump to behavior
Yara detected Remcos RAT
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BANK LETTER INDICATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.4075888.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BANK LETTER INDICATION.exe.3ffcc68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1239346208.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1245435166.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BANK LETTER INDICATION.exe PID: 3212, type: MEMORYSTR
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Users\user\Desktop\BANK LETTER INDICATION.exe Code function: cmd.exe 3_2_0040569A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1467081 Sample: BANK LETTER INDICATION.exe Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 18 Found malware configuration 2->18 20 Malicious sample detected (through community Yara rule) 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 16 other signatures 2->24 7 BANK LETTER INDICATION.exe 3 2->7         started        process3 file4 16 C:\Users\...\BANK LETTER INDICATION.exe.log, ASCII 7->16 dropped 26 Injects a PE file into a foreign processes 7->26 11 BANK LETTER INDICATION.exe 2 7->11         started        signatures5 process6 signatures7 28 Detected Remcos RAT 11->28 30 Writes to foreign memory regions 11->30 32 Maps a DLL or memory area into another process 11->32 14 iexplore.exe 11->14         started        process8
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
192.3.64.149 true
  • Avira URL Cloud: safe
 unknown