Windows Analysis Report
xcYJfxDKL0Sk.exe

Overview

General Information

Sample Name: xcYJfxDKL0Sk.exe
Analysis ID: 1345576
MD5: a75658c26b3c3ef739148060446b8d9b
SHA1: d8ca42c0a901edea00fedce2d306e8e09bf27c91
SHA256: 3a2bc0787d73f2e92b71865154496cef6c1a983c4137f16c3733c1663295fc43
Tags: exeRemcos
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected UAC Bypass using CMSTP
Contains functionality to bypass UAC (CMSTPLUA)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Sigma detected: Remcos
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Connects to many ports of the same IP (likely port scanning)
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionalty to change the wallpaper
Deletes itself after installation
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Contains functionality to retrieve information about pressed keystrokes
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality for read data from the clipboard

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Found malware configuration
Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack Malware Configuration Extractor: Remcos {"Version": "4.9.2 Pro", "Host:Port:Password": "0.tcp.sa.ngrok.io:14096:1", "Assigned name": "RemoteHost (em ingls)", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7QVKVR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de tela", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Multi AV Scanner detection for submitted file
Source: xcYJfxDKL0Sk.exe Virustotal: Detection: 80% Perma Link
Yara detected Remcos RAT
Source: Yara match File source: xcYJfxDKL0Sk.exe, type: SAMPLE
Source: Yara match File source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR
Antivirus / Scanner detection for submitted sample
Source: xcYJfxDKL0Sk.exe Avira: detected
Antivirus detection for URL or domain
Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C URL Reputation: Label: phishing
Source: 0.tcp.sa.ngrok.io Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: 0.tcp.sa.ngrok.io Virustotal: Detection: 14% Perma Link
Source: 0.tcp.sa.ngrok.io Virustotal: Detection: 14% Perma Link
Machine Learning detection for sample
Source: xcYJfxDKL0Sk.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00433785 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_00433785
Source: xcYJfxDKL0Sk.exe, 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_e80f468d-2

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: xcYJfxDKL0Sk.exe, type: SAMPLE
Source: Yara match File source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_004074FD _wcslen,CoGetObject, 0_2_004074FD
Uses 32bit PE files
Source: xcYJfxDKL0Sk.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041C1DF FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C1DF
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00409253
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040C29B FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C29B
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00409665
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_0040880C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040783C FindFirstFileW,FindNextFileW, 0_2_0040783C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00419A43 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419A43
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040BA7E FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BA7E
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040BC85 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BC85
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407C97

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 54.94.248.37 ports 14096,0,1,4,6,9
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 0.tcp.sa.ngrok.io
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49729 -> 54.94.248.37:14096
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.00000000006A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.00000000006A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/X
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.0000000000680000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.0000000000690000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: xcYJfxDKL0Sk.exe String found in binary or memory: http://geoplugin.net/json.gp/C
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1664670142.0000000000673000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1664172887.000000000067A000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.000000000063E000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.0000000000680000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp5
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.0000000000680000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp8
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.00000000006A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1664670142.0000000000673000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1664172887.000000000067A000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.0000000000680000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpb
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.0000000000680000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpl
Source: unknown DNS traffic detected: queries for: 0.tcp.sa.ngrok.io
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041B2CE InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_0041B2CE
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 0_2_0040A2B8
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041680F OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_0041680F
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040B65C OpenClipboard,GetClipboardData,CloseClipboard, 0_2_0040B65C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 0_2_0040A3E0
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040B65C OpenClipboard,GetClipboardData,CloseClipboard, 0_2_0040B65C

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: xcYJfxDKL0Sk.exe, type: SAMPLE
Source: Yara match File source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041C930 SystemParametersInfoW, 0_2_0041C930

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: xcYJfxDKL0Sk.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: xcYJfxDKL0Sk.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Author: unknown
Source: xcYJfxDKL0Sk.exe, type: SAMPLE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Uses 32bit PE files
Source: xcYJfxDKL0Sk.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: xcYJfxDKL0Sk.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: xcYJfxDKL0Sk.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: xcYJfxDKL0Sk.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00416702 ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_00416702
Detected potential crypto function
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041F048 0_2_0041F048
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0043E00C 0_2_0043E00C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0045409A 0_2_0045409A
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_004380A8 0_2_004380A8
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00446130 0_2_00446130
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0045326C 0_2_0045326C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0043E23B 0_2_0043E23B
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_004272EB 0_2_004272EB
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00437426 0_2_00437426
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0043E498 0_2_0043E498
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_004386B0 0_2_004386B0
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0043783E 0_2_0043783E
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0044D889 0_2_0044D889
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00433894 0_2_00433894
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00427994 0_2_00427994
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00427AFD 0_2_00427AFD
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041DAB0 0_2_0041DAB0
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00437C73 0_2_00437C73
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00426D5C 0_2_00426D5C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0043DDDD 0_2_0043DDDD
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00435DA1 0_2_00435DA1
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00413F18 0_2_00413F18
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00436F2A 0_2_00436F2A
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: String function: 004346BE appears 42 times
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: String function: 00401E65 appears 35 times
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: String function: 00434D70 appears 54 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00413220 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 0_2_00413220
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041BA57 OpenProcess,NtSuspendProcess,CloseHandle, 0_2_0041BA57
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041BA83 OpenProcess,NtResumeProcess,CloseHandle, 0_2_0041BA83
Sample file is different than original file name gathered from version info
Source: xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.000000000068B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs xcYJfxDKL0Sk.exe
Source: xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.000000000068B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe.mui` vs xcYJfxDKL0Sk.exe
Source: xcYJfxDKL0Sk.exe Virustotal: Detection: 80%
Source: xcYJfxDKL0Sk.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe C:\Users\user\Desktop\xcYJfxDKL0Sk.exe
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs"
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs" Jump to behavior
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_004178A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_004178A0
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json Jump to behavior
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe File created: C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs Jump to behavior
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@3/2@2/2
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041A998 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041A998
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040F3C2 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 0_2_0040F3C2
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-7QVKVR
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041B3F6 FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_0041B3F6
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs"
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: Software\ 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: Rmc-7QVKVR 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: Exe 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: Exe 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: Rmc-7QVKVR 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: Inj 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: Inj 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: 8SG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: exepath 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: 8SG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: exepath 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: licence 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: dMG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: PSG 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: Administrator 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: User 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: del 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: del 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: del 0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Command line argument: ^rE 0_2_004571B0
Source: xcYJfxDKL0Sk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: xcYJfxDKL0Sk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: xcYJfxDKL0Sk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: xcYJfxDKL0Sk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: xcYJfxDKL0Sk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: xcYJfxDKL0Sk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: xcYJfxDKL0Sk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: xcYJfxDKL0Sk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: xcYJfxDKL0Sk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: xcYJfxDKL0Sk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: xcYJfxDKL0Sk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: xcYJfxDKL0Sk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00457046 push ecx; ret 0_2_00457059
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00457968 push eax; ret 0_2_00457986
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00434DB6 push ecx; ret 0_2_00434DC9
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041CA9E LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CA9E
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 0_2_00406EB0
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041A998 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041A998

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\SysWOW64\wscript.exe File deleted: c:\users\user\desktop\xcyjfxdkl0sk.exe Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041CA9E LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CA9E
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Delayed program exit found
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040F6F5 Sleep,ExitProcess, 0_2_0040F6F5
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_0041A696
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041C1DF FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C1DF
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00409253
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040C29B FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C29B
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00409665
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_0040880C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040783C FindFirstFileW,FindNextFileW, 0_2_0040783C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00419A43 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419A43
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040BA7E FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BA7E
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0040BC85 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BC85
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407C97
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe API call chain: ExitProcess graph end node
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1664670142.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.000000000063E000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1664172887.00000000006B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1664670142.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1664172887.00000000006B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWg2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00434947 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00434947
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041CA9E LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CA9E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0044FA8E GetProcessHeap, 0_2_0044FA8E
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00443214 mov eax, dword ptr fs:[00000030h] 0_2_00443214
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00434947 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00434947
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0043BA62 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043BA62
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00434A95 SetUnhandledExceptionFilter, 0_2_00434A95
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00434F3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00434F3C
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00412065
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs" Jump to behavior
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00419575 mouse_event, 0_2_00419575
Source: xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.000000000063E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: GetLocaleInfoA, 0_2_0040F81F
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452004
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: GetLocaleInfoW, 0_2_00452254
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: EnumSystemLocalesW, 0_2_004482C4
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0045237D
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: GetLocaleInfoW, 0_2_00452484
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452551
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: GetLocaleInfoW, 0_2_004487AD
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00451C19
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: EnumSystemLocalesW, 0_2_00451EDC
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: EnumSystemLocalesW, 0_2_00451E91
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: EnumSystemLocalesW, 0_2_00451F77
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_00434BBD cpuid 0_2_00434BBD
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041B74D GetSystemTimes,Sleep,GetSystemTimes,__aulldiv, 0_2_0041B74D
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0044926D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_0044926D
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: 0_2_0041B55B GetComputerNameExW,GetUserNameW, 0_2_0041B55B

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: xcYJfxDKL0Sk.exe, type: SAMPLE
Source: Yara match File source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040BA7E
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: \key3.db 0_2_0040BA7E
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040B960

Remote Access Functionality
barindex
Yara detected Remcos RAT
Source: Yara match File source: xcYJfxDKL0Sk.exe, type: SAMPLE
Source: Yara match File source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe Code function: cmd.exe 0_2_0040569A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1345576 Sample: xcYJfxDKL0Sk.exe Startdate: 21/11/2023 Architecture: WINDOWS Score: 100 14 0.tcp.sa.ngrok.io 2->14 16 geoplugin.net 2->16 22 Multi AV Scanner detection for domain / URL 2->22 24 Found malware configuration 2->24 26 Malicious sample detected (through community Yara rule) 2->26 28 9 other signatures 2->28 7 xcYJfxDKL0Sk.exe 6 15 2->7         started        signatures3 process4 dnsIp5 18 0.tcp.sa.ngrok.io 54.94.248.37, 14096, 49729, 49731 AMAZON-02US United States 7->18 20 geoplugin.net 178.237.33.50, 49730, 80 ATOM86-ASATOM86NL Netherlands 7->20 30 Contains functionality to bypass UAC (CMSTPLUA) 7->30 32 Contains functionalty to change the wallpaper 7->32 34 Contains functionality to steal Chrome passwords or cookies 7->34 36 4 other signatures 7->36 11 wscript.exe 7->11         started        signatures6 process7 signatures8 38 Deletes itself after installation 11->38
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false
54.94.248.37
 0.tcp.sa.ngrok.io United States
16509 AMAZON-02US true

Contacted Domains

Name IP Active
0.tcp.sa.ngrok.io 54.94.248.37 true
geoplugin.net 178.237.33.50 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://geoplugin.net/json.gp true
  • URL Reputation: phishing
  • URL Reputation: phishing
 unknown
0.tcp.sa.ngrok.io true
  • 14%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown