Register Login

sloganpng

top title background image

IMG-ZIRAATI03102022.exe

Status: finished

Submission Time: 2022-10-03 15:56:17 +02:00

Malicious

Trojan

Spyware

Evader

Remcos

Comments

Tags

Details

Analysis ID:
715079
API (Web) ID:
1082521
Analysis Started:

2022-10-03 16:01:00 +02:00
Analysis Finished:

2022-10-03 16:14:05 +02:00
MD5:
3b4a0b66d0415af1e216224497c59b4b
SHA1:
d5f559097a703f155bad6b8610a48ea2dbd68b27
SHA256:
95c80a6add91050a965c4d38e3db1736c7cfc8c286e87c9d1c3aeb46ee3a95de
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 19/71

malicious

Score: 11/42

malicious

malicious

IPs

IP	Country	Detection
79.134.225.75	Switzerland
149.154.167.220	United Kingdom
144.76.120.25	Germany
Click to see the 1 hidden entries
178.237.33.50	Netherlands

Domains

Name	IP	Detection
remcapi.duckdns.org	79.134.225.75
geoplugin.net	178.237.33.50
www.uplooder.net	144.76.120.25
Click to see the 1 hidden entries
api.telegram.org	149.154.167.220

URLs

Name	Detection
remcapi.duckdns.org
http://james.newtonking.com/projects/json
http://geoplugin.net/json.gp
Click to see the 15 hidden entries
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://api.telegram.org
https://www.nuget.org/packages/Newtonsoft.Json.Bson
https://www.newtonsoft.com/json
https://www.uplooder.net/img/image/57/b15c1f2fa18efb7b0a2e9e577171ed5d/IMG-ZIRAATI03102022-Wqnntgku.
https://www.uplooder.net
https://api.telegram
https://api.telegram.org45k$1
https://www.uplooder.net/img/image/57/b15c1f2fa18efb7b0a2e9e577171ed5d/IMG-ZIRAATI03102022-Wqnntgku.jpg
https://www.newtonsoft.com/jsonschema
https://api.telegram.org/bot5700424484:AAHP7I1VQ--kj9KZNXGLeSEyqUKvt4ILTyk/sendMessage?chat_id=1391434830&text=%0D%0A%F0%9F%94%8A%20NEW%20EXECUTION%0D%0A1%EF%B8%8F%E2%83%A3%20User%20=%20user%0D%0A2%EF%B8%8F%E2%83%A3%20Date%20UTC%20=%2010/3/2022%2011:03:09%20PM%0D%0A3%EF%B8%8F%E2%83%A3%20File%20=%20IMG-ZIRAATI03102022.exe
https://api.telegram.org/bot5700424484:AAHP7I1VQ--kj9KZNXGLeSEyqUKvt4ILTyk/sendMessage?chat_id=13914
http://geoplugin.net/json.gp/C
https://api.telegram.org/bot
https://api.telegram.org

Dropped files

Name	File Type	Hashes	Detection
C:\ProgramData\work\FILE.EXE	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\ProgramData\work\FILE.EXE:Zone.Identifier	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IMG-ZIRAATI03102022.exe.log	ASCII text, with CRLF line terminators	#
Click to see the 12 hidden entries
C:\Users\user\AppData\Local\Temp\install.vbs	data	#
C:\Users\user\AppData\Roaming\FILE.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Roaming\FILE.exe:Zone.Identifier	ASCII text, with CRLF line terminators	#
C:\ProgramData\remcos\logs.dat	data	#
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FILE.exe.log	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\json[1].json	JSON data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eijp20js.dii.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrha0431.05b.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nrxaxftx.vxf.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rvimo0ac.yrw.psm1	very short file (no magic)	#