
IMG-ZIRAATI03102022.exe

Status: finished
Submission Time: 2022-10-03 15:56:17 +02:00
Classification: Malicious, Trojan, Spyware, Evader, Remcos

Tags

  • exe
  • geo
  • RemcosRAT
  • TUR
  • ZiraatBank

Details

  • Analysis ID:
    715079
  • API (Web) ID:
    1082521
  • Analysis Started:
    2022-10-03 16:01:00 +02:00
  • Analysis Finished:
    2022-10-03 16:14:05 +02:00
  • MD5:
    3b4a0b66d0415af1e216224497c59b4b
  • SHA1:
    d5f559097a703f155bad6b8610a48ea2dbd68b27
  • SHA256:
    95c80a6add91050a965c4d38e3db1736c7cfc8c286e87c9d1c3aeb46ee3a95de
  • Technologies:

Verdict: malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211

Scores: 100/100, 19/71, 11/42 (all malicious)

IPs

  • 79.134.225.75 (Switzerland)
  • 149.154.167.220 (United Kingdom)
  • 144.76.120.25 (Germany)
  • 178.237.33.50 (Netherlands)

Domains

  • remcapi.duckdns.org (79.134.225.75)
  • geoplugin.net (178.237.33.50)
  • www.uplooder.net (144.76.120.25)
  • api.telegram.org (149.154.167.220)

URLs


Dropped files

  • C:\ProgramData\work\FILE.EXE
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\ProgramData\work\FILE.EXE:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IMG-ZIRAATI03102022.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\install.vbs
    data
  • C:\Users\user\AppData\Roaming\FILE.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Roaming\FILE.exe:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\ProgramData\remcos\logs.dat
    data
  • C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FILE.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\json[1].json
    JSON data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eijp20js.dii.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrha0431.05b.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nrxaxftx.vxf.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rvimo0ac.yrw.psm1
    very short file (no magic)