Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe

"C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5272
Target ID:	1
Parent PID:	4004
Name:	1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe
Path:	C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe
Commandline:	"C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe"
Size:	493056
MD5:	68011A26BB98D3B77DE9594AE7624358
Time:	08:11:17
Date:	06/12/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	520192
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

URLs

Name

Malicious

http://geoplugin.net/json.gp

unknown

Details

Name:	http://geoplugin.net/json.gp
TargetID:	1
From Memory:	true
Current Path:	C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe
Source:	1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://geoplugin.net/json.gp/C

unknown

Details

Name:	http://geoplugin.net/json.gp/C
TargetID:	1
From Memory:	true
Current Path:	C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe
Source:	1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

104.243.246.120

unknown

United States

Details

IP:	104.243.246.120
TargetID:	1
Current Path:	C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe
Country:	United States
Countrycode:	USA
ASN number:	3223
ASN name:	VOXILITYGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Rmc-4NJUM7

exepath

Details

TargetID:	1
Path:	HKEY_CURRENT_USER\SOFTWARE\Rmc-4NJUM7
Value name:	exepath
Value data:	33 01 89 C1 1C 52 5C 82 B2 E1 37 BF 6F 6A AF 94 7B 15 D0 1A 8C AB 60 67 17 23 3C 40 AB 7C A9 9F 5C 7E 31 A1 25 95 37 D7 33 24 59 76 3D 76 6F 7E B6 F5 1D E5 49 7C 92 12 E0 B0 33 A6 12 32 71 44 52 93 6F 8A C3 E4 32 99 44 76 3B B6 3B F4 32 62 14 EF 16 5F A6 A3 FD B3 72 B5 71 14 40 87 5A FC A9 8E C3 AD 4E 39 D9 12 D1 5A E6 92 36 BF 0E 15 4D 1B 64 3F E1 4A 32 DA 83 02 0F 42 61 37 7B E0 4E DC 34 56 D9 59 71 A7 A7 EE 96 1E 84 ED 17 76 8A 02 AB 63 1D 03 D1 EB CC 8F 42 E8 E6 53 DD 81 65 2B 32 46 CD 65 1E A2 10 4A 72 88 7D 07 F4 92 79 A8 60 16 2A 52 A6 E3 3E 9A 6D 2D 66 81 5C 6F 9F 6A 1A 2E 17 1F 2A 61 14 5F 9F 81 CF 61 7D B0 E5 90 B4 CB 1C 1C E3 0A 21 C0 61 06 A4 5D 83 27 91 FA 62 6E 70 04 A4 DA 9E D3 92 17 9D AA 83 AB

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information

HKEY_CURRENT_USER\SOFTWARE\Rmc-4NJUM7

licence

HKEY_CURRENT_USER\SOFTWARE\Rmc-4NJUM7

time

Memdumps

Base Address

Regiontype

Protect

Malicious

457000

unkown

page readonly

457000

unkown

page readonly

5CE000

heap

page read and write

248F000

stack

page read and write

5C0000

heap

page read and write

470000

unkown

page write copy

2280000

heap

page read and write

556000

heap

page read and write

476000

unkown

page readonly

80E000

stack

page read and write

2290000

heap

page read and write

400000

unkown

page readonly

473000

unkown

page read and write

9C000

stack

page read and write

560000

heap

page read and write

5CA000

heap

page read and write

20DE000

stack

page read and write

470000

unkown

page read and write

21E0000

heap

page read and write

401000

unkown

page execute read

22A0000

heap

page read and write

401000

unkown

page execute read

5AE000

stack

page read and write

550000

heap

page read and write

1F0000

heap

page read and write

476000

unkown

page readonly

400000

unkown

page readonly

7BF000

stack

page read and write

21DF000

stack

page read and write

19D000

stack

page read and write

There are 20 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe

Processes

URLs

IPs

Registry

Memdumps

IOC Report
1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe