Edit tour

Windows Analysis Report
Remittance Copy.exe

Overview

General Information

Sample name:	Remittance Copy.exe
Analysis ID:	1596128
MD5:	51d320eaff611801eb17ee66c5014439
SHA1:	ba0e158af013acc307c208cc1a5bc36200a7f964
SHA256:	4dad634758a92e4c5cc6c53cf25e5f68defab0418a235963aae266753248e211
Tags:	exeuser-threatcat_ch
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code references suspicious native API functions

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Remittance Copy.exe (PID: 3808 cmdline: "C:\Users\user\Desktop\Remittance Copy.exe" MD5: 51D320EAFF611801EB17EE66C5014439)

RegSvcs.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\Remittance Copy.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "zorica.bogdanovic@pale.rs.ba", "Password": "zorica.bogdanovic", "Server": "mail.pale.rs.ba"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3291233502.0000000003676000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3291233502.0000000003676000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefb7:$a1: get_encryptedPassword 0xf2df:$a2: get_encryptedUsername 0xed52:$a3: get_timePasswordChanged 0xee73:$a4: get_passwordField 0xefcd:$a5: set_encryptedPassword 0x10929:$a7: get_logins 0x105da:$a8: GetOutlookPasswords 0x103cc:$a9: StartKeylogger 0x10879:$a10: KeyLoggerEventArgs 0x10429:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14167:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13665:$a3: \Google\Chrome\User Data\Default\Login Data 0x13973:$a4: \Orbitum\User Data\Default\Login Data 0x1476b:$a5: \Kometa\User Data\Default\Login Data
Process Memory Space: Remittance Copy.exe PID: 3808	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Remittance Copy.exe PID: 3808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Remittance Copy.exe PID: 3808	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Remittance Copy.exe PID: 3808	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4655a4:$a1: get_encryptedPassword 0x4658bd:$a2: get_encryptedUsername 0x465353:$a3: get_timePasswordChanged 0x465474:$a4: get_passwordField 0x4655ba:$a5: set_encryptedPassword 0x466ebd:$a7: get_logins 0x466b6e:$a8: GetOutlookPasswords 0x466960:$a9: StartKeylogger 0x466e0d:$a10: KeyLoggerEventArgs 0x4669bd:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6580	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6580	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6580	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6580	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x17bd:$a1: get_encryptedPassword 0x1ad6:$a2: get_encryptedUsername 0x156c:$a3: get_timePasswordChanged 0x168d:$a4: get_passwordField 0x17d3:$a5: set_encryptedPassword 0x30d6:$a7: get_logins 0x2d87:$a8: GetOutlookPasswords 0x2b79:$a9: StartKeylogger 0x3026:$a10: KeyLoggerEventArgs 0x2bd6:$a11: KeyLoggerEventArgsEventHandler
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Remittance Copy.exe.c20000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Remittance Copy.exe.c20000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Remittance Copy.exe.c20000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Remittance Copy.exe.c20000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
0.2.Remittance Copy.exe.c20000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14167:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13665:$a3: \Google\Chrome\User Data\Default\Login Data 0x13973:$a4: \Orbitum\User Data\Default\Login Data 0x1476b:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14167:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13665:$a3: \Google\Chrome\User Data\Default\Login Data 0x13973:$a4: \Orbitum\User Data\Default\Login Data 0x1476b:$a5: \Kometa\User Data\Default\Login Data
0.2.Remittance Copy.exe.c20000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Remittance Copy.exe.c20000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Remittance Copy.exe.c20000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Remittance Copy.exe.c20000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3b7:$a1: get_encryptedPassword 0xd6df:$a2: get_encryptedUsername 0xd152:$a3: get_timePasswordChanged 0xd273:$a4: get_passwordField 0xd3cd:$a5: set_encryptedPassword 0xed29:$a7: get_logins 0xe9da:$a8: GetOutlookPasswords 0xe7cc:$a9: StartKeylogger 0xec79:$a10: KeyLoggerEventArgs 0xe829:$a11: KeyLoggerEventArgsEventHandler
0.2.Remittance Copy.exe.c20000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12367:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11865:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b73:$a4: \Orbitum\User Data\Default\Login Data 0x1296b:$a5: \Kometa\User Data\Default\Login Data
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 162.215.96.254, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6580, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49706

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-21T17:52:59.907193+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	158.101.44.242	80	TCP
2025-01-21T17:53:07.891384+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3291233502.0000000003521000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "zorica.bogdanovic@pale.rs.ba", "Password": "zorica.bogdanovic", "Server": "mail.pale.rs.ba"}

Multi AV Scanner detection for submitted file

Source: Remittance Copy.exe	Virustotal: Detection: 26%			Perma Link
Source: Remittance Copy.exe	ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Remittance Copy.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Remittance Copy.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: Remittance Copy.exe, 00000000.00000003.2041476228.0000000003840000.00000004.00001000.00020000.00000000.sdmp, Remittance Copy.exe, 00000000.00000003.2041292189.00000000036A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Remittance Copy.exe, 00000000.00000003.2041476228.0000000003840000.00000004.00001000.00020000.00000000.sdmp, Remittance Copy.exe, 00000000.00000003.2041292189.00000000036A0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_003460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_003460DD
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_003463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_003463F9
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0034EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0034EB60
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00346CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00346CA9
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0034F56F FindFirstFileW,FindClose,	0_2_0034F56F
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0034F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0034F5FA
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00351B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00351B2F
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00351C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00351C8A
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00351F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00351F94

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01995782h	2_2_01995358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 019951B9h	2_2_01994F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01995782h	2_2_019956AF

Source: global traffic

TCP traffic: 192.168.2.5:55769 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 158.101.44.242:80

Source: global traffic

TCP traffic: 192.168.2.5:49706 -> 162.215.96.254:25

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_00354EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00354EB5

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: mail.pale.rs.ba

Source: RegSvcs.exe, 00000002.00000002.3291233502.00000000035A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.3291233502.00000000035A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000002.00000002.3291233502.0000000003676000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3291233502.00000000035A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3291233502.000000000358E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3291233502.0000000003521000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.3291233502.0000000003676000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3291233502.00000000035A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: Remittance Copy.exe, 00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3291233502.00000000035A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000002.00000002.3291233502.0000000003676000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.pale.rs.ba
Source: RegSvcs.exe, 00000002.00000002.3291233502.0000000003676000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.pale.rs.bad
Source: RegSvcs.exe, 00000002.00000002.3291233502.00000000035BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.3291233502.00000000035BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000002.00000002.3291233502.0000000003521000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3291233502.0000000003676000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Remittance Copy.exe, 00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.3291233502.00000000035A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Remittance Copy.exe, 00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3291233502.00000000035A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.3291233502.00000000035A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000002.00000002.3291233502.00000000035A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_00356B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00356B0C

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_00356D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00356D07

Source: C:\Users\user\Desktop\Remittance Copy.exe

0_2_00356B0C

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_00342B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00342B37

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0036F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0036F7FF

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Remittance Copy.exe.c20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Remittance Copy.exe.c20000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: Remittance Copy.exe PID: 3808, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6580, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00303D19
Source: Remittance Copy.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Remittance Copy.exe, 00000000.00000000.2030859218.00000000003AE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_db5321e6-7
Source: Remittance Copy.exe, 00000000.00000000.2030859218.00000000003AE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: 3SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c06b7142-e
Source: Remittance Copy.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d0dd826f-2
Source: Remittance Copy.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bfa625b2-b

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_00346606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00346606

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0033ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0033ACC5

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_003479D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_003479D3

Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0030E3B0	0_2_0030E3B0
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00313200	0_2_00313200
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00313B70	0_2_00313B70
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0033410F	0_2_0033410F
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_003202A4	0_2_003202A4
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0033038E	0_2_0033038E
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0033467F	0_2_0033467F
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_003206D9	0_2_003206D9
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0036AACE	0_2_0036AACE
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00334BEF	0_2_00334BEF
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0032CCC1	0_2_0032CCC1
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00306F07	0_2_00306F07
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0030AF50	0_2_0030AF50
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0032B043	0_2_0032B043
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0031B11F	0_2_0031B11F
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_003631BC	0_2_003631BC
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0032D1B9	0_2_0032D1B9
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0032123A	0_2_0032123A
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0033724D	0_2_0033724D
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_003093F0	0_2_003093F0
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_003413CA	0_2_003413CA
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0031F563	0_2_0031F563
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_003096C0	0_2_003096C0
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0034B6CC	0_2_0034B6CC
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_003077B0	0_2_003077B0
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0036F7FF	0_2_0036F7FF
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_003379C9	0_2_003379C9
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0031FA57	0_2_0031FA57
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00309B60	0_2_00309B60
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00307D19	0_2_00307D19
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0031FE6F	0_2_0031FE6F
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00329ED0	0_2_00329ED0
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00307FA3	0_2_00307FA3
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00CB62A8	0_2_00CB62A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0199C168	2_2_0199C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0199CAB0	2_2_0199CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01992DD1	2_2_01992DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01994F08	2_2_01994F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01997E68	2_2_01997E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0199B9E0	2_2_0199B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0199CAAF	2_2_0199CAAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01994EF8	2_2_01994EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01997E67	2_2_01997E67

Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: String function: 0032F8A0 appears 35 times
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: String function: 00326AC0 appears 42 times
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: String function: 0031EC2F appears 68 times

Source: Remittance Copy.exe, 00000000.00000003.2040475056.00000000037C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Remittance Copy.exe
Source: Remittance Copy.exe, 00000000.00000003.2039857704.000000000396D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Remittance Copy.exe
Source: Remittance Copy.exe, 00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Remittance Copy.exe

Source: Remittance Copy.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Remittance Copy.exe.c20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Remittance Copy.exe.c20000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: Remittance Copy.exe PID: 3808, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6580, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0034CE7A GetLastError,FormatMessageW,

0_2_0034CE7A

Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0033AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0033AB84
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0033B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0033B134

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0034E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0034E1FD

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_00346532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00346532

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0035C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0035C18C

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0030406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0030406B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Remittance Copy.exe

File created: C:\Users\user\AppData\Local\Temp\hurtling

Jump to behavior

Source: Remittance Copy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Remittance Copy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3291233502.0000000003610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3291233502.0000000003600000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3291763381.000000000454D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3291233502.000000000361E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3291233502.0000000003633000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3291233502.000000000363F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Remittance Copy.exe	Virustotal: Detection: 26%
Source: Remittance Copy.exe	ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\Remittance Copy.exe "C:\Users\user\Desktop\Remittance Copy.exe"
Source: C:\Users\user\Desktop\Remittance Copy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Remittance Copy.exe"
Source: C:\Users\user\Desktop\Remittance Copy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Remittance Copy.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Remittance Copy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Copy.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Copy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Copy.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Copy.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Copy.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Copy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Copy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Copy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Copy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Copy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Copy.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Remittance Copy.exe

Static file information: File size 1174016 > 1048576

Source: Remittance Copy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Remittance Copy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Remittance Copy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Remittance Copy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Remittance Copy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Remittance Copy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Remittance Copy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Remittance Copy.exe, 00000000.00000003.2041476228.0000000003840000.00000004.00001000.00020000.00000000.sdmp, Remittance Copy.exe, 00000000.00000003.2041292189.00000000036A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Remittance Copy.exe, 00000000.00000003.2041476228.0000000003840000.00000004.00001000.00020000.00000000.sdmp, Remittance Copy.exe, 00000000.00000003.2041292189.00000000036A0000.00000004.00001000.00020000.00000000.sdmp

Source: Remittance Copy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Remittance Copy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Remittance Copy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Remittance Copy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Remittance Copy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0031E01E LoadLibraryA,GetProcAddress,

0_2_0031E01E

Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0031288B push 66003123h; retn 0037h		0_2_003128E1
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00326B05 push ecx; ret		0_2_00326B18

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (72).png

Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00368111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00368111
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0031EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0031EB42

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0032123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0032123A

Source: C:\Users\user\Desktop\Remittance Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Remittance Copy.exe

API/Special instruction interceptor: Address: CB5ECC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8339			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1485			Jump to behavior

Source: C:\Users\user\Desktop\Remittance Copy.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-95811

Source: C:\Users\user\Desktop\Remittance Copy.exe

API coverage: 4.0 %

Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_003460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_003460DD
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_003463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_003463F9
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0034EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0034EB60
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00346CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00346CA9
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0034F56F FindFirstFileW,FindClose,	0_2_0034F56F
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0034F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0034F5FA
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00351B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00351B2F
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00351C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00351C8A
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00351F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00351F94

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0031DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0031DDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99650	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96107	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95994	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95877	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95091	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94188	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3290265663.0000000001458000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Remittance Copy.exe

API call chain: ExitProcess graph end node

graph_0-95245

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_0199C168 LdrInitializeThunk,LdrInitializeThunk,

2_2_0199C168

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_00356AAF BlockInput,

0_2_00356AAF

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_00303D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00303D19

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_00333920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00333920

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0031E01E LoadLibraryA,GetProcAddress,

0_2_0031E01E

Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00CB6198 mov eax, dword ptr fs:[00000030h]	0_2_00CB6198
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00CB6138 mov eax, dword ptr fs:[00000030h]	0_2_00CB6138
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00CB4B18 mov eax, dword ptr fs:[00000030h]	0_2_00CB4B18

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0033A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0033A66C

Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_003281AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_003281AC
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00328189 SetUnhandledExceptionFilter,		0_2_00328189

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Remittance Copy.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Remittance Copy.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1051008

Jump to behavior

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0033B106 LogonUserW,

0_2_0033B106

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_00303D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00303D19

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0034411C SendInput,keybd_event,

0_2_0034411C

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_003474BB mouse_event,

0_2_003474BB

Source: C:\Users\user\Desktop\Remittance Copy.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Remittance Copy.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Remittance Copy.exe

0_2_0033A66C

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_003471FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_003471FA

Source: Remittance Copy.exe	Binary or memory string: Shell_TrayWnd
Source: Remittance Copy.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_003265C4 cpuid

0_2_003265C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0035091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0035091D

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0037B340 GetUserNameW,

0_2_0037B340

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_00331E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00331E8E

Source: C:\Users\user\Desktop\Remittance Copy.exe

Code function: 0_2_0031DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0031DDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Remittance Copy.exe, 00000000.00000002.2045748525.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: mcupdate.exe

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Copy.exe.c20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Remittance Copy.exe PID: 3808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6580, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Copy.exe.c20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3291233502.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Remittance Copy.exe PID: 3808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6580, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Remittance Copy.exe	Binary or memory string: WIN_81
Source: Remittance Copy.exe	Binary or memory string: WIN_XP
Source: Remittance Copy.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: Remittance Copy.exe	Binary or memory string: WIN_XPe
Source: Remittance Copy.exe	Binary or memory string: WIN_VISTA
Source: Remittance Copy.exe	Binary or memory string: WIN_7
Source: Remittance Copy.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Copy.exe.c20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3291233502.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Remittance Copy.exe PID: 3808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6580, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Copy.exe.c20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Remittance Copy.exe PID: 3808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6580, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Remittance Copy.exe.c20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Copy.exe.c20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3291233502.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3290129049.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2043636214.0000000000C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Remittance Copy.exe PID: 3808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6580, type: MEMORYSTR

Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_00358C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00358C4F
Source: C:\Users\user\Desktop\Remittance Copy.exe	Code function: 0_2_0035923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0035923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	12 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	121 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Remittance Copy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Remittance Copy.exe