Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.607510368640178
Filename:	TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Filesize:	7649280
MD5:	fb652b5ff3a97ebbb8c9bf69c7010c1c
SHA1:	49acdeb895d801dd4439fad35337b19baca56d65
SHA256:	4d37f7aea76ccb788710e7d3a8d2553964142a835115a9f0768f33b286400352
SHA512:	371530bd53d32ef3d3f98c833186c17ee62901826b37a3dab762217ca4a41b2cb9b70e90c5b0cb6d190eada569554001b73e406f442ee29c2549b7f140c4032a
SSDEEP:	196608:OFltGUFFD+Uo2jWZBvJ8cQhjZUsd8QZFupe:AtFFD+UNjWZBIhDZ5
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Detected Remcos RAT	Remote Access Functionality	Remote Access Software
Malicious sample detected (through community Yara rule)	System Summary	Security Software Discovery
Multi AV Scanner detection for submitted file	AV Detection
Drops large PE files	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Abnormal high CPU Usage	System Summary	Process Injection
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)	System Summary
Contains functionality to call native functions	System Summary	Security Software Discovery
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Launches processes in debugging mode, may be used to hinder debugging	Anti Debugging	Disable or Modify Tools
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
PE file contains an invalid checksum	Data Obfuscation	Security Software Discovery
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder Security Software Discovery
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
Public key (encryption) found	Cryptography
Reads software policies	System Summary	System Information Discovery
Reads the hosts file	System Summary	Security Software Discovery Remote System Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\remcos\logs.dat

data

dropped

Details

File:	C:\ProgramData\remcos\logs.dat
Category:	dropped
Dump:	logs.dat.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Type:	data
Entropy:	3.4635588344265
Encrypted:	false
Ssdeep:	12:6lzpNFec0WFe5BWFe5BWdBhTcemOSJOW+:6RpNgc0WqBWqBWVmFOW+
Size:	462
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information

C:\Users\user\Music\ZentimoDesignerUpdater\ZentimoVideo.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\Music\ZentimoDesignerUpdater\ZentimoVideo.exe
Category:	dropped
Dump:	ZentimoVideo.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	0.10198765652193818
Encrypted:	false
Size:	977447173
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe

"C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3320
Target ID:	0
Parent PID:	1244
Name:	TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Path:	C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Commandline:	"C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe"
Size:	7649280
MD5:	FB652B5FF3A97EBBB8C9BF69C7010C1C
Time:	16:41:34
Date:	20/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	8253440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Launches processes in debugging mode, may be used to hinder debugging	Anti Debugging	Disable or Modify Tools
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Detected Delphi use of System.ParamCount	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe

"C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3444
Target ID:	2
Parent PID:	3320
Name:	TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Path:	C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Commandline:	"C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe"
Size:	7649280
MD5:	FB652B5FF3A97EBBB8C9BF69C7010C1C
Time:	16:41:51
Date:	20/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	8253440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Launches processes in debugging mode, may be used to hinder debugging	Anti Debugging	Disable or Modify Tools
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Detected Delphi use of System.ParamCount	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

alfredoperezpu1405.con-ip.com

http://zentimo.com/allVersions.htmP

unknown

http://zentimo.com/enterkey.htmU

unknown

http://zentimo.com/blog/how-to-use-skins/U

unknown

http://geoplugin.net/json.gp/C

unknown

http://zentimo.com/common/userdebugreport.phpU

unknown

http://zentimo.com/enterkey.htm?sm=regform

unknown

http://zentimo.com/readaboutpro.htmU

unknown

http://zentimo.com/allVersions.htmU

unknown

http://www.safelyremove.com

unknown

http://zentimo.com/order.htm

unknown

http://zentimo.com/restoreLicKey.htm?sm=regformU

unknown

http://www.indyproject.org/

unknown

http://zentimo.com/common/convert-license-key-svc?key=

unknown

http://zentimo.com/download.htm?sm=ServiceWrArch

unknown

http://zentimo.com/versioninfo/vernew.htm?

unknown

http://zentimo.com/download.htm?sm=ServiceWrVerU

unknown

http://zentimo.com

unknown

http://zentimo.com/blog/how-to-use-skins/

unknown

http://zentimo.com/download.htm?sm=CrackedVer_WrArch

unknown

There are 10 hidden URLs, click here to show them.

Domains

Name

Malicious

alfredoperezpu1405.con-ip.com

0.0.0.0

Details

Name:	alfredoperezpu1405.con-ip.com
IP:	0.0.0.0
TargetID:	2
Current Path:	C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

ZentimoDesignerEditor

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name:	ZentimoDesignerEditor
Value data:	C:\Users\user\Music\ZentimoDesignerUpdater\ZentimoVideo.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

HKEY_CURRENT_USER\Software\Rmc-NK89SF

exepath

HKEY_CURRENT_USER\Software\Rmc-NK89SF

licence

HKEY_CURRENT_USER\Software\Rmc-NK89SF

time

Memdumps

Base Address

Regiontype

Protect

Malicious

2F0000

direct allocation

page execute and read and write

ADF000

unkown

page execute and read and write

D24000

heap

page read and write

283F000

stack

page read and write

340E000

stack

page read and write

315F000

stack

page read and write

2BBF000

direct allocation

page read and write

C97000

heap

page read and write

9E7000

unkown

page readonly

2E8E000

stack

page read and write

2D4E000

direct allocation

page read and write

B6E000

unkown

page execute and read and write

95C000

unkown

page write copy

516000

unkown

page execute read

CED000

stack

page read and write

B60000

unkown

page execute and read and write

368000

direct allocation

page execute and read and write

EB0000

heap

page read and write

293F000

stack

page read and write

270000

heap

page read and write

C1E000

stack

page read and write

C8F000

heap

page read and write

265D000

heap

page read and write

2649000

direct allocation

page read and write

2D1C000

direct allocation

page read and write

C30000

heap

page read and write

2B3F000

stack

page read and write

B7E000

unkown

page readonly

234000

remote allocation

page execute and read and write

CB5000

heap

page read and write

9CB000

unkown

page readonly

2E4F000

stack

page read and write

2B52000

direct allocation

page read and write

B73000

unkown

page readonly

38C000

stack

page read and write

2D10000

direct allocation

page read and write

2D08000

direct allocation

page read and write

415000

unkown

page execute read

335F000

stack

page read and write

F10000

heap

page read and write

2CF9000

direct allocation

page read and write

368E000

stack

page read and write

908000

unkown

page write copy

BB5000

unkown

page execute and read and write

A22000

unkown

page readonly

F16000

heap

page read and write

2ECE000

stack

page read and write

955000

unkown

page read and write

B6A000

unkown

page readonly

10000

heap

page read and write

401000

unkown

page execute read

2A3F000

stack

page read and write

C6D000

heap

page read and write

378F000

stack

page read and write

231000

remote allocation

page execute and read and write

2B69000

direct allocation

page read and write

C90000

heap

page read and write

325F000

stack

page read and write

354F000

stack

page read and write

C36000

heap

page read and write

D07000

heap

page read and write

28C000

stack

page read and write

219000

remote allocation

page execute and read and write

908000

unkown

page read and write

E7E000

stack

page read and write

2630000

direct allocation

page read and write

364F000

stack

page read and write

2B84000

direct allocation

page read and write

B5C000

unkown

page readonly

BB1000

unkown

page readonly

188000

stack

page read and write

3390000

heap

page read and write

8D000

stack

page read and write

D00000

heap

page read and write

10000

heap

page read and write

2EF0000

heap

page read and write

400000

unkown

page readonly

41A000

unkown

page execute read

923000

unkown

page write copy

350F000

stack

page read and write

B76000

unkown

page execute and read and write

E3D000

stack

page read and write

B83000

unkown

page execute and read and write

F00000

heap

page read and write

2644000

direct allocation

page read and write

2640000

heap

page read and write

3020000

heap

page read and write

There are 77 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
TRANSFERENCIA ACH NO 987685745658790976587465789.exe.bin

Files

Processes

URLs

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportTRANSFERENCIA ACH NO 987685745658790976587465789.exe.bin

Files

Processes

URLs

Domains

Registry

Memdumps

IOC Report
TRANSFERENCIA ACH NO 987685745658790976587465789.exe.bin