Windows Analysis Report
Remittance_copy.pdf.scr.exe

Overview

General Information

Sample name: Remittance_copy.pdf.scr.exe
Analysis ID: 1421527
MD5: c52c8f03c7a947a1f84657f2c3283494
SHA1: 6834be8e80716d9cea18d10bcca6aabfdb23572b
SHA256: 39b5db919a6e2320e74753b6fafa6950e8b9a313340345a2eb0f9abf8cd43372
Tags: exe, snakekeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: https://scratchdreams.tk/_send_.php?TS Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk Avira URL Cloud: Label: malware
Source: 00000001.00000002.4126614174.0000000003071000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "test@qoldenfrontier.com", "Password": "%2WMoWREUv@3", "Host": "mail.qoldenfrontier.com", "Port": "587"}
Source: scratchdreams.tk Virustotal: Detection: 6%
Source: https://scratchdreams.tk Virustotal: Detection: 15%
Source: Remittance_copy.pdf.scr.exe Virustotal: Detection: 54%
Source: Remittance_copy.pdf.scr.exe ReversingLabs: Detection: 55%
Source: Remittance_copy.pdf.scr.exe Joe Sandbox ML: detected
Source: Remittance_copy.pdf.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: Remittance_copy.pdf.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Remittance_copy.pdf.scr.exe, 00000000.00000002.1675672531.0000000005850000.00000004.08000000.00040000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000000.00000002.1675144874.0000000003371000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 1_2_01437550
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 1_2_0143793B
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 1_2_01437939
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 0300FCD1h 1_2_0300FA10
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 0300EFDDh 1_2_0300EDF0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 0300F967h 1_2_0300EDF0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 1_2_0300E310
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 1_2_0300EB23
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 1_2_0300E943
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D471D1h 1_2_06D46F28
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D48C9Dh 1_2_06D48960
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_06D436CE
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D46921h 1_2_06D46678
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D40741h 1_2_06D40498
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D47F01h 1_2_06D47C58
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D46071h 1_2_06D45DC8
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D40FF1h 1_2_06D40D48
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D487B1h 1_2_06D48508
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D46D79h 1_2_06D46AD0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D464C9h 1_2_06D46220
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_06D433B8
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D47652h 1_2_06D473A8
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_06D433A8
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D40B99h 1_2_06D408F0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D48359h 1_2_06D480B0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D402E9h 1_2_06D40040
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D47AA9h 1_2_06D47800
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D45441h 1_2_06D45198
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 4x nop then jmp 06D45C19h 1_2_06D45970

Networking

Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49751 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49753 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49754 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49755 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49756 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49757 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49758 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49759 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49760 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49761 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49763 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49764 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49765 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49766 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49767 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49769 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49770 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49771 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49772 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49773 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49774 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49775 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49776 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49777 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49778 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49779 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49780 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49781 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49782 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49783 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49784 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49785 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49786 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49787 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49788 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49789 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49790 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49791 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49792 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49793 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49794 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49795 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49796 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49797 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49798 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49799 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49801 -> 108.167.142.65:587
Source: Traffic Snort IDS: 2044767 ET TROJAN Snake Keylogger Exfil via SMTP 192.168.2.4:49802 -> 108.167.142.65:587
Source: Yara match File source: 1.2.Remittance_copy.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.4:49751 -> 108.167.142.65:587
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 172.67.177.134
Source: Joe Sandbox View IP Address: 104.21.27.85
Source: Joe Sandbox View IP Address: 132.226.247.73
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.0000000003071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.0000000003071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Remittance_copy.pdf.scr.exe, 00000000.00000002.1675273431.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4125516731.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.000000000347B000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000034BF000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000031FF000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.000000000327C000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.000000000317A000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000031F5000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.000000000321E000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.000000000336A000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.000000000339B000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.0000000003374000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000034E5000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000031EB000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000034D2000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.0000000003407000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000033D3000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.0000000003285000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.qoldenfrontier.com
Source: Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.0000000003071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.000000000315A000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.0000000003131000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.000000000315A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org(
Source: Remittance_copy.pdf.scr.exe, 00000000.00000002.1675273431.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4125516731.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.0000000003131000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231
Source: Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.000000000315A000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.0000000003131000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231$
Source: Remittance_copy.pdf.scr.exe, 00000000.00000002.1675273431.0000000004464000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4125516731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.000000000315A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk
Source: Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.000000000315A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk/_send_.php?TS
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.4:49748 version: TLS 1.2

System Summary

Source: 0.2.Remittance_copy.pdf.scr.exe.44125d0.3.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.43c3da0.2.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.44125d0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.5a70000.7.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.5a70000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.Remittance_copy.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Remittance_copy.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Remittance_copy.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Remittance_copy.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.43c3da0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.33838d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Remittance_copy.pdf.scr.exe.33810ac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000001.00000002.4125516731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.4125516731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1675751801.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.1675273431.0000000004464000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1675273431.0000000004464000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 6632, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 6632, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 4020, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 4020, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: initial sample Static PE information: Filename: Remittance_copy.pdf.scr.exe
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_01437550 1_2_01437550
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_01436481 1_2_01436481
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_01437540 1_2_01437540
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_01430FC0 1_2_01430FC0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_0300C1F0 1_2_0300C1F0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_03006790 1_2_03006790
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_0300C7B3 1_2_0300C7B3
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_0300B500 1_2_0300B500
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_0300C4D0 1_2_0300C4D0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_03004B31 1_2_03004B31
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_0300FA10 1_2_0300FA10
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_0300CA93 1_2_0300CA93
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_030098B8 1_2_030098B8
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_0300BF10 1_2_0300BF10
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_0300EDF0 1_2_0300EDF0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_0300BC33 1_2_0300BC33
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_0300E300 1_2_0300E300
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_0300E310 1_2_0300E310
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_0300B553 1_2_0300B553
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_030035CB 1_2_030035CB
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4C6E0 1_2_06D4C6E0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D456AF 1_2_06D456AF
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D48FA9 1_2_06D48FA9
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4A760 1_2_06D4A760
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D46F28 1_2_06D46F28
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4ADB0 1_2_06D4ADB0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4CD30 1_2_06D4CD30
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4BA40 1_2_06D4BA40
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4B3F8 1_2_06D4B3F8
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4D380 1_2_06D4D380
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4C090 1_2_06D4C090
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4D9C8 1_2_06D4D9C8
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D411A0 1_2_06D411A0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D48960 1_2_06D48960
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4C6D1 1_2_06D4C6D1
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D46678 1_2_06D46678
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D46669 1_2_06D46669
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D477F3 1_2_06D477F3
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4A750 1_2_06D4A750
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D46F1B 1_2_06D46F1B
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D43730 1_2_06D43730
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D484FF 1_2_06D484FF
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D40498 1_2_06D40498
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4048F 1_2_06D4048F
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D47C53 1_2_06D47C53
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D47C58 1_2_06D47C58
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D44430 1_2_06D44430
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D45DC8 1_2_06D45DC8
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D45DBB 1_2_06D45DBB
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4ADA0 1_2_06D4ADA0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D40D48 1_2_06D40D48
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D48508 1_2_06D48508
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D40D3B 1_2_06D40D3B
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4CD20 1_2_06D4CD20
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D46AD0 1_2_06D46AD0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D46ACB 1_2_06D46ACB
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D46211 1_2_06D46211
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D46220 1_2_06D46220
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4BA2F 1_2_06D4BA2F
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4B3E8 1_2_06D4B3E8
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4739F 1_2_06D4739F
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D433B8 1_2_06D433B8
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D473A8 1_2_06D473A8
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D433A8 1_2_06D433A8
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4D370 1_2_06D4D370
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D408F0 1_2_06D408F0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D408E3 1_2_06D408E3
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4C080 1_2_06D4C080
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D428B0 1_2_06D428B0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D480B0 1_2_06D480B0
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D480A7 1_2_06D480A7
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D428AB 1_2_06D428AB
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D40040 1_2_06D40040
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D47800 1_2_06D47800
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4003B 1_2_06D4003B
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D45198 1_2_06D45198
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4518B 1_2_06D4518B
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4D9B7 1_2_06D4D9B7
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D48957 1_2_06D48957
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D45970 1_2_06D45970
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4596B 1_2_06D4596B
Source: Remittance_copy.pdf.scr.exe, 00000000.00000002.1675672531.0000000005850000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Remittance_copy.pdf.scr.exe
Source: Remittance_copy.pdf.scr.exe, 00000000.00000002.1672831414.000000000152E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Remittance_copy.pdf.scr.exe
Source: Remittance_copy.pdf.scr.exe, 00000000.00000002.1675273431.0000000004371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs Remittance_copy.pdf.scr.exe
Source: Remittance_copy.pdf.scr.exe, 00000000.00000002.1675751801.0000000005A70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs Remittance_copy.pdf.scr.exe
Source: Remittance_copy.pdf.scr.exe, 00000000.00000002.1675273431.0000000004464000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Remittance_copy.pdf.scr.exe
Source: Remittance_copy.pdf.scr.exe, 00000000.00000000.1670073778.0000000000E82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemsvlc220_tlcodedcvt_ids.exeT vs Remittance_copy.pdf.scr.exe
Source: Remittance_copy.pdf.scr.exe, 00000000.00000002.1675144874.0000000003371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Remittance_copy.pdf.scr.exe
Source: Remittance_copy.pdf.scr.exe, 00000000.00000002.1675144874.0000000003371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Remittance_copy.pdf.scr.exe
Source: Remittance_copy.pdf.scr.exe, 00000001.00000002.4125516731.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Remittance_copy.pdf.scr.exe
Source: Remittance_copy.pdf.scr.exe, 00000001.00000002.4125604276.0000000001137000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Remittance_copy.pdf.scr.exe
Source: Remittance_copy.pdf.scr.exe Binary or memory string: OriginalFilenamemsvlc220_tlcodedcvt_ids.exeT vs Remittance_copy.pdf.scr.exe
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Section loaded: dpapi.dll
Source: Remittance_copy.pdf.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Remittance_copy.pdf.scr.exe.44125d0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Remittance_copy.pdf.scr.exe.43c3da0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Remittance_copy.pdf.scr.exe.44125d0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Remittance_copy.pdf.scr.exe.5a70000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Remittance_copy.pdf.scr.exe.5a70000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.Remittance_copy.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Remittance_copy.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Remittance_copy.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Remittance_copy.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Remittance_copy.pdf.scr.exe.43c3da0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Remittance_copy.pdf.scr.exe.33838d4.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Remittance_copy.pdf.scr.exe.33810ac.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000001.00000002.4125516731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.4125516731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1675751801.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.1675273431.0000000004464000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1675273431.0000000004464000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 6632, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 6632, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 4020, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 4020, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, -O-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, -O-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, -O-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, -O-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_copy.pdf.scr.exe.44125d0.3.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_copy.pdf.scr.exe.5a70000.7.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_copy.pdf.scr.exe.43c3da0.2.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Remittance_copy.pdf.scr.exe, ----.cs Task registration methods: 'CreateTaskContext'
Source: Remittance_copy.pdf.scr.exe, -.cs Task registration methods: 'RegisterTask', 'GetRegisteredTask'
Source: Remittance_copy.pdf.scr.exe, --.cs Task registration methods: 'CreateBuildEventFileInfoForTask'
Source: Remittance_copy.pdf.scr.exe, -.cs Task registration methods: 'RegisterDefaultTasks'
Source: Remittance_copy.pdf.scr.exe, ---2.cs Task registration methods: 'AddCreateTemporaryVCProjectTasks'
Source: Remittance_copy.pdf.scr.exe, -.cs Task registration methods: 'FindRegisteredTasks', 'RegisterTask', 'GetRegisteredTask'
Source: 0.2.Remittance_copy.pdf.scr.exe.44125d0.3.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.Remittance_copy.pdf.scr.exe.5a70000.7.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.Remittance_copy.pdf.scr.exe.43c3da0.2.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: Remittance_copy.pdf.scr.exe Binary or memory string: MSB4098: MSBuild is invoking VCBuild to build this project. Project-to-project references between VC++ projects (.VCPROJ) and C#/VB/VJ# projects (.CSPROJ, .VBPROJ, .VJSPROJ) are not supported by the command-line build systems when building stand-alone VC++ projects. Projects that contain such project-to-project references will fail to build. Please build the solution file containing this project instead.
Source: Remittance_copy.pdf.scr.exe Binary or memory string: MSB4126: The specified solution configuration "{0}" is invalid. Please specify a valid solution configuration using the Configuration and Platform properties (e.g. MSBuild.exe Solution.sln /p:Configuration=Debug /p:Platform="Any CPU") or leave those properties blank to use the default solution configuration.
Source: Remittance_copy.pdf.scr.exe Binary or memory string: yMSB4051: Project {0} is referencing a project with GUID {1}, but a project with this GUID was not found in the .SLN file.
Source: Remittance_copy.pdf.scr.exe Binary or memory string: Unexpected return type from this.rawGroups.ItemGroupsAndChooses.sln
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/4
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remittance_copy.pdf.scr.exe.log
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Mutant created: NULL
Source: Remittance_copy.pdf.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Remittance_copy.pdf.scr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000032E3000.00000004.00000800.00020000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000001.00000002.4126614174.00000000032D4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Remittance_copy.pdf.scr.exe Virustotal: Detection: 54%
Source: Remittance_copy.pdf.scr.exe ReversingLabs: Detection: 55%
Source: Remittance_copy.pdf.scr.exe String found in binary or memory: /InstalledAssemblyTables
Source: unknown Process created: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe "C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe"
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Process created: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe "C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe"
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Process created: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe "C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe"
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Remittance_copy.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Remittance_copy.pdf.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Remittance_copy.pdf.scr.exe, 00000000.00000002.1675672531.0000000005850000.00000004.08000000.00040000.00000000.sdmp, Remittance_copy.pdf.scr.exe, 00000000.00000002.1675144874.0000000003371000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Remittance_copy.pdf.scr.exe, ---.cs .Net Code: Shlyber System.AppDomain.Load(byte[])
Source: Remittance_copy.pdf.scr.exe Static PE information: 0xDC4F1461 [Sat Feb 15 17:54:41 2087 UTC]
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D48F4D push es; retf 1_2_06D48F54
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D42717 pushad ; ret 1_2_06D4271A
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D43280 push 68A405C3h; ret 1_2_06D4330E
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4F046 push es; ret 1_2_06D4F044
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D4E1F8 push es; ret 1_2_06D4F044
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Code function: 1_2_06D41191 push ebx; ret 1_2_06D41192
Source: Remittance_copy.pdf.scr.exe Static PE information: section name: .text entropy: 6.945040446258407

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (82).png
Source: Possible double extension: pdf.scr Static PE information: Remittance_copy.pdf.scr.exe
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 6632, type: MEMORYSTR
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Memory allocated: 17E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Memory allocated: 3370000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Memory allocated: 31F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Memory allocated: 1700000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Memory allocated: 3070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Memory allocated: 5070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 599891
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 599672
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 599563
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 599438
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 599313
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 599203
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 599094
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 598969
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 598859
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 598750
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 598641
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 598531
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 598422
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 598312
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 598203
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 598094
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 597968
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 597844
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 597734
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 597625
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 597516
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 597406
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 597285
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 597156
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 597047
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 596937
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 596828
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 596719
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 596594
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 596484
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 596375
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 596266
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 596156
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 596047
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 595937
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 595813
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 595688
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 595578
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 595469
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 595359
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 595125
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 595016
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 594895
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 594766
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 594656
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 594547
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 594437
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Window / User API: threadDelayed 8473
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Window / User API: threadDelayed 1375
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6788 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6788 Thread sleep count: 8473 > 30
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6788 Thread sleep count: 1375 > 30
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -599563s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -599203s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -598969s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -598859s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -598750s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -598641s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -598531s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -598422s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -598312s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -597968s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -597844s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -597734s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -597625s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -597516s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -597406s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -597285s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -597156s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -597047s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -596719s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -596594s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -596484s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -596375s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -596266s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -596156s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -596047s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -595937s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -595813s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -595688s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -595469s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -595125s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -595016s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -594895s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -594766s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -594656s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -594547s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe TID: 6760 Thread sleep time: -594437s >= -30000s
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 595125 Jump to behavior
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 595016 Jump to behavior
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 594895 Jump to behavior
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 594766 Jump to behavior
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 594656 Jump to behavior
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 594547 Jump to behavior
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Thread delayed: delay time: 594437 Jump to behavior
Source: Remittance_copy.pdf.scr.exe, 00000001.00000002.4125765899.000000000147B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllies>
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.Remittance_copy.pdf.scr.exe.5850000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.Remittance_copy.pdf.scr.exe.5850000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.Remittance_copy.pdf.scr.exe.5850000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Memory written: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Process created: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe "C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe"
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Queries volume information: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Queries volume information: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Remittance_copy.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4125516731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4126614174.000000000317A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4126614174.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4126614174.000000000331D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1675273431.0000000004464000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 6632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 4020, type: MEMORYSTR
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Remittance_copy.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4125516731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4126614174.000000000317A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1675273431.0000000004464000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 6632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 4020, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Remittance_copy.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44c6c60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Remittance_copy.pdf.scr.exe.44a6230.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.4125516731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4126614174.000000000317A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4126614174.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4126614174.000000000331D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1675273431.0000000004464000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 6632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Remittance_copy.pdf.scr.exe PID: 4020, type: MEMORYSTR