Windows Analysis Report
Payment slip_pdf.pif.exe

Overview

General Information

Sample name: Payment slip_pdf.pif.exe
Analysis ID: 1638157
MD5: 9dd85c31485ec45ec0e45413698ba89a
SHA1: 3060711676279d3e8cad80f767fffb359bf43bc0
SHA256: d64cc2c7665ad1a75e68a45a82eddc59a25c056e36ecfdebf6450207ca61ae8e
Tags: exe, user-julianmckein

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected Remcos RAT
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
Creates autostart registry keys with suspicious names
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Sample file name is different from the original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection

Source: C:\ProgramData\Remcos\remcos.exe Virustotal: Detection: 24%
Source: C:\ProgramData\Remcos\remcos.exe ReversingLabs: Detection: 21%
Source: Payment slip_pdf.pif.exe Virustotal: Detection: 24%
Source: Payment slip_pdf.pif.exe ReversingLabs: Detection: 21%
Source: Yara match File source: 0000000C.00000002.2108185461.0000000005671000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment slip_pdf.pif.exe PID: 1920, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Payment slip_pdf.pif.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405475
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_00405E9C FindFirstFileA,FindClose, 0_2_00405E9C
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_0040264F FindFirstFileA, 0_2_0040264F
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 12_2_0040264F FindFirstFileA, 12_2_0040264F
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 12_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 12_2_00405475
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 12_2_00405E9C FindFirstFileA,FindClose, 12_2_00405E9C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 13_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 13_2_00405475
Source: C:\ProgramData\Remcos\remcos.exe Code function: 13_2_00405E9C FindFirstFileA,FindClose, 13_2_00405E9C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 13_2_0040264F FindFirstFileA, 13_2_0040264F
Source: C:\ProgramData\Remcos\remcos.exe Code function: 15_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 15_2_00405475
Source: C:\ProgramData\Remcos\remcos.exe Code function: 15_2_00405E9C FindFirstFileA,FindClose, 15_2_00405E9C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 15_2_0040264F FindFirstFileA, 15_2_0040264F
Source: C:\ProgramData\Remcos\remcos.exe Code function: 16_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 16_2_00405475
Source: C:\ProgramData\Remcos\remcos.exe Code function: 16_2_00405E9C FindFirstFileA,FindClose, 16_2_00405E9C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 16_2_0040264F FindFirstFileA, 16_2_0040264F
Source: C:\ProgramData\Remcos\remcos.exe Code function: 17_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 17_2_00405475
Source: C:\ProgramData\Remcos\remcos.exe Code function: 17_2_00405E9C FindFirstFileA,FindClose, 17_2_00405E9C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 17_2_0040264F FindFirstFileA, 17_2_0040264F
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\kabinetssekretr\Idriftstte\Regimentets
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\kabinetssekretr\Idriftstte
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\kabinetssekretr
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49724 -> 216.58.206.78:443
Source: global traffic HTTP traffic detected:
  GET /uc?export=download&id=1tGFKOOy5IKzQd8rTIWKS81wv12OARueJ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /download?id=1tGFKOOy5IKzQd8rTIWKS81wv12OARueJ&export=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: remcos.exe, remcos.exe, 00000011.00000000.2380438690.0000000000409000.00000008.00000001.01000000.0000000A.sdmp, remcos.exe, 00000011.00000002.2503857103.0000000000409000.00000004.00000001.01000000.0000000A.sdmp, Payment slip_pdf.pif.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Payment slip_pdf.pif.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Payment slip_pdf.pif.exe, 0000000C.00000003.2016668250.0000000005677000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.0000000005625000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2165121027.0000000034C90000.00000004.00001000.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.0000000005641000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1tGFKOOy5IKzQd8rTIWKS81wv12OARueJ
Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.0000000005671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.0000000005641000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1tGFKOOy5IKzQd8rTIWKS81wv12OARueJ&export=download
Source: Payment slip_pdf.pif.exe, 0000000C.00000003.2016668250.0000000005677000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: Payment slip_pdf.pif.exe, 0000000C.00000003.2016668250.0000000005677000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Payment slip_pdf.pif.exe, 0000000C.00000003.2016668250.0000000005677000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: Payment slip_pdf.pif.exe, 0000000C.00000003.2016668250.0000000005677000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: Payment slip_pdf.pif.exe, 0000000C.00000003.2016668250.0000000005677000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_00404FE3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FE3

E-Banking Fraud

Source: Yara match File source: 0000000C.00000002.2108185461.0000000005671000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment slip_pdf.pif.exe PID: 1920, type: MEMORYSTR

System Summary

Source: initial sample Static PE information: Filename: Payment slip_pdf.pif.exe
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040310B
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 12_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 12_2_0040310B
Source: C:\ProgramData\Remcos\remcos.exe Code function: 13_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 13_2_0040310B
Source: C:\ProgramData\Remcos\remcos.exe Code function: 15_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 15_2_0040310B
Source: C:\ProgramData\Remcos\remcos.exe Code function: 16_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 16_2_0040310B
Source: C:\ProgramData\Remcos\remcos.exe Code function: 17_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 17_2_0040310B
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_00404822 0_2_00404822
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_004062C3 0_2_004062C3
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_00406A9A 0_2_00406A9A
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 12_2_00404822 12_2_00404822
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 12_2_004062C3 12_2_004062C3
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 12_2_00406A9A 12_2_00406A9A
Source: C:\ProgramData\Remcos\remcos.exe Code function: 13_2_00404822 13_2_00404822
Source: C:\ProgramData\Remcos\remcos.exe Code function: 13_2_004062C3 13_2_004062C3
Source: C:\ProgramData\Remcos\remcos.exe Code function: 13_2_00406A9A 13_2_00406A9A
Source: C:\ProgramData\Remcos\remcos.exe Code function: 15_2_00404822 15_2_00404822
Source: C:\ProgramData\Remcos\remcos.exe Code function: 15_2_004062C3 15_2_004062C3
Source: C:\ProgramData\Remcos\remcos.exe Code function: 15_2_00406A9A 15_2_00406A9A
Source: C:\ProgramData\Remcos\remcos.exe Code function: 16_2_00404822 16_2_00404822
Source: C:\ProgramData\Remcos\remcos.exe Code function: 16_2_004062C3 16_2_004062C3
Source: C:\ProgramData\Remcos\remcos.exe Code function: 16_2_00406A9A 16_2_00406A9A
Source: C:\ProgramData\Remcos\remcos.exe Code function: 17_2_00404822 17_2_00404822
Source: C:\ProgramData\Remcos\remcos.exe Code function: 17_2_004062C3 17_2_004062C3
Source: C:\ProgramData\Remcos\remcos.exe Code function: 17_2_00406A9A 17_2_00406A9A
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nsc2507.tmp\System.dll 3B6A5CB2A3C091814FCE297C04FB677F72732FB21615102C62A195FDC2E7DFAC
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nscFE55.tmp\System.dll 3B6A5CB2A3C091814FCE297C04FB677F72732FB21615102C62A195FDC2E7DFAC
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: String function: 00402A07 appears 51 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 004029EA appears 48 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 00402A07 appears 104 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 00405B98 appears 77 times
Source: C:\ProgramData\Remcos\remcos.exe Code function: String function: 00405BBA appears 39 times
Source: Payment slip_pdf.pif.exe, 00000000.00000002.1906497905.000000000044B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemervrdiafgifts jeglasset.exeD vs Payment slip_pdf.pif.exe
Source: Payment slip_pdf.pif.exe, 0000000C.00000000.1902439673.000000000044B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemervrdiafgifts jeglasset.exeD vs Payment slip_pdf.pif.exe
Source: Payment slip_pdf.pif.exe Binary or memory string: OriginalFilenamemervrdiafgifts jeglasset.exeD vs Payment slip_pdf.pif.exe
Source: Payment slip_pdf.pif.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/25@2/2
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_004042E6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004042E6
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar, 0_2_00402036
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe File created: C:\Users\user\AppData\Local\kabinetssekretr
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-4U257D
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe File created: C:\Users\user\AppData\Local\Temp\nsp6083.tmp
Source: Payment slip_pdf.pif.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Payment slip_pdf.pif.exe Virustotal: Detection: 24%
Source: Payment slip_pdf.pif.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe File read: C:\Users\user\Desktop\Payment slip_pdf.pif.exe
Source: unknown Process created: C:\Users\user\Desktop\Payment slip_pdf.pif.exe "C:\Users\user\Desktop\Payment slip_pdf.pif.exe"
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process created: C:\Users\user\Desktop\Payment slip_pdf.pif.exe "C:\Users\user\Desktop\Payment slip_pdf.pif.exe"
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process created: C:\Users\user\Desktop\Payment slip_pdf.pif.exe "C:\Users\user\Desktop\Payment slip_pdf.pif.exe"
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: shfolder.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: propsys.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: riched20.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: usp10.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: msls31.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textshaping.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textinputframework.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: shfolder.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: propsys.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: riched20.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: usp10.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: msls31.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textshaping.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textinputframework.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: shfolder.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: propsys.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: riched20.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: usp10.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: msls31.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: propsys.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: riched20.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: usp10.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: msls31.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe File written: C:\Users\user\AppData\Local\kabinetssekretr\Idriftstte\craniom.ini Jump to behavior

Data Obfuscation

Source: Yara match File source: 00000000.00000002.1956767588.0000000009A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_00405EC3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405EC3
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_10002CE0 push eax; ret 0_2_10002D0E
Source: C:\ProgramData\Remcos\remcos.exe File created: C:\Users\user\AppData\Local\Temp\nscFE55.tmp\System.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe File created: C:\Users\user\AppData\Local\Temp\nsv644C.tmp\System.dll
Source: C:\ProgramData\Remcos\remcos.exe File created: C:\Users\user\AppData\Local\Temp\nsoDBD9.tmp\System.dll
Source: C:\ProgramData\Remcos\remcos.exe File created: C:\Users\user\AppData\Local\Temp\nsgAF89.tmp\System.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe File created: C:\ProgramData\Remcos\remcos.exe
Source: C:\ProgramData\Remcos\remcos.exe File created: C:\Users\user\AppData\Local\Temp\nsc2507.tmp\System.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe File created: C:\ProgramData\Remcos\remcos.exe

Boot Survival

Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe API/Special instruction interceptor: Address: 9D2BC5A
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe API/Special instruction interceptor: Address: 4D8BC5A
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe RDTSC instruction interceptor: First address: 9CEDC9F second address: 9CEDC9F instructions:
  0x00000000 rdtsc
  0x00000002 cmp ebx, ecx
  0x00000004 jc 00007F646D1FA9E6h
  0x00000006 test al, bl
  0x00000008 inc ebp
  0x00000009 test ah, ch
  0x0000000b inc ebx
  0x0000000c rdtsc
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe RDTSC instruction interceptor: First address: 4D4DC9F second address: 4D4DC9F instructions:
  0x00000000 rdtsc
  0x00000002 cmp ebx, ecx
  0x00000004 jc 00007F646C7DB176h
  0x00000006 test al, bl
  0x00000008 inc ebp
  0x00000009 test ah, ch
  0x0000000b inc ebx
  0x0000000c rdtsc
Source: C:\ProgramData\Remcos\remcos.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscFE55.tmp\System.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv644C.tmp\System.dll
Source: C:\ProgramData\Remcos\remcos.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoDBD9.tmp\System.dll
Source: C:\ProgramData\Remcos\remcos.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsgAF89.tmp\System.dll
Source: C:\ProgramData\Remcos\remcos.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc2507.tmp\System.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405475
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_00405E9C FindFirstFileA,FindClose, 0_2_00405E9C
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_0040264F FindFirstFileA, 0_2_0040264F
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 12_2_0040264F FindFirstFileA, 12_2_0040264F
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 12_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 12_2_00405475
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 12_2_00405E9C FindFirstFileA,FindClose, 12_2_00405E9C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 13_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 13_2_00405475
Source: C:\ProgramData\Remcos\remcos.exe Code function: 13_2_00405E9C FindFirstFileA,FindClose, 13_2_00405E9C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 13_2_0040264F FindFirstFileA, 13_2_0040264F
Source: C:\ProgramData\Remcos\remcos.exe Code function: 15_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 15_2_00405475
Source: C:\ProgramData\Remcos\remcos.exe Code function: 15_2_00405E9C FindFirstFileA,FindClose, 15_2_00405E9C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 15_2_0040264F FindFirstFileA, 15_2_0040264F
Source: C:\ProgramData\Remcos\remcos.exe Code function: 16_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 16_2_00405475
Source: C:\ProgramData\Remcos\remcos.exe Code function: 16_2_00405E9C FindFirstFileA,FindClose, 16_2_00405E9C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 16_2_0040264F FindFirstFileA, 16_2_0040264F
Source: C:\ProgramData\Remcos\remcos.exe Code function: 17_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 17_2_00405475
Source: C:\ProgramData\Remcos\remcos.exe Code function: 17_2_00405E9C FindFirstFileA,FindClose, 17_2_00405E9C
Source: C:\ProgramData\Remcos\remcos.exe Code function: 17_2_0040264F FindFirstFileA, 17_2_0040264F
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\kabinetssekretr\Idriftstte\Regimentets
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\kabinetssekretr\Idriftstte
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local\kabinetssekretr
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData
Source: C:\ProgramData\Remcos\remcos.exe File opened: C:\Users\user\AppData\Local
Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.0000000005641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$
Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.0000000005625000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW=A(
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Remcos\remcos.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Remcos\remcos.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Remcos\remcos.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Remcos\remcos.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Remcos\remcos.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Remcos\remcos.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Remcos\remcos.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Remcos\remcos.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_00405EC3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405EC3
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process created: C:\Users\user\Desktop\Payment slip_pdf.pif.exe "C:\Users\user\Desktop\Payment slip_pdf.pif.exe"
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Code function: 0_2_00405BBA GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405BBA

Stealing of Sensitive Information

Source: Yara match File source: 0000000C.00000002.2108185461.0000000005671000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment slip_pdf.pif.exe PID: 1920, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-4U257D
Source: Yara match File source: 0000000C.00000002.2108185461.0000000005671000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment slip_pdf.pif.exe PID: 1920, type: MEMORYSTR