Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Analysis ID:	1519624
MD5:	fada0c33bf7972b910f80e7233a8fd57
SHA1:	6b6ae977d686e446ec8028dbb0c9447c7fdec026
SHA256:	5413944edc2672c6634f665d6c6722cf21220ef49254d8fe42d0d63dc8826988
Tags:	exe
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops large PE files

Injects a PE file into a foreign processes

Installs a global keyboard hook

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Antivirus detection for URL or domain

Source: hotsdefender.webredirect.org

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "hotsdefender.webredirect.org:2404:1", "Assigned name": "AGOSTO2024", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Ag0s70JwbdycP5ikGBT/VhjSeXFA==-S28M8P", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "Key"}

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046D38C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

3_2_046D38C8

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046A7538 _wcslen,CoGetObject,

3_2_046A7538

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\ReleaseAI\win\Release\stubs\x86\Updater.pdb source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, TerminalIll.exe.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040F2B0 FindFirstFileW,GetLastError,FindClose,	0_2_0040F2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040F2B0 FindFirstFileW,GetLastError,FindClose,	3_2_0040F2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A96A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_046A96A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_046A928E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046BC322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_046BC322
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046AC388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_046AC388
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046ABD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_046ABD72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A7877 FindFirstFileW,FindNextFileW,	3_2_046A7877
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A8847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_046A8847
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046EE8F9 FindFirstFileExA,	3_2_046EE8F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046ABB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_046ABB6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046B9B86 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_046B9B86

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046A7CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_046A7CD2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49708 -> 5.34.182.173:2404

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: hotsdefender.webredirect.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 5.34.182.173:2404

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ITLASUA ITLASUA

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49710 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BB411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_046BB411

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: hotsdefender.webredirect.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255306822.00000000049F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255306822.00000000049F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp%
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255306822.00000000049F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpP
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AA2F3 SetWindowsHookExA 0000000D,046AA2DF,00000000

3_2_046AA2F3

Installs a global keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Jump to behavior

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AB749 OpenClipboard,GetClipboardData,CloseClipboard,

3_2_046AB749

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046B68FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_046B68FC

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AB749 OpenClipboard,GetClipboardData,CloseClipboard,

3_2_046AB749

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AA41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

3_2_046AA41B

Yara detected Keylogger Generic

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BCA73 SystemParametersInfoW,

3_2_046BCA73

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Drops large PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

File dump: TerminalIll.exe.0.dr 989587324

Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Process Stats: CPU usage > 49%

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046B67EF ExitWindowsEx,LoadLibraryA,GetProcAddress,

3_2_046B67EF

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_004140C0	0_2_004140C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_00417933	0_2_00417933
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040B1B0	0_2_0040B1B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040CA40	0_2_0040CA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0041C460	0_2_0041C460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040FC10	0_2_0040FC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_00410660	0_2_00410660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_004C7740	0_2_004C7740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_004140C0	3_2_004140C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_00417933	3_2_00417933
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040B1B0	3_2_0040B1B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040CA40	3_2_0040CA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0041C460	3_2_0041C460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040FC10	3_2_0040FC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_00410660	3_2_00410660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_004C7740	3_2_004C7740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046C742E	3_2_046C742E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D7566	3_2_046D7566
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DE5A8	3_2_046DE5A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D87F0	3_2_046D87F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D706A	3_2_046D706A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046B4005	3_2_046B4005
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DE11C	3_2_046DE11C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D81E8	3_2_046D81E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046F41D9	3_2_046F41D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046BF18B	3_2_046BF18B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046E6270	3_2_046E6270
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DE34B	3_2_046DE34B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046F33AB	3_2_046F33AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046C7C40	3_2_046C7C40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D7DB3	3_2_046D7DB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DDEED	3_2_046DDEED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D5EEB	3_2_046D5EEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046C6E9F	3_2_046C6E9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D797E	3_2_046D797E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D39D7	3_2_046D39D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046EDA49	3_2_046EDA49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046C7AD7	3_2_046C7AD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046BDBF3	3_2_046BDBF3

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 046A1E65 appears 34 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 004025B0 appears 42 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 046D4801 appears 41 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 046A2093 appears 50 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 046D4E70 appears 54 times

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000000.2058051661.00000000005E7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2276434355.00000000066DC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000000.2231279969.00000000005E7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_0040E400 FormatMessageW,GetLastError,

0_2_0040E400

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046B798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

3_2_046B798D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AF4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

3_2_046AF4AF

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_00404240 LoadResource,LockResource,SizeofResource,

0_2_00404240

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BAD09 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_046BAD09

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

File created: C:\Users\user\Pictures\TermianlConsole

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Mutant created: \Sessions\1\BaseNamedObjects\Ag0s70JwbdycP5ikGBT/VhjSeXFA==-S28M8P

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	String found in binary or memory: B0x%XMD5SHA256%s %s %s/checknowpurgenotifseenLastModifiedClientConfigPath.datServerConfigPathJustDownloadUpdatesStartMinimizedURLrestartapprestartappcmdstartappfirstNoGUIReducedGUIForceMSIBasicUIchecknowsilentsilentallsilentcritical/install
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	String found in binary or memory: AUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyproxydownloadsfolderUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	String found in binary or memory: AUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyproxydownloadsfolderUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	String found in binary or memory: AUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyproxydownloadsfolderUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: k7rn7l32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: ntd3ll.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static file information: File size 2680832 > 1048576

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16c200

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\ReleaseAI\win\Release\stubs\x86\Updater.pdb source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, TerminalIll.exe.0.dr

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_00410070 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_00410070

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: section name: .didat
Source: TerminalIll.exe.0.dr	Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046FE55D push esi; ret	3_2_046FE566
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046F7186 push ecx; ret	3_2_046F7199
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D4EB6 push ecx; ret	3_2_046D4EC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046FC9A2 pushfd ; retf	3_2_046FC9AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046F7AA8 push eax; ret	3_2_046F7AC6

Contains functionality to download and launch executables

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046A6EEB ShellExecuteW,URLDownloadToFileW,

3_2_046A6EEB

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

File created: C:\Users\user\Pictures\TermianlConsole\TerminalIll.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BAADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_046BAADB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdvancedUpdater			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdvancedUpdater			Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BCBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

3_2_046BCBE1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_00421890		0_2_00421890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_00421890		3_2_00421890

Delayed program exit found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AF7E2 Sleep,ExitProcess,

3_2_046AF7E2

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

3_2_046BA7D9

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Window / User API: threadDelayed 887	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Window / User API: threadDelayed 8617	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Window / User API: foregroundWindowGot 1762	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Dropped PE file which has not been started: C:\Users\user\Pictures\TermianlConsole\TerminalIll.exe

Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

API coverage: 8.9 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_00421890

3_2_00421890

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5764	Thread sleep count: 223 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5764	Thread sleep time: -111500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5460	Thread sleep count: 887 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5460	Thread sleep time: -2661000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5460	Thread sleep count: 8617 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5460	Thread sleep time: -25851000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040F2B0 FindFirstFileW,GetLastError,FindClose,	0_2_0040F2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040F2B0 FindFirstFileW,GetLastError,FindClose,	3_2_0040F2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A96A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_046A96A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_046A928E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046BC322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_046BC322
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046AC388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_046AC388
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046ABD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_046ABD72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A7877 FindFirstFileW,FindNextFileW,	3_2_046A7877
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A8847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_046A8847
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046EE8F9 FindFirstFileExA,	3_2_046EE8F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046ABB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_046ABB6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046B9B86 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_046B9B86

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046A7CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_046A7CD2

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255441723.0000000004A26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.0000000004A05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255306822.0000000004A05000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

API call chain: ExitProcess graph end node

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_0048A530 IsDebuggerPresent,OutputDebugStringW,

0_2_0048A530

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_00410070 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_00410070

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046E3355 mov eax, dword ptr fs:[00000030h]

3_2_046E3355

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_0048A813 GetProcessHeap,HeapFree,InterlockedPushEntrySList,

0_2_0048A813

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_004A6E63 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004A6E63
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_004A6E63 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_004A6E63
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_046D503C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D4A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_046D4A8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DBB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_046DBB71
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D4BD8 SetUnhandledExceptionFilter,	3_2_046D4BD8

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe base: 46A0000 value starts with: 4D5A

Jump to behavior

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

3_2_046B2132

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046B9662 mouse_event,

3_2_046B9662

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.0000000004A05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.0000000004A05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4515084168.0000000004A2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4515084168.0000000004A2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4515084168.0000000004A2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Program Manager]

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046D4CB6 cpuid

3_2_046D4CB6

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_0040C5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	3_2_0040C5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoA,	3_2_046AF90C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_046F24BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: EnumSystemLocalesW,	3_2_046E8484
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,	3_2_046F25C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_046F2690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: EnumSystemLocalesW,	3_2_046F201B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: EnumSystemLocalesW,	3_2_046F20B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_046F2143
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,	3_2_046F2393
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_046F1D58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: EnumSystemLocalesW,	3_2_046F1FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,	3_2_046E896D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_0040BEB0 GetSystemTime,SystemTimeToFileTime,GetLastError,

0_2_0040BEB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BB69E GetComputerNameExW,GetUserNameW,

3_2_046BB69E

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046E9210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

3_2_046E9210

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

3_2_046ABA4D

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		3_2_046ABB6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: \key3.db		3_2_046ABB6B

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

Contains functionality to launch a control a shell (cmd.exe)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: cmd.exe

3_2_046A569A

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.34.182.173	hotsdefender.webredirect.org	Ukraine		15626	ITLASUA	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

Contacted Domains

Name	IP	Active
hotsdefender.webredirect.org	5.34.182.173	true
geoplugin.net	178.237.33.50	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown
hotsdefender.webredirect.org	true	Avira URL Cloud: malware	unknown

AV Detection

Antivirus detection for URL or domain

Source: hotsdefender.webredirect.org

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046D38C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

3_2_046D38C8

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046A7538 _wcslen,CoGetObject,

3_2_046A7538

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\ReleaseAI\win\Release\stubs\x86\Updater.pdb source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, TerminalIll.exe.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040F2B0 FindFirstFileW,GetLastError,FindClose,	0_2_0040F2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040F2B0 FindFirstFileW,GetLastError,FindClose,	3_2_0040F2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A96A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_046A96A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_046A928E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046BC322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_046BC322
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046AC388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_046AC388
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046ABD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_046ABD72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A7877 FindFirstFileW,FindNextFileW,	3_2_046A7877
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A8847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_046A8847
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046EE8F9 FindFirstFileExA,	3_2_046EE8F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046ABB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_046ABB6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046B9B86 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_046B9B86

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046A7CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_046A7CD2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49708 -> 5.34.182.173:2404

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: hotsdefender.webredirect.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 5.34.182.173:2404

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ITLASUA ITLASUA

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49710 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BB411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_046BB411

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: hotsdefender.webredirect.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255306822.00000000049F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255306822.00000000049F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp%
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000003.2255306822.00000000049F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpP
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AA2F3 SetWindowsHookExA 0000000D,046AA2DF,00000000

3_2_046AA2F3

Installs a global keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Jump to behavior

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AB749 OpenClipboard,GetClipboardData,CloseClipboard,

3_2_046AB749

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046B68FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_046B68FC

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AB749 OpenClipboard,GetClipboardData,CloseClipboard,

3_2_046AB749

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AA41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

3_2_046AA41B

Yara detected Keylogger Generic

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BCA73 SystemParametersInfoW,

3_2_046BCA73

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Drops large PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

File dump: TerminalIll.exe.0.dr 989587324

Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Process Stats: CPU usage > 49%

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046B67EF ExitWindowsEx,LoadLibraryA,GetProcAddress,

3_2_046B67EF

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_004140C0	0_2_004140C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_00417933	0_2_00417933
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040B1B0	0_2_0040B1B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040CA40	0_2_0040CA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0041C460	0_2_0041C460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040FC10	0_2_0040FC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_00410660	0_2_00410660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_004C7740	0_2_004C7740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_004140C0	3_2_004140C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_00417933	3_2_00417933
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040B1B0	3_2_0040B1B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040CA40	3_2_0040CA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0041C460	3_2_0041C460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040FC10	3_2_0040FC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_00410660	3_2_00410660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_004C7740	3_2_004C7740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046C742E	3_2_046C742E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D7566	3_2_046D7566
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DE5A8	3_2_046DE5A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D87F0	3_2_046D87F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D706A	3_2_046D706A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046B4005	3_2_046B4005
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DE11C	3_2_046DE11C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D81E8	3_2_046D81E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046F41D9	3_2_046F41D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046BF18B	3_2_046BF18B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046E6270	3_2_046E6270
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DE34B	3_2_046DE34B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046F33AB	3_2_046F33AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046C7C40	3_2_046C7C40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D7DB3	3_2_046D7DB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DDEED	3_2_046DDEED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D5EEB	3_2_046D5EEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046C6E9F	3_2_046C6E9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D797E	3_2_046D797E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D39D7	3_2_046D39D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046EDA49	3_2_046EDA49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046C7AD7	3_2_046C7AD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046BDBF3	3_2_046BDBF3

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 046A1E65 appears 34 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 004025B0 appears 42 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 046D4801 appears 41 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 046A2093 appears 50 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: String function: 046D4E70 appears 54 times

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000000.2058051661.00000000005E7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2276434355.00000000066DC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000000.00000002.2275932941.0000000000607000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000000.2231279969.00000000005E7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Binary or memory string: OriginalFilenameupdater.exeB vs SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_0040E400 FormatMessageW,GetLastError,

0_2_0040E400

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046B798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

3_2_046B798D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AF4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

3_2_046AF4AF

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_00404240 LoadResource,LockResource,SizeofResource,

0_2_00404240

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BAD09 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_046BAD09

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

File created: C:\Users\user\Pictures\TermianlConsole

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Mutant created: \Sessions\1\BaseNamedObjects\Ag0s70JwbdycP5ikGBT/VhjSeXFA==-S28M8P

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	String found in binary or memory: B0x%XMD5SHA256%s %s %s/checknowpurgenotifseenLastModifiedClientConfigPath.datServerConfigPathJustDownloadUpdatesStartMinimizedURLrestartapprestartappcmdstartappfirstNoGUIReducedGUIForceMSIBasicUIchecknowsilentsilentallsilentcritical/install
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	String found in binary or memory: AUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyproxydownloadsfolderUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	String found in binary or memory: AUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyproxydownloadsfolderUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	String found in binary or memory: AUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyproxydownloadsfolderUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: k7rn7l32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: ntd3ll.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static file information: File size 2680832 > 1048576

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16c200

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\ReleaseAI\win\Release\stubs\x86\Updater.pdb source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, TerminalIll.exe.0.dr

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_00410070 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_00410070

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Static PE information: section name: .didat
Source: TerminalIll.exe.0.dr	Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046FE55D push esi; ret	3_2_046FE566
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046F7186 push ecx; ret	3_2_046F7199
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D4EB6 push ecx; ret	3_2_046D4EC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046FC9A2 pushfd ; retf	3_2_046FC9AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046F7AA8 push eax; ret	3_2_046F7AC6

Contains functionality to download and launch executables

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046A6EEB ShellExecuteW,URLDownloadToFileW,

3_2_046A6EEB

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

File created: C:\Users\user\Pictures\TermianlConsole\TerminalIll.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BAADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_046BAADB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdvancedUpdater			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdvancedUpdater			Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

3_2_046BCBE1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_00421890		0_2_00421890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_00421890		3_2_00421890

Delayed program exit found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046AF7E2 Sleep,ExitProcess,

3_2_046AF7E2

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

3_2_046BA7D9

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Window / User API: threadDelayed 887	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Window / User API: threadDelayed 8617	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Window / User API: foregroundWindowGot 1762	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Dropped PE file which has not been started: C:\Users\user\Pictures\TermianlConsole\TerminalIll.exe

Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

API coverage: 8.9 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_00421890

3_2_00421890

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5764	Thread sleep count: 223 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5764	Thread sleep time: -111500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5460	Thread sleep count: 887 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5460	Thread sleep time: -2661000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5460	Thread sleep count: 8617 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe TID: 5460	Thread sleep time: -25851000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_0040F2B0 FindFirstFileW,GetLastError,FindClose,	0_2_0040F2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_0040F2B0 FindFirstFileW,GetLastError,FindClose,	3_2_0040F2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A96A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_046A96A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_046A928E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046BC322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_046BC322
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046AC388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_046AC388
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046ABD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_046ABD72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A7877 FindFirstFileW,FindNextFileW,	3_2_046A7877
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046A8847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_046A8847
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046EE8F9 FindFirstFileExA,	3_2_046EE8F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046ABB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_046ABB6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046B9B86 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_046B9B86

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046A7CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_046A7CD2

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

API call chain: ExitProcess graph end node

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_0048A530 IsDebuggerPresent,OutputDebugStringW,

0_2_0048A530

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_00410070 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_00410070

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046E3355 mov eax, dword ptr fs:[00000030h]

3_2_046E3355

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_0048A813 GetProcessHeap,HeapFree,InterlockedPushEntrySList,

0_2_0048A813

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 0_2_004A6E63 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004A6E63
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_004A6E63 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_004A6E63
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_046D503C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D4A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_046D4A8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046DBB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_046DBB71
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: 3_2_046D4BD8 SetUnhandledExceptionFilter,	3_2_046D4BD8

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe base: 46A0000 value starts with: 4D5A

Jump to behavior

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

3_2_046B2132

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046B9662 mouse_event,

3_2_046B9662

Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.0000000004A05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.0000000004A05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4515084168.0000000004A2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4515084168.0000000004A2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4515084168.0000000004A2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.3521.549.exe, 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Program Manager]

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046D4CB6 cpuid

3_2_046D4CB6

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_0040C5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	3_2_0040C5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoA,	3_2_046AF90C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_046F24BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: EnumSystemLocalesW,	3_2_046E8484
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,	3_2_046F25C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_046F2690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: EnumSystemLocalesW,	3_2_046F201B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: EnumSystemLocalesW,	3_2_046F20B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_046F2143
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,	3_2_046F2393
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_046F1D58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: EnumSystemLocalesW,	3_2_046F1FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: GetLocaleInfoW,	3_2_046E896D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 0_2_0040BEB0 GetSystemTime,SystemTimeToFileTime,GetLastError,

0_2_0040BEB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046BB69E GetComputerNameExW,GetUserNameW,

3_2_046BB69E

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: 3_2_046E9210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

3_2_046E9210

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

3_2_046ABA4D

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		3_2_046ABB6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe	Code function: \key3.db		3_2_046ABB6B

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.6300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.51c42e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.46a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Evo-gen.3521.549.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4514531527.00000000046A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4514898457.00000000049A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2275798447.000000000051C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2276278471.0000000006300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 5532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.3521.549.exe PID: 6540, type: MEMORYSTR

Contains functionality to launch a control a shell (cmd.exe)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Code function: cmd.exe

3_2_046A569A

ID:	1519624
Product:	CloudBasic
Start time:	18:43:14
Start date:	26.09.2024
Sample:	SecuriteInfo.com.Win32.Evo-gen.3521.549.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	fada0c33bf7972b910f80e7233a8fd57
SHA1:	6b6ae977d686e446ec8028dbb0c9447c7fdec026
SHA256:	5413944edc2672c6634f665d6c6722cf21220ef49254d8fe42d0d63dc8826988
Filetype:	Win32 Executable (generic) a (10002005/4) 98.81%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json	JSON data	18BC6D34FABB00C1E30D98E8DAEC814A	D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54	862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
C:\Users\user\AppData\Roaming\Key\logs.dat	data	F41A444B60E8D70A3B73227AA560D95D	94FDEC5CA1D8AD5A8B43B79DE640B892C4F7F864	F17F00E20731F564FE47F8B0457AAF4CCEF7351930E78935CE9C13D83A80D336
C:\Users\user\Pictures\TermianlConsole\TerminalIll.exe	PE32 executable (GUI) Intel 80386, for MS Windows	15F5D8FB64D019A533C54B04AA06D800	E306EE2C6130949DCAB5EC8F51F02C1EB7649641	97EA1F93B31260057AB7024DA973979AC23A00F36CCE5E8E15C9986B49420070

Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.3521.549.exe

Malware Threat Intel
Provided by