Windows Analysis Report
remcmdstub.exe

Overview

General Information

Sample name: remcmdstub.exe
Analysis ID: 1428654
MD5: 6fca49b85aa38ee016e39e14b9f9d6d9
SHA1: b0d689c70e91d5600ccc2a4e533ff89bf4ca388b
SHA256: fedd609a16c717db9bea3072bed41e79b564c4bc97f959208bfa52fb3c9fa814

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: remcmdstub.exe Virustotal: Detection: 23%
Source: remcmdstub.exe ReversingLabs: Detection: 23%
Source: remcmdstub.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: remcmdstub.exe Static PE information: certificate valid
Source: remcmdstub.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: remcmdstub.exe String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: remcmdstub.exe String found in binary or memory: http://s2.symcb.com0
Source: remcmdstub.exe String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: remcmdstub.exe String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: remcmdstub.exe String found in binary or memory: http://sv.symcd.com0&
Source: remcmdstub.exe String found in binary or memory: http://www.symauth.com/cps0(
Source: remcmdstub.exe String found in binary or memory: http://www.symauth.com/rpa00
Source: remcmdstub.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: remcmdstub.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: classification engine Classification label: mal48.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_03
Source: remcmdstub.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\remcmdstub.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\remcmdstub.exe "C:\Users\user\Desktop\remcmdstub.exe"
Source: C:\Users\user\Desktop\remcmdstub.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\remcmdstub.exe Section loaded: apphelp.dll
Source: remcmdstub.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: remcmdstub.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: remcmdstub.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: remcmdstub.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: remcmdstub.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\remcmdstub.exe Code function: 0_2_003412E0 ExpandEnvironmentStringsA,_memset,GetStdHandle,GetStdHandle,GetStdHandle,GetStdHandle,GetConsoleMode,SetConsoleMode,GetLastError,SetConsoleCtrlHandler,LoadLibraryA,GetProcAddress,SetLastError,CreateProcessA,CloseHandle,CloseHandle,WaitForMultipleObjects,GenerateConsoleCtrlEvent,WaitForMultipleObjects,GetLastError,GetExitCodeProcess,GetLastError,GetLastError,WriteFile,Sleep,GetLastError,GetLastError,GetLastError,WaitForSingleObject,CloseHandle,GetProcAddress,CloseHandle,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 0_2_003412E0
Source: C:\Users\user\Desktop\remcmdstub.exe Code function: 0_2_003449F5 push ecx; ret 0_2_00344A08
Source: C:\Users\user\Desktop\remcmdstub.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\remcmdstub.exe API coverage: 9.9 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\remcmdstub.exe Code function: 0_2_00341EB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00341EB5
Source: C:\Users\user\Desktop\remcmdstub.exe Code function: 0_2_00344CAB SetUnhandledExceptionFilter, 0_2_00344CAB
Source: C:\Users\user\Desktop\remcmdstub.exe Code function: 0_2_0034308C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0034308C
Source: C:\Users\user\Desktop\remcmdstub.exe Code function: 0_2_00345973 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00345973
Source: C:\Users\user\Desktop\remcmdstub.exe Code function: 0_2_00341010 GetVersionExA, 0_2_00341010
No contacted IP infos