Windows Analysis Report
Documento_Remisorio_Activo_N#8475684756..exe

Overview

General Information

Sample name: Documento_Remisorio_Activo_N#8475684756..exe
Analysis ID: 1431059
MD5: 636600655d1c0ebdf3073f0f6afb6509
SHA1: 34fff619fe1d3caac84ba88f30cc83ac0dab9f3f
SHA256: 46cfebde9e8cadfefc9c1324f9b250b9488c25c59212438de071ceec81b71967

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
Yara detected DcRat
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to infect the boot sector
Drops PE files to the document folder of the user
Drops large PE files
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

AV Detection

Source: C:\Users\user\Documents\ChromeUpdate\cr0wdik.exe Avira: detection malicious, Label: HEUR/AGEN.1320513
Source: procesolargovalelapena222.dynuddns.net Virustotal: Detection: 5%
Source: Documento_Remisorio_Activo_N#8475684756..exe ReversingLabs: Detection: 23%
Source: Documento_Remisorio_Activo_N#8475684756..exe Virustotal: Detection: 35%
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\vmagent_new\bin\joblist\621001\out\Release\360boxmain.pdb source: Documento_Remisorio_Activo_N#8475684756..exe, cr0wdik.exe.0.dr
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00446E00 FindFirstFileW,StrCmpIW,StrCmpIW,StrCmpIW,FindNextFileW,FindClose, 0_2_00446E00
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0045F950 PathCombineW,_memset,_memset,PathCombineW,FindFirstFileW,_memset,PathCombineW,GetFileAttributesExW,FindNextFileW,FindClose, 0_2_0045F950
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00455960 _memset,FindFirstFileW,FindClose,GetLastError, 0_2_00455960

Networking

Source: unknown DNS query: name: procesolargovalelapena222.dynuddns.net
Source: global traffic TCP traffic: 192.168.2.6:49720 -> 45.95.169.113:22206
Source: Joe Sandbox View IP Address: 45.95.169.113
Source: Joe Sandbox View ASN Name: GIGANET-HUGigaNetInternetServiceProviderCoHU
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: procesolargovalelapena222.dynuddns.net
Source: Documento_Remisorio_Activo_N#8475684756..exe, cr0wdik.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Documento_Remisorio_Activo_N#8475684756..exe, cr0wdik.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Documento_Remisorio_Activo_N#8475684756..exe, cr0wdik.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Documento_Remisorio_Activo_N#8475684756..exe, cr0wdik.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Documento_Remisorio_Activo_N#8475684756..exe, cr0wdik.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: Documento_Remisorio_Activo_N#8475684756..exe, cr0wdik.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0&
Source: Documento_Remisorio_Activo_N#8475684756..exe, cr0wdik.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: Documento_Remisorio_Activo_N#8475684756..exe, cr0wdik.exe.0.dr String found in binary or memory: http://s.360safe.com/safei18n/
Source: csc.exe, 00000003.00000002.3356996740.0000000006F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Documento_Remisorio_Activo_N#8475684756..exe, cr0wdik.exe.0.dr String found in binary or memory: http://www.360totalsecurity.com/d/ts/%s/%s/channelOpen
Source: Documento_Remisorio_Activo_N#8475684756..exe, cr0wdik.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0D

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 3.2.csc.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.c00000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3355880871.0000000000AA2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2282262613.0000000000C02000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2282125974.00000000004D4000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Documento_Remisorio_Activo_N#8475684756..exe PID: 4980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 712, type: MEMORYSTR
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0044BE10 RegisterClipboardFormatW,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,SetClipboardData,SetClipboardData,CloseClipboard,GlobalFree,GlobalFree,GlobalFree, 0_2_0044BE10
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040A810 _memset,GetKeyboardState,keybd_event,keybd_event,SetForegroundWindow,keybd_event, 0_2_0040A810

System Summary

Source: 3.2.csc.exe.aa0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 3.2.csc.exe.aa0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 3.2.csc.exe.aa0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 3.2.csc.exe.aa0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.c00000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.c00000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.c00000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.c00000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000003.00000002.3355880871.0000000000AA2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2282262613.0000000000C02000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2282125974.00000000004D4000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000003.00000002.3356628122.0000000005258000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000003.00000002.3356996740.0000000006F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: Documento_Remisorio_Activo_N#8475684756..exe PID: 4980, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: csc.exe PID: 712, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe File dump: cr0wdik.exe.0.dr 800000000
Source: initial sample Static PE information: Filename: Documento_Remisorio_Activo_N#8475684756..exe
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004228F0 NtQueryDefaultLocale, 0_2_004228F0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423B73 NtQueryDefaultLocale, 0_2_00423B73
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004221F0 NtQueryDefaultLocale, 0_2_004221F0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00422270 NtQueryDefaultLocale, 0_2_00422270
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00422276 NtQueryDefaultLocale, 0_2_00422276
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00422287 NtQueryDefaultLocale, 0_2_00422287
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00422415 NtQueryDefaultLocale, 0_2_00422415
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004224DC NtQueryDefaultLocale, 0_2_004224DC
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042256F NtQueryDefaultLocale, 0_2_0042256F
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042258A NtQueryDefaultLocale, 0_2_0042258A
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004227F8 NtQueryDefaultLocale, 0_2_004227F8
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00422873 NtQueryDefaultLocale, 0_2_00422873
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00422814 NtQueryDefaultLocale, 0_2_00422814
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423020 NtQueryDefaultLocale, 0_2_00423020
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423033 NtQueryDefaultLocale, 0_2_00423033
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423080 NtQueryDefaultLocale, 0_2_00423080
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042312D NtQueryDefaultLocale, 0_2_0042312D
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423291 NtQueryDefaultLocale, 0_2_00423291
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004232B1 NtQueryDefaultLocale, 0_2_004232B1
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423339 NtQueryDefaultLocale, 0_2_00423339
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423797 NtQueryDefaultLocale, 0_2_00423797
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423B4A NtQueryDefaultLocale, 0_2_00423B4A
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423B4F NtQueryDefaultLocale, 0_2_00423B4F
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423DD6 NtQueryDefaultLocale, 0_2_00423DD6
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423DE3 NtQueryDefaultLocale, 0_2_00423DE3
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00421DAD NtQueryDefaultLocale, 0_2_00421DAD
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00421DB2 NtQueryDefaultLocale, 0_2_00421DB2
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423E4F NtQueryDefaultLocale, 0_2_00423E4F
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423E30 NtQueryDefaultLocale, 0_2_00423E30
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0049C4A0: DeviceIoControl, 0_2_0049C4A0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042C70B 0_2_0042C70B
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042960E 0_2_0042960E
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423B73 0_2_00423B73
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00414048 0_2_00414048
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041405F 0_2_0041405F
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0049806C 0_2_0049806C
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042A069 0_2_0042A069
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042A07B 0_2_0042A07B
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00414005 0_2_00414005
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004240E4 0_2_004240E4
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004100EC 0_2_004100EC
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004100F7 0_2_004100F7
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00410141 0_2_00410141
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00410109 0_2_00410109
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041A132 0_2_0041A132
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00482130 0_2_00482130
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042A1C6 0_2_0042A1C6
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041019C 0_2_0041019C
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041A1A2 0_2_0041A1A2
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041025A 0_2_0041025A
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00440230 0_2_00440230
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041E2D5 0_2_0041E2D5
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042A292 0_2_0042A292
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004102BA 0_2_004102BA
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00410375 0_2_00410375
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042432C 0_2_0042432C
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00446330 0_2_00446330
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040E3C6 0_2_0040E3C6
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0048A3C4 0_2_0048A3C4
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00418469 0_2_00418469
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00422415 0_2_00422415
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041843C 0_2_0041843C
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004244CB 0_2_004244CB
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041A4DC 0_2_0041A4DC
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041C4E8 0_2_0041C4E8
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00418493 0_2_00418493
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040E4A6 0_2_0040E4A6
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00424542 0_2_00424542
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040E54F 0_2_0040E54F
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0047A550 0_2_0047A550
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00424529 0_2_00424529
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042A534 0_2_0042A534
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041A5C1 0_2_0041A5C1
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040E5EE 0_2_0040E5EE
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042A62F 0_2_0042A62F
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041863F 0_2_0041863F
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040E687 0_2_0040E687
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00418740 0_2_00418740
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004267D0 0_2_004267D0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041C7F8 0_2_0041C7F8
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0049287D 0_2_0049287D
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00420983 0_2_00420983
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004989B1 0_2_004989B1
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0048C9B7 0_2_0048C9B7
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041AA02 0_2_0041AA02
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00424B46 0_2_00424B46
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00420BDF 0_2_00420BDF
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042AB99 0_2_0042AB99
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00490C05 0_2_00490C05
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00426C1C 0_2_00426C1C
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00424CD4 0_2_00424CD4
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00422CAB 0_2_00422CAB
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00426D05 0_2_00426D05
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00410D28 0_2_00410D28
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0048AE08 0_2_0048AE08
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00426E00 0_2_00426E00
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041AF6C 0_2_0041AF6C
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00421010 0_2_00421010
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423020 0_2_00423020
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423033 0_2_00423033
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004130D4 0_2_004130D4
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004130E5 0_2_004130E5
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423080 0_2_00423080
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00413097 0_2_00413097
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004730A0 0_2_004730A0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00413140 0_2_00413140
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00419149 0_2_00419149
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042517C 0_2_0042517C
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042312D 0_2_0042312D
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041B13F 0_2_0041B13F
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004131B4 0_2_004131B4
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00421257 0_2_00421257
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423291 0_2_00423291
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004232B1 0_2_004232B1
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040F305 0_2_0040F305
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423339 0_2_00423339
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040F3DF 0_2_0040F3DF
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040F445 0_2_0040F445
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040F460 0_2_0040F460
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040D4E0 0_2_0040D4E0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041F4B5 0_2_0041F4B5
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00421568 0_2_00421568
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00417520 0_2_00417520
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040D5C0 0_2_0040D5C0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004975E4 0_2_004975E4
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004275BC 0_2_004275BC
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040D65F 0_2_0040D65F
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041D670 0_2_0041D670
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040D675 0_2_0040D675
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042163C 0_2_0042163C
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004176C4 0_2_004176C4
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004296DB 0_2_004296DB
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004216EE 0_2_004216EE
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004296A9 0_2_004296A9
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004176BF 0_2_004176BF
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041175B 0_2_0041175B
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0042975C 0_2_0042975C
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00429700 0_2_00429700
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00499715 0_2_00499715
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00419721 0_2_00419721
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00421864 0_2_00421864
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00429836 0_2_00429836
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004178FA 0_2_004178FA
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004178B7 0_2_004178B7
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00417942 0_2_00417942
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0049B950 0_2_0049B950
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00429905 0_2_00429905
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00447910 0_2_00447910
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00417992 0_2_00417992
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00419A53 0_2_00419A53
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041FA63 0_2_0041FA63
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041FA11 0_2_0041FA11
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00433AA0 0_2_00433AA0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423B4A 0_2_00423B4A
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423B4F 0_2_00423B4F
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00497B28 0_2_00497B28
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00425B20 0_2_00425B20
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00419B29 0_2_00419B29
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041FB2D 0_2_0041FB2D
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00419BE0 0_2_00419BE0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041FBEE 0_2_0041FBEE
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041FBFD 0_2_0041FBFD
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00411BFF 0_2_00411BFF
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00427BAC 0_2_00427BAC
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041FBBC 0_2_0041FBBC
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041FC52 0_2_0041FC52
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00421C0F 0_2_00421C0F
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00419C1C 0_2_00419C1C
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00419C3A 0_2_00419C3A
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00479CD0 0_2_00479CD0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041FCD9 0_2_0041FCD9
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00419C8E 0_2_00419C8E
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0041FCB4 0_2_0041FCB4
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040DDD4 0_2_0040DDD4
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423DD6 0_2_00423DD6
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423DE3 0_2_00423DE3
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00411E51 0_2_00411E51
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004FBE67 0_2_004FBE67
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00419E7B 0_2_00419E7B
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00429E1E 0_2_00429E1E
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00423E30 0_2_00423E30
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040DE33 0_2_0040DE33
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00419EAF 0_2_00419EAF
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00429F4F 0_2_00429F4F
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040DF55 0_2_0040DF55
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040DFCE 0_2_0040DFCE
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00479FD0 0_2_00479FD0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00413FF2 0_2_00413FF2
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00413FF9 0_2_00413FF9
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: String function: 00404810 appears 32 times
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: String function: 0048462C appears 41 times
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: invalid certificate
Source: Documento_Remisorio_Activo_N#8475684756..exe Binary or memory string: OriginalFilename vs Documento_Remisorio_Activo_N#8475684756..exe
Source: Documento_Remisorio_Activo_N#8475684756..exe, 00000000.00000002.2282557484.00000000034A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSandboxMain.exe8 vs Documento_Remisorio_Activo_N#8475684756..exe
Source: Documento_Remisorio_Activo_N#8475684756..exe, 00000000.00000002.2282125974.00000000004D4000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameClient.exe" vs Documento_Remisorio_Activo_N#8475684756..exe
Source: Documento_Remisorio_Activo_N#8475684756..exe, 00000000.00000002.2282145487.00000000004EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSandboxMain.exe8 vs Documento_Remisorio_Activo_N#8475684756..exe
Source: Documento_Remisorio_Activo_N#8475684756..exe, 00000000.00000000.2082520921.00000000004EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSandboxMain.exe8 vs Documento_Remisorio_Activo_N#8475684756..exe
Source: Documento_Remisorio_Activo_N#8475684756..exe, 00000000.00000002.2282262613.0000000000C0E000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClient.exe" vs Documento_Remisorio_Activo_N#8475684756..exe
Source: Documento_Remisorio_Activo_N#8475684756..exe Binary or memory string: OriginalFilenameSandboxMain.exe8 vs Documento_Remisorio_Activo_N#8475684756..exe
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.csc.exe.aa0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 3.2.csc.exe.aa0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 3.2.csc.exe.aa0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 3.2.csc.exe.aa0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.c00000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.c00000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.c00000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.c00000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000003.00000002.3355880871.0000000000AA2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2282262613.0000000000C02000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2282125974.00000000004D4000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000003.00000002.3356628122.0000000005258000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000003.00000002.3356996740.0000000006F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: Documento_Remisorio_Activo_N#8475684756..exe PID: 4980, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: csc.exe PID: 712, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, Settings.cs Base64 encoded string: 'NyRWPsy9vgW5FYP011qoykyqGcTCjlFdPGfVIMREZtTixanHY6Mbc2h7PZe6MFMN2adKHLxmfZzkvH9jrwtPlw==', 'Zae4ODBrzbWwCsVxH3taZrWSQCv+AfuqQteIdPVqHziFfJYbLTzJhb0+hi0gL3kXEvtX2qcobXdHR3Qe1kO6Ig==', 'GNOd0iMvLLQBZqd4a/OEjbZjWSpGizh40bZHx8/S7P62/hl2vuCqKV0HwrI2jX2mZouVwTYYjvjwOmYoHv8CGh0beILjkOgPqaU+rB6RVoE=', 'o1ehZrUyw1bTzwZSIzoyw2i9GCdWRVvskS8m+19bPGOaGFZqDINL9k2mkTmzGbA+Wckxgq+oWFbWQW4LgsrCDCsMnKQ/26V6Y+jh+ZCkS1i1WWHAdcJsyfWT90G/Uy+Pt8YvsrIjbc/gyXwBBiKeW+85PoaT69VMj/UjdFaiSy8ez3R74urL/0LCq/Qbjc6uM9xB2GIKe0Yg/bUfwbfd7O8hYC/b+Ex+jnpcQaMJypjD36TB2HR+d6Im07jY6xLutvOi8+Oau8Gp1KakoLSS2iDDMVNVhp+I/6liNz5Un5FA1pMJfq4yNT7GKOQce3oxDC1J2+GvqXYx9G1YXhTEAeTVqqusbfRFaVRH72JfKGn1YoU958SNwyAMY3UCfsOdI3S1IoRwUxJdJApKrXp9Vdybr9MEASk9HIv+TocsKVTy+//9iR0EqkK3jqzsOuHbY1Lp+DLkwfy5/mDArT7cR1NvwwvOw5XSwMunf7jgqjqvslYnC4TEmy2IDOGmJ2ZZbLmZrAw3G6lzXBfiUdJmXPEPt8ExWDm5bgbsASilkE3B4MhLGLgumaa+LI/VhQqayCKd2DNgd30dO6JpDwsv2YP9FdUagrrLY5EHQmCoRfJcNmYTnCTmeZKI2fr/oPs4fPrLztJ57NBTMRR/Jk6UtRsDNmgh170l5PzGekV6kZm0DRmsNkcYtcMb+kVhqcdG6uUID0/A1y+XIyUG+LJ+rJkEx0py664bFLVhHMyIx7FDrgXK3DQCoqRGWRnEheT1vq9KwQKPVFWzSyT7PkabAg1mvuP4BnF6cRu7WGFzBUhU40IriRLQo5mCxgxoH+JmraXPspTDRtd5+df04H4x4s7bg9ILEq9OgYmJm/HS5fo8g55tmKX72ZUErCpHfSxr1K4c9C80vl1QAbZFjqiINZzp383XjKvpWubYTrbjIb0raZtF9AL3hyEfI/rUWXKgXYt2076MZmyy7Z6lvb2/qph8PfrK74n+AfDBqj4gvU4Xw1KO6FuUxP0nXTQ9RHoCpq0pjRlt3i+y1i64QW/ii9WoVUTnCNkjJ9W8rgJZ20CXYOizPiAtydRayNCP2X/P', 'JwfjfZwaMjmIruYLad+id4/nVeiFOqrq/5IUqCot3UatEyOX4929ettkDI5TK0ZywIzJyMWh7PtcIHkFiY3J8kSXgrr9isUBZrKzoUtoNdD1+XN+0sFkkZ+rHvcJPYh1fxVb5p/fC/WUI3Ho8SaCz3mhDxf9j5fY0siya/i5doMZA5ts/QdV6N7UbQDf/9RpOXj0Z4VJX3rurdsyB4rSFddT62zKUbSYjlPYYYHDo5NlwTmJsswjBjyCs/vFtiMfTfanXOXElAvddcZVujLiJemnBL0zP1vRlLc1LHvjQis=', 'r1+fqZx8xZDlXEh+o3INczlf1mnpM1iuhAYrKgzy1INh19csSMMlpqahuW8fhx1vnQMh7KP4xyPhSfFil9eF7A==', 'OAQgXX9fI0Fw/7L2VF1306eiRatuMxhBM1FmCDdqU2xUsQ/A8n9NKD42/OoAyxkcUvripYMkB6bx3YXxVnfPUA==', 
'XzjzImJ6vxYuEI6EzwHTIcfyt79zkRbG4EeVEVZ1P5irl/PJMUS3NRW3qO+jCR1Ja+EWMw1C6HL1x9iLMheQog==', 'N0bzIF0EizzE8rU1fzYb4LP1CWninx5jgne+ZELzcG36exBUQc92o1BjxHKIWJOxU4sm9ZmeFG9Aon4riljD1Q==', 'McW3gUYmtdeKWmXoMi3FTkB8dz8gZEwKDuXR1OSKvX3scgpcoZTLG2AsqDcndnKz2EgKmpv1WxKwU13i4TY7+g=='
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, NormalStartup.cs Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
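The two NormalStartup.cs literals above decode to a schtasks command prefix and the HKCU Run key path, which is the persistence the report records further down. The following Python is an added example, not code from the sample or from Joe Sandbox: the two literals in OBSERVED are copied from the report, while the hint patterns, the decoder and the generalised token scanner (which pulls Base64-looking tokens out of any strings dump, not only these two) are this example's own triage logic.

```python
"""Decode the Base64 literals the report lists for NormalStartup.cs.

Added example; it is not code from the sample or from Joe Sandbox. The two
literals in OBSERVED are copied from the report; everything else is this
example's own triage logic.
"""
import base64
import binascii
import re

# Literals observed in the report (NormalStartup.cs, Base64 encoded string)
OBSERVED = [
    "L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g",
    "U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==",
]

# What a responder looks for in the decoded text: a logon-triggered scheduled
# task, elevation to the highest run level, and the HKCU Run key.
PERSISTENCE_HINTS = {
    "schtasks_onlogon": re.compile(r"schtasks\s+/create\b.*\s/sc\s+onlogon\b", re.I),
    "schtasks_highest": re.compile(r"\s/rl\s+highest\b", re.I),
    "run_key": re.compile(r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\?$", re.I),
}

# Standard Base64 alphabet, at least 16 characters, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64(token):
    """Decode one token the way Convert.FromBase64String would.

    Returns the text if it is valid Base64 that decodes to printable UTF-8,
    otherwise None (binary payloads and non-Base64 noise are skipped).
    """
    token = token.strip()
    token += "=" * (-len(token) % 4)  # tolerate padding lost in extraction
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(text):
    """Names of the persistence hints that match the decoded text, sorted."""
    return sorted(name for name, rx in PERSISTENCE_HINTS.items() if rx.search(text))


def triage(tokens):
    """Decode each token and attach the persistence hints it matches."""
    rows = []
    for token in tokens:
        text = decode_b64(token)
        rows.append({"b64": token, "decoded": text, "hints": classify(text or "")})
    return rows


def scan_text(blob):
    """Pull Base64-looking tokens out of a strings dump (or a report line) and
    keep those that decode to printable text, in order of appearance."""
    found = []
    for match in B64_TOKEN.finditer(blob):
        text = decode_b64(match.group(0))
        if text is not None:
            found.append(text)
    return found


if __name__ == "__main__":
    for row in triage(OBSERVED):
        print(f"{row['b64'][:24]}... -> {row['decoded']!r} {row['hints']}")
```

The first literal is only the prefix of the schtasks command line (it ends in "/tn " with no task name), so the task name is supplied at run time; matching on the option string rather than on a full command line is what makes the hint usable against other builds of the same family.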
Source: cr0wdik.exe.0.dr Binary string: K`XD%machinename%%UserProfile%*\Documents and Settings\*\Local Settings\Temp\**\Documents and Settings\*\Local Settings\Temporary Internet Files\**\Documents and Settings\*\Cookies\**\AppData\Local\Temp\**\AppData\Roaming\Microsoft\Windows\Cookies\*.wmv.rmvb.rm.mpg.mp4.mov.mkv.flv.avi.3gp.wma.ra.mp3.ogg.mka.m4a.ac3.aac.xlsx.xls.pptx.ppt.txt.pdf.docx.doc..CacheSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders360SANDBOX\SHADOW360sandbox\filelist_page.xml::{26EE0668-A00A-44D7-9371-BEB064C98683}IDS_MEDIA_LIST_DESCIDS_DOCUMENT_LIST_DESCIDS_DELETE_PROMPT_MSGPreferred DropEffectIDS_COPY_PRMPT360SandBox\Shadow360SANDBOX\SHADOW\IDS_UPPER_FOLDERIDS_DATE_TIME_FMT%Y-%m-%d %H:%MC:\sxin.dllsxin64.dllSxWrapper.dllWINDOWS\SXIn.dllIDS_CRITICAL_FILE_PROMPT_MSG\Device\FloppyX
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00460A00 _memset,FindFirstVolumeW,GetLastError,GetDiskFreeSpaceExW,__aulldiv,FindNextVolumeW,GetLastError,FindVolumeClose, 0_2_00460A00
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0043E960 CoCreateInstance, 0_2_0043E960
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040C7C0 LoadLibraryExW,FindResourceW,SizeofResource,LoadResource,LockResource,_malloc,FreeResource,FreeLibrary,VerQueryValueW, 0_2_0040C7C0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe File created: C:\Users\user\Documents\ChromeUpdate Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Documento_Remisorio_Activo_N#8475684756..exe ReversingLabs: Detection: 23%
Source: Documento_Remisorio_Activo_N#8475684756..exe Virustotal: Detection: 35%
Source: Documento_Remisorio_Activo_N#8475684756..exe String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe File read: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe "C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe"
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" Jump to behavior
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Section loaded: k7rn7l32.dll Jump to behavior
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Section loaded: ntd3ll.dll Jump to behavior
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: Documento_Remisorio_Activo_N#8475684756..exe Static file information: File size 1313328 > 1048576
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\vmagent_new\bin\joblist\621001\out\Release\360boxmain.pdb source: Documento_Remisorio_Activo_N#8475684756..exe, cr0wdik.exe.0.dr
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" Jump to behavior
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00408110 LoadLibraryW,GetProcAddress, 0_2_00408110
Source: Documento_Remisorio_Activo_N#8475684756..exe Static PE information: real checksum: 0xee8a9 should be: 0x145c75
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00484671 push ecx; ret 0_2_00484684
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00484D46 push ecx; ret 0_2_00484D59
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00477950 push ecx; mov dword ptr [esp], 00000000h 0_2_00477951

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d 0_2_0049A650
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d 0_2_0049AA10
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: DeviceIoControl,CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_0049ABA0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_00479710
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe File created: C:\Users\user\Documents\ChromeUpdate\cr0wdik.exe Jump to dropped file

Boot Survival

Source: Yara match File source: 3.2.csc.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.c00000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3355880871.0000000000AA2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2282262613.0000000000C02000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2282125974.00000000004D4000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Documento_Remisorio_Activo_N#8475684756..exe PID: 4980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 712, type: MEMORYSTR
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d 0_2_0049A650
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d 0_2_0049AA10
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: DeviceIoControl,CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_0049ABA0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_00479710
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Muhandra Jump to behavior
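Taken together, the host-side entries in this report (the Run value written under HKCU, the DcRatMutex_qwqdanchun mutex created by csc.exe, csc.exe started by the sample with no arguments, cr0wdik.exe dropped under Documents\ChromeUpdate, and the loads of k7rn7l32.dll and ntd3ll.dll next to the real version.dll and kernel.appcore.dll) are the observations a detection engineer would turn into rules. The Python below is an added example, not part of the Joe Sandbox report and not the sample's code: EVENTS is constructed to mirror those entries, and the record schema ("kind", "image", "parent_image", ...) and rule names are this example's own rather than Sysmon's or Joe Sandbox's. The look-alike DLL rule uses edit distance to the real module names, which is an assumption about how such copies are named, not something the report states.

```python
"""Rule-based triage of host telemetry for the behaviours this report records.

Added example; it is not part of the Joe Sandbox report and not the sample's
code. EVENTS is constructed to mirror the report's entries; the record schema
('kind', 'image', 'parent_image', ...) and the rule names are this example's
own, not Sysmon's or Joe Sandbox's.
"""
import ntpath
import re

SAMPLE = r"C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

# Constructed telemetry modelled on the report; the last two records are
# benign controls (real DLLs the report also shows loading) that must not fire.
EVENTS = [
    {"kind": "process_create", "image": CSC, "cmdline": f'"{CSC}"', "parent_image": SAMPLE},
    {"kind": "registry_set", "image": SAMPLE, "value": "Muhandra",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"kind": "mutex_create", "image": CSC, "name": r"\Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun"},
    {"kind": "file_create", "image": SAMPLE, "path": r"C:\Users\user\Documents\ChromeUpdate\cr0wdik.exe"},
    {"kind": "image_load", "image": SAMPLE, "module": "k7rn7l32.dll"},
    {"kind": "image_load", "image": SAMPLE, "module": "ntd3ll.dll"},
    {"kind": "image_load", "image": SAMPLE, "module": "version.dll"},
    {"kind": "image_load", "image": CSC, "module": "kernel.appcore.dll"},
]

# DLLs that user-mode EDR hooks live in; a near-miss name is a strong sign of a
# private, unhooked copy loaded from disk (assumed naming pattern, see lead-in).
CRITICAL_DLL_STEMS = ("ntdll", "kernel32", "kernelbase", "user32", "advapi32", "ws2_32")
BUILD_HOSTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe"}
USER_PATH = re.compile(r"^[A-Za-z]:\\Users\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)


def levenshtein(a, b):
    """Edit distance; inputs are short, so the full DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base(path):
    """Lower-cased final path component; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def rule_csc_no_args(ev):
    # The C# compiler with nothing to compile, spawned from a user directory by
    # something that is not a build host: the report's injection target.
    if ev["kind"] != "process_create" or base(ev["image"]) != "csc.exe":
        return None
    if not USER_PATH.match(ev["parent_image"]) or base(ev["parent_image"]) in BUILD_HOSTS:
        return None
    if ev["cmdline"].strip().strip('"') != ev["image"]:
        return None
    return f"csc.exe started without arguments by {ev['parent_image']}"


def rule_run_key(ev):
    if ev["kind"] == "registry_set" and RUN_KEY.search(ev["key"]) and USER_PATH.match(ev["image"]):
        return f"Run value '{ev['value']}' written by {ev['image']}"
    return None


def rule_dcrat_mutex(ev):
    if ev["kind"] == "mutex_create" and base(ev["name"]).startswith("dcratmutex_"):
        return f"DcRat mutex {ntpath.basename(ev['name'])}"
    return None


def rule_pe_drop_documents(ev):
    if ev["kind"] == "file_create" and re.search(r"\\Documents\\.*\.exe$", ev["path"], re.I):
        return f"PE dropped to {ev['path']}"
    return None


def rule_lookalike_dll(ev):
    # One or two edits away from a critical DLL name, but not the name itself.
    if ev["kind"] != "image_load":
        return None
    stem = ntpath.splitext(base(ev["module"]))[0]
    for real in CRITICAL_DLL_STEMS:
        distance = levenshtein(stem, real)
        if 1 <= distance <= 2:
            return f"{ev['module']} is {distance} edit(s) from {real}.dll"
    return None


RULES = {
    "csc_no_args": rule_csc_no_args,
    "run_key_persistence": rule_run_key,
    "dcrat_mutex": rule_dcrat_mutex,
    "pe_drop_documents": rule_pe_drop_documents,
    "lookalike_system_dll": rule_lookalike_dll,
}


def triage(events):
    """Return (rule_name, detail) for every event/rule pair that fires."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append((name, detail))
    return hits


if __name__ == "__main__":
    for name, detail in triage(EVENTS):
        print(f"[{name}] {detail}")
```

The csc.exe rule keys on the absence of arguments rather than on the image name alone, because csc.exe is launched legitimately on developer machines; an argument-less instance parented by a binary in a user directory is the combination that is rare. The mutex rule matches the DcRatMutex_ prefix only, since the suffix (qwqdanchun here) is per-build.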
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00402A30 _memset,PathCombineW,GetCurrentProcessId,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00402A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 3.2.csc.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.c00000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3355880871.0000000000AA2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2282262613.0000000000C02000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2282125974.00000000004D4000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Documento_Remisorio_Activo_N#8475684756..exe PID: 4980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 712, type: MEMORYSTR
Source: Documento_Remisorio_Activo_N#8475684756..exe Binary or memory string: PROCESSHACKER.EXE
Source: Documento_Remisorio_Activo_N#8475684756..exe, 00000000.00000002.2282262613.0000000000C02000.00000040.00001000.00020000.00000000.sdmp, Documento_Remisorio_Activo_N#8475684756..exe, 00000000.00000002.2282125974.00000000004D4000.00000040.00000001.01000000.00000003.sdmp, csc.exe, 00000003.00000002.3355880871.0000000000AA2000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 5410000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 6F80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: 6A50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Dropped PE file which has not been started: C:\Users\user\Documents\ChromeUpdate\cr0wdik.exe
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe API coverage: 0.5 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00446E00 FindFirstFileW,StrCmpIW,StrCmpIW,StrCmpIW,FindNextFileW,FindClose, 0_2_00446E00
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0045F950 PathCombineW,_memset,_memset,PathCombineW,FindFirstFileW,_memset,PathCombineW,GetFileAttributesExW,FindNextFileW,FindClose, 0_2_0045F950
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00455960 _memset,FindFirstFileW,FindClose,GetLastError, 0_2_00455960
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_004554B0 GetModuleHandleA,GetProcAddress,GetSystemInfo, 0_2_004554B0
Source: csc.exe, 00000003.00000002.3356944146.0000000006C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0047E6EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0047E6EB
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0047C6F0 SetLastError,GetCurrentThreadId,GetProcessHeap,OpenThread,OpenThread,GetLastError,GetProcessHeap,HeapFree,OutputDebugStringW,CloseHandle, 0_2_0047C6F0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00408110 LoadLibraryW,GetProcAddress, 0_2_00408110
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0047EDE5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0047EDE5
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0047D402 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0047D402
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00481437 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00481437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, AntiProcess.cs Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, Win32.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, Win32.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, Amsi.cs Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: AA0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: AA0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: AA0000
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 79D008
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040A810 _memset,GetKeyboardState,keybd_event,keybd_event,SetForegroundWindow,keybd_event, 0_2_0040A810
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0049B1C0 cpuid 0_2_0049B1C0
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 0_2_00492133
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_0049224A
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 0_2_004922E2
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_00492356
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: GetLocaleInfoA, 0_2_00486441
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_00492528
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_004925E9
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: GetLocaleInfoA, 0_2_0049465E
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_00492650
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 0_2_0049268C
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 0_2_0048274E
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 0_2_004968EF
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 0_2_004968BB
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00496A2E
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00491419
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 0_2_00489AD1
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 0_2_00491A87
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 0_2_00491CDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00494483 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00494483
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0048B842 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_0048B842
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0040C640 _memset,_memset,GetVersionExW,GetModuleHandleW,GetProcAddress,_memset, 0_2_0040C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: 3.2.csc.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.4d44f2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.c00000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Documento_Remisorio_Activo_N#8475684756..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3355880871.0000000000AA2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2282262613.0000000000C02000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2282125974.00000000004D4000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Documento_Remisorio_Activo_N#8475684756..exe PID: 4980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 712, type: MEMORYSTR
Source: Documento_Remisorio_Activo_N#8475684756..exe, Documento_Remisorio_Activo_N#8475684756..exe, 00000000.00000002.2282262613.0000000000C02000.00000040.00001000.00020000.00000000.sdmp, Documento_Remisorio_Activo_N#8475684756..exe, 00000000.00000002.2282125974.00000000004D4000.00000040.00000001.01000000.00000003.sdmp, csc.exe, 00000003.00000002.3355880871.0000000000AA2000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: MSASCui.exe
Source: Documento_Remisorio_Activo_N#8475684756..exe, Documento_Remisorio_Activo_N#8475684756..exe, 00000000.00000002.2282262613.0000000000C02000.00000040.00001000.00020000.00000000.sdmp, Documento_Remisorio_Activo_N#8475684756..exe, 00000000.00000002.2282125974.00000000004D4000.00000040.00000001.01000000.00000003.sdmp, csc.exe, 00000003.00000002.3355880871.0000000000AA2000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: Documento_Remisorio_Activo_N#8475684756..exe Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: Documento_Remisorio_Activo_N#8475684756..exe, Documento_Remisorio_Activo_N#8475684756..exe, 00000000.00000002.2282262613.0000000000C02000.00000040.00001000.00020000.00000000.sdmp, Documento_Remisorio_Activo_N#8475684756..exe, 00000000.00000002.2282125974.00000000004D4000.00000040.00000001.01000000.00000003.sdmp, csc.exe, 00000003.00000002.3355880871.0000000000AA2000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: csc.exe PID: 712, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: csc.exe PID: 712, type: MEMORYSTR
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_00437330 RpcAsyncInitializeHandle,CreateEventW,RpcStringBindingComposeW,RpcBindingFromStringBindingW,WaitForSingleObject,RpcAsyncCompleteCall,CloseHandle,RpcStringFreeW,RpcBindingFree, 0_2_00437330
Source: C:\Users\user\Desktop\Documento_Remisorio_Activo_N#8475684756..exe Code function: 0_2_0043747D CloseHandle,RpcStringFreeW,RpcBindingFree, 0_2_0043747D