Windows Analysis Report
PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe
Overview
General Information
Detection | GuLoader, Remcos
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
Deletes itself after installation
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Maps a DLL or memory area into another process
Mass process execution to delay analysis
Obfuscated command line found
Sample uses process hollowing technique
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64native
- PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe (PID: 2980 cmdline: "C:\Users\user\Desktop\PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe" MD5: DBE4440D32DC0B20DEE76C192587AB33)
- cmd.exe (PID: 7836 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 2396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 1444 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 5380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6780 cmdline: cmd.exe /c set /a "227^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 2208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 1264 cmdline: cmd.exe /c set /a "255^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 3196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6500 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 3776 cmdline: cmd.exe /c set /a "253^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 3252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6732 cmdline: cmd.exe /c set /a "130^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 928 cmdline: cmd.exe /c set /a "131^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 4156 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 7600 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 2208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 1264 cmdline: cmd.exe /c set /a "242^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6500 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 3012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 7048 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6216 cmdline: cmd.exe /c set /a "208^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 5708 cmdline: cmd.exe /c set /a "197^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 1792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 4156 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 5108 cmdline: cmd.exe /c set /a "247^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 4620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 192 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 3448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 1084 cmdline: cmd.exe /c set /a "221^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 5472 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 1952 cmdline: cmd.exe /c set /a "240^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 1372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 3788 cmdline: cmd.exe /c set /a "153^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 4156 cmdline: cmd.exe /c set /a "220^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 5108 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 7596 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 1520 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 2208 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 5960 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 4740 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 2460 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 928 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 3544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 7276 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 3012 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 5680 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 3448 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 7276 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6348 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 1520 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 4156 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 4740 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6196 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 2516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 452 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 2280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 7588 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 3252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 3060 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 2208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 192 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 5680 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 1392 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6204 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 7964 cmdline: cmd.exe /c set /a "193^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6456 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 3776 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 3012 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 2700 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6940 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 1724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 1640 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 3252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6192 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 2516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 7040 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6668 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 3060 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6336 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 4156 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6688 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 5108 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 6780 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe (PID: 7048 cmdline: "C:\Users\user\Desktop\PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe" MD5: DBE4440D32DC0B20DEE76C192587AB33)
- PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe (PID: 732 cmdline: C:\Users\user\Desktop\PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe /stext "C:\Users\user\AppData\Local\Temp\blnru" MD5: DBE4440D32DC0B20DEE76C192587AB33)
- PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe (PID: 5748 cmdline: C:\Users\user\Desktop\PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe /stext "C:\Users\user\AppData\Local\Temp\dfsjvxzdl" MD5: DBE4440D32DC0B20DEE76C192587AB33)
- PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe (PID: 452 cmdline: C:\Users\user\Desktop\PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe /stext "C:\Users\user\AppData\Local\Temp\ohfuvpkfznra" MD5: DBE4440D32DC0B20DEE76C192587AB33)
- wscript.exe (PID: 2224 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\rrrsyhb.vbs" MD5: 4D780D8F77047EE1C65F747D9F63A1FE)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | |
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | |
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
| JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: |
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: |
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Michael Haag: |
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
---|---|---|---|---|---
04/26/24-09:42:02.921686 | 2032776 | 50301 | 3980 | TCP | A Network Trojan was detected
04/26/24-09:46:14.616756 | 2032777 | 3980 | 50301 | TCP | A Network Trojan was detected
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | File source: |
Source: | Code function: | 137_2_00404423 |
Source: | Static PE information: |
Source: | Code function: | 5_2_00405454 |
Source: | Code function: | 5_2_00405E7B |
Source: | Code function: | 137_2_0040AE51 |
Source: | Code function: | 138_2_00407EF8 |
Source: | Code function: | 139_2_00407898 |
Source: | File opened: |
Networking |
---|
Source: | Snort IDS: |
Source: | Snort IDS: |
Source: | DNS query: |
Source: | DNS query: |
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |