Windows Analysis Report
1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe

Overview

General Information

Sample name: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe
Analysis ID: 1525554
MD5: af9d6cdc4ff098c170ad543c236e6e0a
SHA1: eb3dd66a5e96512f94fd29b07d2ac277d66b30b6
SHA256: 372cbc51a06856ab5865659790ec01821c095afda53e177256eebe1ae4af5b6a
Tags: base64-decodedexeuser-abuse_ch
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "ab9001.ddns.net:31944:1", "Assigned name": "OCTOBERs", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "VLC.exe", "Startup value": "Rmc", "Hide file": "Disable", "Mutex": "Chrorne-CKQJ2Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Multi AV Scanner detection for domain / URL
Source: ab9001.ddns.net Virustotal: Detection: 15% Perma Link
Source: ab9001.ddns.net Virustotal: Detection: 15% Perma Link
Multi AV Scanner detection for submitted file
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Virustotal: Detection: 83% Perma Link
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe ReversingLabs: Detection: 89%
Yara detected Remcos RAT
Source: Yara match File source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3790231384.000000000227F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3789902446.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1345113615.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe PID: 7824, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_004315EC
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789902446.0000000000456000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_dfbdb724-c
Uses 32bit PE files
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041A01B
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040B28E
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040838E
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_004087A0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_00407848
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004068CD FindFirstFileW,FindNextFileW, 0_2_004068CD
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0044BA59 FindFirstFileExA, 0_2_0044BA59
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040AA71
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00417AAB
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040AC78
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00406D28

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49725 -> 64.188.16.157:31944
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49850 -> 64.188.16.157:31944
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49979 -> 64.188.16.157:31944
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49974 -> 64.188.16.157:31944
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49978 -> 64.188.16.157:31944
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49977 -> 64.188.16.157:31944
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49982 -> 64.188.16.157:31944
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49980 -> 64.188.16.157:31944
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49976 -> 64.188.16.157:31944
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49981 -> 64.188.16.157:31944
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49983 -> 64.188.16.157:31944
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: ab9001.ddns.net
Uses dynamic DNS services
Source: unknown DNS query: name: ab9001.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.9:49725 -> 64.188.16.157:31944
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 64.188.16.157 64.188.16.157
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00424A66 recv, 0_2_00424A66
Source: global traffic DNS traffic detected: DNS query: ab9001.ddns.net
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe String found in binary or memory: http://geoplugin.net/json.gp/C

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000 0_2_00409340
Installs a global keyboard hook
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, 0_2_0040A65A
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_00414EC1
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, 0_2_0040A65A
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 0_2_00409468

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3790231384.000000000227F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3789902446.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1345113615.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe PID: 7824, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0041A76C SystemParametersInfoW, 0_2_0041A76C

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000000.00000002.3789902446.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000000.1345113615.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe PID: 7824, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Process Stats: CPU usage > 49%
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_00414DB4
Detected potential crypto function
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00425152 0_2_00425152
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00435286 0_2_00435286
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004513D4 0_2_004513D4
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0045050B 0_2_0045050B
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00436510 0_2_00436510
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004316FB 0_2_004316FB
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0043569E 0_2_0043569E
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00443700 0_2_00443700
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004257FB 0_2_004257FB
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004128E3 0_2_004128E3
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00425964 0_2_00425964
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0041B917 0_2_0041B917
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0043D9CC 0_2_0043D9CC
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00435AD3 0_2_00435AD3
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00424BC3 0_2_00424BC3
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0043DBFB 0_2_0043DBFB
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0044ABA9 0_2_0044ABA9
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00433C0B 0_2_00433C0B
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00434D8A 0_2_00434D8A
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0043DE2A 0_2_0043DE2A
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0041CEAF 0_2_0041CEAF
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00435F08 0_2_00435F08
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: String function: 00432525 appears 42 times
Uses 32bit PE files
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000000.00000002.3789902446.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000000.1345113615.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe PID: 7824, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@1/1@4/1
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_00415C90
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, 0_2_0040E2E7
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_00419493
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_00418A00
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Mutant created: \Sessions\1\BaseNamedObjects\Chrorne-CKQJ2Y
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: Software\ 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: Chrorne-CKQJ2Y 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: Exe 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: Exe 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: Chrorne-CKQJ2Y 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: (#G 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: Inj 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: Inj 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: Inj 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: Chrorne-CKQJ2Y 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: origmsc 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: Rmc 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: XIK 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: XIK 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: XIK 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: H"G 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: XIK 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: exepath 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: H"G 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: exepath 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: XIK 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: licence 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: `"G 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: Administrator 0_2_0040D3F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Command line argument: User 0_2_0040D3F0
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Virustotal: Detection: 83%
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Section loaded: cryptbase.dll Jump to behavior
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041A8DA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004542E6 push ecx; ret 0_2_004542F9
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00432BD6 push ecx; ret 0_2_00432BE9
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00454C08 push eax; ret 0_2_00454C26
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004063C6 ShellExecuteW,URLDownloadToFileW, 0_2_004063C6
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_00418A00
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041A8DA
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Delayed program exit found
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0040E18D Sleep,ExitProcess, 0_2_0040E18D
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_004186FE
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Window / User API: threadDelayed 5450 Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Window / User API: threadDelayed 4039 Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Window / User API: foregroundWindowGot 1775 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe API coverage: 8.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe TID: 7848 Thread sleep count: 235 > 30 Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe TID: 7848 Thread sleep time: -117500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe TID: 7852 Thread sleep count: 5450 > 30 Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe TID: 7852 Thread sleep time: -16350000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe TID: 7852 Thread sleep count: 4039 > 30 Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe TID: 7852 Thread sleep time: -12117000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041A01B
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040B28E
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040838E
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_004087A0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_00407848
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004068CD FindFirstFileW,FindNextFileW, 0_2_004068CD
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0044BA59 FindFirstFileExA, 0_2_0044BA59
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040AA71
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00417AAB
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040AC78
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00406D28
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004327AE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041A8DA
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004407B5 mov eax, dword ptr fs:[00000030h] 0_2_004407B5
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 0_2_00410763
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004327AE
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004328FC SetUnhandledExceptionFilter, 0_2_004328FC
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004398AC
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00432D5C
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00410B5C
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004175E1 mouse_event, 0_2_004175E1
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerhn
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerijk)
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerc
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerEM
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managers.net:31944
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerPjr)
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXe!)
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager4eE)
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager]n&)
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerfj`)
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager,
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager)e^)
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerina/
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerZn
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerOn()P
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerCe()
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager1
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager&eW)
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerM(
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager>
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr Binary or memory string: [Program Manager]
Source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerMe:)
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004329DA cpuid 0_2_004329DA
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_0044F17B
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_0044F130
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_0044F216
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0044F2A3
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: GetLocaleInfoA, 0_2_0040E2BB
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_0044F4F3
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0044F61C
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_0044F723
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0044F7F0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_00445914
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_00445E1C
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_0044EEB8
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_0040A0B0 GetLocalTime,wsprintfW, 0_2_0040A0B0
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004195F8 GetComputerNameExW,GetUserNameW, 0_2_004195F8
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: 0_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_004466BF
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3790231384.000000000227F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3789902446.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1345113615.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe PID: 7824, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040A953
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040AA71
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: \key3.db 0_2_0040AA71

Remote Access Functionality
barindex
Yara detected Remcos RAT
Source: Yara match File source: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3790231384.000000000227F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3789902446.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1345113615.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3789994357.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe PID: 7824, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe Code function: cmd.exe 0_2_0040567A
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
64.188.16.157
 ab9001.ddns.net United States
8100 ASN-QUADRANET-GLOBALUS true

Contacted Domains

Name IP Active
s-part-0032.t-0009.t-msedge.net 13.107.246.60 true
ab9001.ddns.net 64.188.16.157 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
ab9001.ddns.net true unknown