Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.599731323334534
Filename:	172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe
Filesize:	494592
MD5:	2b985c758a227407855e1d8e14f8863d
SHA1:	993301bbe17c097debb66c6dec278d4f74063b41
SHA256:	1b7645def29702c924a9cff0a5234b8a697f6d89be75593a725cf8f7da8c7288
SHA512:	258627a5105f0d03f2cdf3f3980adc64f740fa0557a2e46e216e45ed8bf51424008aa2945795b8f215ae7ce8c83ff253ac0ef3a8b104c4a3beabc5c052eae0d9
SSDEEP:	6144:QXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZoAX0cNz5Gv:QX7tPMK8ctGe4Dzl4h2QnuPs/ZoGcv
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H..~.f$~[..~.f&~...~.f'~V..~A.Q~I..~.Z.~J..~....R..~....r..~....j..~A.F~Q..~H..~u..~....,..~..*~I..~....I..~RichH..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Contains functionality to bypass UAC (CMSTPLUA)	Privilege Escalation	Bypass User Account Control Access Token Manipulation
Detected Remcos RAT	Remote Access Functionality	Remote Access Software
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Malicious sample detected (through community Yara rule)	System Summary
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion	Clipboard Data
Contains functionality to register a low level keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to steal Chrome passwords or cookies	Stealing of Sensitive Information	OS Credential Dumping Credentials In Files Account Discovery System Owner/User Discovery
Contains functionality to steal Firefox passwords or cookies	Stealing of Sensitive Information	Access Token Manipulation System Time Discovery
Contains functionalty to change the wallpaper	Spam, unwanted Advertisements and Ransom Demands	Defacement
Delayed program exit found	Malware Analysis System Evasion	Access Token Manipulation
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation Input Capture
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	Data from Local System
Tries to steal Instant Messenger accounts or passwords	Stealing of Sensitive Information	Credentials in Registry
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Tries to steal Mail credentials (via file registry)	Stealing of Sensitive Information
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)	Malware Analysis System Evasion, Anti Debugging
Contains functionality to download and launch executables	Persistence and Installation Behavior	Access Token Manipulation
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to enumerate running services	Malware Analysis System Evasion	System Service Discovery Ingress Tool Transfer
Contains functionality to launch a control a shell (cmd.exe)	Remote Access Functionality	Command and Scripting Interpreter Access Token Manipulation Account Discovery System Owner/User Discovery
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation System Shutdown/Reboot
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Masquerading
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery
Enables debug privileges	Anti Debugging
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion	Access Token Manipulation System Time Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion File and Directory Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to modify services (start/stop/modify)	System Summary	Service Execution Windows Service Access Token Manipulation
Contains functionality to modify the execution of threads in other processes		Access Token Manipulation Security Software Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query local drives	Spreading, Malware Analysis System Evasion
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Contains functionality to start windows services	Boot Survival	Access Token Manipulation
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary	Access Token Manipulation
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Found strings which match to known social media urls	Networking
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Might use command line arguments	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Program exit points	Malware Analysis System Evasion
Public key (encryption) found	Cryptography	Account Discovery System Owner/User Discovery Archive Collected Data
Queries a list of all open handles	System Summary	Process Discovery
Queries a list of all running processes	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads ini files	System Summary
Reads software policies	System Summary	Access Token Manipulation
SQL strings found in memory and binary data	System Summary	File and Directory Discovery
Sample requires command line parameters (based on API chain)	System Summary	Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Checks if Microsoft Office is installed	System Summary	Access Token Manipulation
Tries to open an application configuration file (.cfg)	System Summary	Access Token Manipulation

C:\Users\user\AppData\Local\Temp\Notepo\logs.dat

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Notepo\logs.dat
Category:	dropped
Dump:	logs.dat.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe
Type:	data
Entropy:	3.402054886640339
Encrypted:	false
Ssdeep:	3:rhlKlVjfPlaLcl5JWRal2Jl+7R0DAlBG45klovDl6v:6lVn5YcIeeDAlOWAv
Size:	144
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json

JSON data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json
Category:	dropped
Dump:	json[1].json.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe
Type:	JSON data
Entropy:	5.013811273052389
Encrypted:	false
Ssdeep:	12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
Size:	962
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Temp\bhvE9F8.tmp

Extensible storage engine DataBase, version 0x620, checksum 0x29d2e728, page size 32768, DirtyShutdown, Windows version 10.0

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\bhvE9F8.tmp
Category:	dropped
Dump:	bhvE9F8.tmp.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe
Type:	Extensible storage engine DataBase, version 0x620, checksum 0x29d2e728, page size 32768, DirtyShutdown, Windows version 10.0
Entropy:	0.8011971060712025
Encrypted:	false
Ssdeep:	6144:KdfjZb5aXEY2waXEY24URlMe4APXAP5APzAPwbndOO8pHAP6JnTJnTbnSotnBQ+z:IVS4e81ySaKKjLrONseWe
Size:	17301504
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\fdyvulym

Unicode text, UTF-16, little-endian text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\fdyvulym
Category:	dropped
Dump:	fdyvulym.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe
Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Entropy:	1.0
Encrypted:	false
Ssdeep:	3:Qn:Qn
Size:	2
Whitelisted:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe

"C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe"

Details

Is windows:	false
Is dropped:	false
PID:	180
Target ID:	0
Parent PID:	1028
Name:	172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe
Path:	C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe
Commandline:	"C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe"
Size:	494592
MD5:	2B985C758A227407855E1D8E14F8863D
Time:	09:46:51
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	532480
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe

C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\fdyvulym"

Details

Is windows:	false
Is dropped:	false
PID:	5628
Target ID:	2
Parent PID:	180
Name:	172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe
Path:	C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe
Commandline:	C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\fdyvulym"
Size:	494592
MD5:	2B985C758A227407855E1D8E14F8863D
Time:	09:46:57
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	491520
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe

C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\pgegndrngmr"

Details

Is windows:	false
Is dropped:	false
PID:	2316
Target ID:	3
Parent PID:	180
Name:	172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe
Path:	C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe
Commandline:	C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\pgegndrngmr"
Size:	494592
MD5:	2B985C758A227407855E1D8E14F8863D
Time:	09:46:57
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	401408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe

C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rajyovchuujkyh"

Details

Is windows:	false
Is dropped:	false
PID:	4408
Target ID:	4
Parent PID:	180
Name:	172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe
Path:	C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe
Commandline:	C:\Users\user\Desktop\172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rajyovchuujkyh"
Size:	494592
MD5:	2B985C758A227407855E1D8E14F8863D
Time:	09:46:57
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	147456
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

URLs

Name

Malicious

maveing.duckdns.org

https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P

unknown

https://www.office.com/

unknown

http://www.imvu.comr

unknown

http://geoplugin.net/json.gp%

unknown

http://geoplugin.net/json.gpl

unknown

https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e

unknown

http://www.imvu.com

unknown

http://www.nirsoft.net

unknown

https://aefd.nelreports.net/api/report?cat=bingaotak

unknown

https://deff.nelreports.net/api/report?cat=msn

unknown

http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com

unknown

http://geoplugin.net/json.gp

178.237.33.50

https://www.google.com

unknown

https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073

unknown

https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF

unknown

http://geoplugin.net/

unknown

https://aefd.nelreports.net/api/report?cat=bingaot

unknown

http://geoplugin.net/json.gp/C

unknown

https://maps.windows.com/windows-app-web-link

unknown

http://geoplugin.net/json.gpJ

unknown

https://aefd.nelreports.net/api/report?cat=bingrms

unknown

https://www.google.com/accounts/servicelogin

unknown

https://login.yahoo.com/config/login

unknown

http://www.nirsoft.net/

unknown

http://www.imvu.comata

unknown

http://www.ebuddy.com

unknown

There are 17 hidden URLs, click here to show them.

Domains

Name

Malicious

maveing.duckdns.org

192.3.101.142

Details

Name:	maveing.duckdns.org
IP:	192.3.101.142
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

geoplugin.net

178.237.33.50

Details

Name:	geoplugin.net
IP:	178.237.33.50
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

192.3.101.142

maveing.duckdns.org

United States

178.237.33.50

geoplugin.net

Netherlands

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Rmc-F4JFYD

exepath

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Rmc-F4JFYD
Value name:	exepath
Value data:	EA C8 31 73 B7 22 BF 86 79 B7 29 9B A9 FC 94 10 75 D8 FE 78 E6 45 43 54 2B A5 D7 58 3B 0D 4E C3 2D D3 2D 79 00 6F AA E6 FB 88 09 0F 0A D0 97 E3 EB F7 4F 72 FE 64 BE D4 0A 92 27 6C 48 20 BA BC 73 C8 56 36 CF 95 62 CB 53 36 4A 63 02 57 D8 38 7D 31 67 8E 11 F0 BF 86 ED 8F 3F 5D C7 B7 5A 7A E5 80 72 3B 22 1C 6C 55 D4 11 4A C4 72 6E E5 F3 AC B3 D2 EB 32 5A 3C 4C D1 E8 10 C3 68 11 DD FE AF F1 E7 2C 7D 9C E7 BB 16 5E 89 1C EE 91 B6 A1 81 B4 34 35 20 D9 17 02 B2 E4 30 BB 77 7B DC 61 36 5B AD 28 F7 E4 21 1E 97 F2 A6 22 5B 77 29 67 85 F4 52 BE 36 47 97 BC FF D7 29 6D 8F CB 52 FA 43 A0 ED 39 8F 12 DB 83 C9 B5 54 30 4C BD E6 BE 9A 95 DC BF 5C 03 CA 1A 53 62 AC 38 DF 9D F6 13 ED 10 15 EB B0 12 D8 A4 85 12 9B E7

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information

HKEY_CURRENT_USER\SOFTWARE\Rmc-F4JFYD

licence

HKEY_CURRENT_USER\SOFTWARE\Rmc-F4JFYD

time

Memdumps

Base Address

Regiontype

Protect

Malicious

459000

unkown

page readonly

6EE000

heap

page read and write

459000

unkown

page readonly

459000

unkown

page readonly

459000

unkown

page readonly

459000

unkown

page readonly

400000

system

page execute and read and write

624000

heap

page read and write

2233000

heap

page read and write

732000

heap

page read and write

3660000

heap

page read and write

384B000

heap

page read and write

3847000

heap

page read and write

745000

heap

page read and write

21DE000

heap

page read and write

625000

heap

page read and write

758000

heap

page read and write

21F1000

heap

page read and write

3752000

heap

page read and write

625000

heap

page read and write

21D0000

heap

page read and write

3859000

heap

page read and write

3859000

heap

page read and write

401000

unkown

page execute read

19A000

stack

page read and write

624000

heap

page read and write

25D0000

heap

page read and write

21B1000

heap

page read and write

21D1000

heap

page read and write

2233000

heap

page read and write

754000

heap

page read and write

21BF000

heap

page read and write

5B7000

heap

page read and write

21D1000

heap

page read and write

4C0000

heap

page read and write

21D0000

heap

page read and write

732000

heap

page read and write

21C0000

heap

page read and write

21CC000

heap

page read and write

9EE000

heap

page read and write

21BE000

heap

page read and write

2990000

trusted library allocation

page read and write

754000

heap

page read and write

624000

heap

page read and write

745000

heap

page read and write

2290000

trusted library allocation

page read and write

624000

heap

page read and write

2BE6000

heap

page read and write

723000

heap

page read and write

3661000

heap

page read and write

910000

heap

page read and write

471000

unkown

page write copy

21F1000

heap

page read and write

9ED000

heap

page read and write

21B1000

heap

page read and write

3847000

heap

page read and write

21B1000

heap

page read and write

385D000

heap

page read and write

754000

heap

page read and write

21D0000

heap

page read and write

2791000

heap

page read and write

21D0000

heap

page read and write

248F000

stack

page read and write

5F3000

heap

page read and write

624000

heap

page read and write

2340000

heap

page read and write

471000

unkown

page read and write

21BE000

heap

page read and write

76D000

heap

page read and write

46E000

stack

page read and write

21EA000

heap

page read and write

478000

unkown

page readonly

758000

heap

page read and write

471000

unkown

page write copy

4BE000

stack

page read and write

732000

heap

page read and write

8FF000

stack

page read and write

624000

heap

page read and write

5B0000

heap

page read and write

2D03000

heap

page read and write

1F0000

heap

page read and write

234F000

stack

page read and write

745000

heap

page read and write

2990000

trusted library allocation

page read and write

21D0000

heap

page read and write

21EB000

heap

page read and write

471000

unkown

page write copy

9C000

stack

page read and write

768000

heap

page read and write

21B1000

heap

page read and write

2990000

trusted library allocation

page read and write

2A70000

heap

page read and write

9C000

stack

page read and write

3867000

heap

page read and write

4C4000

heap

page read and write

2AEA000

heap

page read and write

21C5000

heap

page read and write

9EE000

heap

page read and write

25A0000

heap

page read and write

21CB000

heap

page read and write

2AE9000

heap

page read and write

913000

heap

page read and write

21A0000

heap

page read and write

4C4000

heap

page read and write

2802000

heap

page read and write

5D0000

heap

page read and write

5C0000

heap

page read and write

4C4000

heap

page read and write

1F0000

heap

page read and write

745000

heap

page read and write

6EA000

heap

page read and write

723000

heap

page read and write

401000

unkown

page execute read

21C5000

heap

page read and write

473000

system

page execute and read and write

8CF000

stack

page read and write

21B1000

heap

page read and write

625000

heap

page read and write

732000

heap

page read and write

625000

heap

page read and write

528000

heap

page read and write

21B1000

heap

page read and write

395D000

unclassified section

page execute and read and write

2250000

heap

page read and write

4C4000

heap

page read and write

4C4000

heap

page read and write

4AE000

stack

page read and write

21D1000

heap

page read and write

21C2000

heap

page read and write

5C0000

heap

page read and write

238C000

stack

page read and write

2215000

heap

page read and write

400000

unkown

page readonly

39D6000

unclassified section

page execute and read and write

2798000

heap

page read and write

21C0000

heap

page read and write

624000

heap

page read and write

723000

heap

page read and write

37FC000

heap

page read and write

21BC000

heap

page read and write

3980000

unclassified section

page execute and read and write

3847000

heap

page read and write

299D000

heap

page read and write

21C5000

heap

page read and write

21B8000

heap

page read and write

21AC000

heap

page read and write

459000

system

page execute and read and write

21C0000

heap

page read and write

732000

heap

page read and write

21F7000

heap

page read and write

21D3000

heap

page read and write

4C4000

heap

page read and write

474000

unkown

page read and write

2990000

trusted library allocation

page read and write

21D0000

heap

page read and write

21D2000

heap

page read and write

5CD000

heap

page read and write

3847000

heap

page read and write

272F000

stack

page read and write

21C0000

heap

page read and write

21CC000

heap

page read and write

401000

unkown

page execute read

21E9000

heap

page read and write

322F000

stack

page read and write

20FE000

stack

page read and write

25A1000

heap

page read and write

21CC000

heap

page read and write

754000

heap

page read and write

401000

unkown

page execute read

732000

heap

page read and write

21B9000

heap

page read and write

500000

heap

page read and write

269F000

stack

page read and write

21BC000

heap

page read and write

223C000

stack

page read and write

2799000

heap

page read and write

2AD3000

heap

page read and write

625000

heap

page read and write

5CD000

heap

page read and write

780000

heap

page read and write

5D7000

heap

page read and write

21C0000

heap

page read and write

9BC000

heap

page read and write

312E000

stack

page read and write

384B000

heap

page read and write

2088000

heap

page read and write

4BE000

stack

page read and write

745000

heap

page read and write

758000

heap

page read and write

25CF000

stack

page read and write

2691000

heap

page read and write

21BC000

heap

page read and write

21D5000

heap

page read and write

400000

unkown

page readonly

384B000

heap

page read and write

7A9000

heap

page read and write

754000

heap

page read and write

21CC000

heap

page read and write

624000

heap

page read and write

21BE000

heap

page read and write

21E9000

heap

page read and write

4C4000

heap

page read and write

21C2000

heap

page read and write

4B0000

heap

page read and write

923000

heap

page read and write

758000

heap

page read and write

758000

heap

page read and write

7FF000

stack

page read and write

3845000

heap

page read and write

21D2000

heap

page read and write

745000

heap

page read and write

21F1000

heap

page read and write

3753000

heap

page read and write

732000

heap

page read and write

21E2000

heap

page read and write

21C0000

heap

page read and write

21B1000

heap

page read and write

25A1000

heap

page read and write

3973000

unclassified section

page execute and read and write

21AD000

heap

page read and write

400000

unkown

page readonly

920000

trusted library allocation

page read and write

10001000

direct allocation

page execute and read and write

21D3000

heap

page read and write

4C4000

heap

page read and write

21D0000

heap

page read and write

21B1000

heap

page read and write

780000

heap

page read and write

21BC000

heap

page read and write

19C000

stack

page read and write

21AE000

heap

page read and write

3845000

heap

page read and write

2B62000

heap

page read and write

768000

heap

page read and write

4C4000

heap

page read and write

768000

heap

page read and write

17C000

stack

page read and write

45C000

system

page execute and read and write

3845000

heap

page read and write

76B000

heap

page read and write

624000

heap

page read and write

21BC000

heap

page read and write

754000

heap

page read and write

21C0000

heap

page read and write

21E8000

heap

page read and write

21B8000

heap

page read and write

401000

unkown

page execute read

2A71000

heap

page read and write

620000

heap

page read and write

768000

heap

page read and write

478000

unkown

page readonly

21C0000

heap

page read and write

2990000

trusted library allocation

page read and write

2AE8000

heap

page read and write

76B000

heap

page read and write

3847000

heap

page read and write

4C4000

heap

page read and write

39F0000

unclassified section

page execute and read and write

21D2000

heap

page read and write

5F1000

heap

page read and write

21D3000

heap

page read and write

262E000

stack

page read and write

21BE000

heap

page read and write

21D0000

heap

page read and write

2803000

heap

page read and write

384B000

heap

page read and write

3959000

unclassified section

page execute and read and write

758000

heap

page read and write

21B4000

heap

page read and write

745000

heap

page read and write

774000

heap

page read and write

21D0000

heap

page read and write

754000

heap

page read and write

21E2000

heap

page read and write

478000

unkown

page readonly

384B000

heap

page read and write

456000

system

page execute and read and write

21D2000

heap

page read and write

1F0000

heap

page read and write

3900000

unclassified section

page execute and read and write

754000

heap

page read and write

723000

heap

page read and write

758000

heap

page read and write

9C000

stack

page read and write

21D3000

heap

page read and write

21C5000

heap

page read and write

530000

heap

page read and write

4C4000

heap

page read and write

21BE000

heap

page read and write

21F7000

heap

page read and write

21C1000

heap

page read and write

758000

heap

page read and write

4C4000

heap

page read and write

207F000

stack

page read and write

21D0000

heap

page read and write

21B1000

heap

page read and write

400000

system

page execute and read and write

41B000

system

page execute and read and write

2691000

heap

page read and write

10016000

direct allocation

page execute and read and write

625000

heap

page read and write

624000

heap

page read and write

598000

heap

page read and write

37FB000

heap

page read and write

21D0000

heap

page read and write

21C8000

heap

page read and write

21C0000

heap

page read and write

21C0000

heap

page read and write

723000

heap

page read and write

39DC000

unclassified section

page execute and read and write

21B9000

heap

page read and write

9B0000

heap

page read and write

3753000

heap

page read and write

732000

heap

page read and write

21D0000

heap

page read and write

21B1000

heap

page read and write

2CF2000

heap

page read and write

470000

heap

page read and write

21D0000

heap

page read and write

625000

heap

page read and write

2790000

heap

page read and write

9B3000

heap

page read and write

21D0000

heap

page read and write

85F000

stack

page read and write

768000

heap

page read and write

21C0000

heap

page read and write

9E6000

heap

page read and write

732000

heap

page read and write

21EF000

heap

page read and write

177000

stack

page read and write

478000

unkown

page readonly

2699000

heap

page read and write

624000

heap

page read and write

4C4000

heap

page read and write

2802000

heap

page read and write

2799000

heap

page read and write

21C0000

heap

page read and write

36DA000

heap

page read and write

745000

heap

page read and write

1F0000

heap

page read and write

400000

unkown

page readonly

57E000

stack

page read and write

299D000

heap

page read and write

774000

heap

page read and write

3661000

heap

page read and write

929000

heap

page read and write

2ADE000

heap

page read and write

24CE000

stack

page read and write

21DA000

heap

page read and write

21C1000

heap

page read and write

21CC000

heap

page read and write

4C4000

heap

page read and write

2AE8000

heap

page read and write

18F000

stack

page read and write

21AC000

heap

page read and write

723000

heap

page read and write

21D0000

heap

page read and write

21D5000

heap

page read and write

21B1000

heap

page read and write

21D0000

heap

page read and write

21F1000

heap

page read and write

754000

heap

page read and write

21D2000

heap

page read and write

21FF000

stack

page read and write

3845000

heap

page read and write

9BC000

heap

page read and write

758000

heap

page read and write

560000

heap

page read and write

6E0000

heap

page read and write

2990000

trusted library allocation

page read and write

745000

heap

page read and write

745000

heap

page read and write

220D000

heap

page read and write

19C000

stack

page read and write

780000

heap

page read and write

21D0000

heap

page read and write

624000

heap

page read and write

37CB000

heap

page read and write

2209000

heap

page read and write

21B1000

heap

page read and write

383B000

heap

page read and write

9C000

stack

page read and write

768000

heap

page read and write

21F7000

heap

page read and write

21D1000

heap

page read and write

4C4000

heap

page read and write

21C1000

heap

page read and write

3A0B000

unclassified section

page execute and read and write

4FE000

stack

page read and write

768000

heap

page read and write

2803000

heap

page read and write

21BC000

heap

page read and write

400000

system

page execute and read and write

471000

unkown

page write copy

754000

heap

page read and write

384B000

heap

page read and write

624000

heap

page read and write

758000

heap

page read and write

624000

heap

page read and write

10000000

direct allocation

page read and write

768000

heap

page read and write

2240000

heap

page read and write

590000

heap

page read and write

45D000

system

page execute and read and write

21B9000

heap

page read and write

2233000

heap

page read and write

758000

heap

page read and write

2ADA000

heap

page read and write

2A71000

heap

page read and write

21C2000

heap

page read and write

21DA000

heap

page read and write

21C0000

heap

page read and write

8E0000

heap

page read and write

400000

unkown

page readonly

625000

heap

page read and write

2AEA000

heap

page read and write

21F3000

heap

page read and write

21C2000

heap

page read and write

21F1000

heap

page read and write

2690000

heap

page read and write

21AC000

heap

page read and write

4C4000

heap

page read and write

7CD000

stack

page read and write

520000

heap

page read and write

3845000

heap

page read and write

21BE000

heap

page read and write

21C0000

heap

page read and write

21C5000

heap

page read and write

37CB000

heap

page read and write

774000

heap

page read and write

21C0000

heap

page read and write

768000

heap

page read and write

2B62000

heap

page read and write

745000

heap

page read and write

21AC000

heap

page read and write

774000

heap

page read and write

768000

heap

page read and write

9E0000

heap

page read and write

21DA000

heap

page read and write

21B1000

heap

page read and write

76D000

heap

page read and write

768000

heap

page read and write

723000

heap

page read and write

2AD9000

heap

page read and write

21C1000

heap

page read and write

2190000

heap

page read and write

21C0000

heap

page read and write

727000

heap

page read and write

380B000

heap

page read and write

72B000

heap

page read and write

221C000

heap

page read and write

2BF4000

heap

page read and write

21D0000

heap

page read and write

754000

heap

page read and write

5AE000

stack

page read and write

5C3000

heap

page read and write

478000

unkown

page readonly

3847000

heap

page read and write

624000

heap

page read and write

21D3000

heap

page read and write

774000

heap

page read and write

21C0000

heap

page read and write

4C4000

heap

page read and write

2691000

heap

page read and write

3845000

heap

page read and write

624000

heap

page read and write

76D000

heap

page read and write

21D0000

heap

page read and write

21C0000

heap

page read and write

193000

stack

page read and write

There are 460 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe