Windows Analysis Report
17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe

Overview

General Information

Sample name: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe
Analysis ID: 1561336
MD5: c79d2fae260eb141b5abdef70699b2f7
SHA1: 3f4602c889b5a8da7a3899340913338610eb444d
SHA256: 39f13c40aa478d6c1d0523d2710ae9144162054f0b754f8af151fea3b3bbfcae
Tags: base64-decodedexeuser-abuse_ch
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Avira: detected
Antivirus detection for URL or domain
Source: shilajat.duckdns.org Avira URL Cloud: Label: malware
Found malware configuration
Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack Malware Configuration Extractor: Remcos {"Host:Port:Password": ["shilajat.duckdns.org:2404:1"], "Assigned name": "Pastnov", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "shilajit-ISLNRR", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "Book.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "Asus"}
Multi AV Scanner detection for submitted file
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe ReversingLabs: Detection: 86%
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Virustotal: Detection: 79% Perma Link
Yara detected Remcos RAT
Source: Yara match File source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_004338C8
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_8bf0c812-7

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00407538 _wcslen,CoGetObject, 0_2_00407538
Uses 32bit PE files
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040928E
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C322
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C388
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_004096A0
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_00408847
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00407877 FindFirstFileW,FindNextFileW, 0_2_00407877
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BB6B
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419B86
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BD72
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407CD2

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49730 -> 154.216.17.204:2404
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: shilajat.duckdns.org
Uses dynamic DNS services
Source: unknown DNS query: name: shilajat.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 154.216.17.204:2404
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49731 -> 178.237.33.50:80
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_0041B411
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: shilajat.duckdns.org
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1963749907.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1963749907.00000000007FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1963749907.00000000007FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp%1
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpSystem32

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 0_2_0040A2F3
Installs a global keyboard hook
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, 0_2_0040B749
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_004168FC
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, 0_2_0040B749
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 0_2_0040A41B
Yara detected Keylogger Generic
Source: Yara match File source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041CA6D SystemParametersInfoW, 0_2_0041CA6D
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041CA73 SystemParametersInfoW, 0_2_0041CA73

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 0_2_0041330D
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle, 0_2_0041BBC6
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle, 0_2_0041BB9A
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_004167EF
Detected potential crypto function
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0043706A 0_2_0043706A
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00414005 0_2_00414005
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0043E11C 0_2_0043E11C
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_004541D9 0_2_004541D9
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_004381E8 0_2_004381E8
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041F18B 0_2_0041F18B
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00446270 0_2_00446270
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0043E34B 0_2_0043E34B
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_004533AB 0_2_004533AB
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0042742E 0_2_0042742E
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00437566 0_2_00437566
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0043E5A8 0_2_0043E5A8
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_004387F0 0_2_004387F0
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0043797E 0_2_0043797E
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_004339D7 0_2_004339D7
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0044DA49 0_2_0044DA49
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00427AD7 0_2_00427AD7
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041DBF3 0_2_0041DBF3
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00427C40 0_2_00427C40
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00437DB3 0_2_00437DB3
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00435EEB 0_2_00435EEB
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0043DEED 0_2_0043DEED
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00426E9F 0_2_00426E9F
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: String function: 00401E65 appears 35 times
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: String function: 00434E70 appears 54 times
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: String function: 00434801 appears 42 times
Uses 32bit PE files
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_0041798D
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 0_2_0040F4AF
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_0041B539
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AADB
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Mutant created: \Sessions\1\BaseNamedObjects\shilajit-ISLNRR
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: Software\ 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: shilajit-ISLNRR 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: Exe 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: Exe 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: shilajit-ISLNRR 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: (TG 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: ,aF 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: Inj 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: Inj 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: @*| 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: @*| 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: @*| 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: HSG 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: @*| 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: exepath 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: ,aF 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: HSG 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: exepath 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: @*| 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: licence 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: tMG 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: `SG 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: Administrator 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: User 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: del 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: del 0_2_0040EA00
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Command line argument: del 0_2_0040EA00
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe ReversingLabs: Detection: 86%
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Virustotal: Detection: 79%
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00457186 push ecx; ret 0_2_00457199
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041C7F3 push eax; retf 0_2_0041C7FD
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00457AA8 push eax; ret 0_2_00457AC6
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00434EB6 push ecx; ret 0_2_00434EC9
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW, 0_2_00406EEB
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AADB
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Delayed program exit found
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040F7E2 Sleep,ExitProcess, 0_2_0040F7E2
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_0041A7D9
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Window / User API: threadDelayed 9342 Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Window / User API: foregroundWindowGot 1768 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe TID: 7316 Thread sleep count: 234 > 30 Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe TID: 7316 Thread sleep time: -117000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe TID: 7320 Thread sleep count: 158 > 30 Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe TID: 7320 Thread sleep time: -474000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe TID: 7320 Thread sleep count: 9342 > 30 Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe TID: 7320 Thread sleep time: -28026000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040928E
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C322
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C388
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_004096A0
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_00408847
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00407877 FindFirstFileW,FindNextFileW, 0_2_00407877
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BB6B
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419B86
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BD72
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407CD2
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359128763.0000000000838000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1964035663.0000000000838000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWoO
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359128763.0000000000838000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1964035663.0000000000838000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00434A8A
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00443355 mov eax, dword ptr fs:[00000030h] 0_2_00443355
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_004120B2 GetProcessHeap,HeapFree, 0_2_004120B2
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043503C
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00434A8A
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043BB71
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00434BD8 SetUnhandledExceptionFilter, 0_2_00434BD8
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00412132
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00419662 mouse_event, 0_2_00419662
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerost:i
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359128763.0000000000831000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359128763.0000000000831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager-]i
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1963749907.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager]i
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager!i
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager4i
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerES-PC
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager`i;
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managernet/
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageroi2
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1963749907.0000000000823000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerVi5
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00434CB6 cpuid 0_2_00434CB6
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: GetLocaleInfoA, 0_2_0040F90C
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_0045201B
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_004520B6
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452143
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_00452393
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_00448484
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004524BC
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_004525C3
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452690
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_0044896D
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00451D58
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_00451FD0
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread, 0_2_00404F51
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0041B69E GetComputerNameExW,GetUserNameW, 0_2_0041B69E
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: 0_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_0044942D
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040BA4D
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040BB6B
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: \key3.db 0_2_0040BB6B

Remote Access Functionality
barindex
Yara detected Remcos RAT
Source: Yara match File source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe Code function: cmd.exe 0_2_0040569A
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
154.216.17.204
 shilajat.duckdns.org Seychelles
135357 SKHT-ASShenzhenKatherineHengTechnologyInformationCo true
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false

Contacted Domains

Name IP Active
shilajat.duckdns.org 154.216.17.204 true
geoplugin.net 178.237.33.50 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://geoplugin.net/json.gp false
    		high
    shilajat.duckdns.org true
    • Avira URL Cloud: malware
    		 unknown