
Windows Analysis Report
Payment slip_pdf.pif.exe

Overview

General Information

Sample name: Payment slip_pdf.pif.exe
Analysis ID: 1638157
MD5: 9dd85c31485ec45ec0e45413698ba89a
SHA1: 3060711676279d3e8cad80f767fffb359bf43bc0
SHA256: d64cc2c7665ad1a75e68a45a82eddc59a25c056e36ecfdebf6450207ca61ae8e
Tags: exe, user-julianmckein

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected Remcos RAT
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
Creates autostart registry keys with suspicious names
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Payment slip_pdf.pif.exe (PID: 8184 cmdline: "C:\Users\user\Desktop\Payment slip_pdf.pif.exe" MD5: 9DD85C31485EC45EC0E45413698BA89A)
    • Payment slip_pdf.pif.exe (PID: 1920 cmdline: "C:\Users\user\Desktop\Payment slip_pdf.pif.exe" MD5: 9DD85C31485EC45EC0E45413698BA89A)
      • remcos.exe (PID: 3940 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9DD85C31485EC45EC0E45413698BA89A)
  • remcos.exe (PID: 4948 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9DD85C31485EC45EC0E45413698BA89A)
  • remcos.exe (PID: 7956 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9DD85C31485EC45EC0E45413698BA89A)
  • remcos.exe (PID: 6492 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9DD85C31485EC45EC0E45413698BA89A)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 0000000C.00000002.2108185461.0000000005671000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.1956767588.0000000009A20000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
Source: Process Memory Space: Payment slip_pdf.pif.exe PID: 1920 | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Payment slip_pdf.pif.exe, ProcessId: 1920, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-4U257D
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Payment slip_pdf.pif.exe, ProcessId: 1920, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-4U257D
Timestamp: 2025-03-14T09:09:15.986780+0100 | SID: 2803270 | Severity: 2 | Classtype: Potentially Bad Traffic | Source IP: 192.168.2.5 | Source Port: 49724 | Destination IP: 216.58.206.78 | Destination Port: 443 | Protocol: TCP


AV Detection

Source: C:\ProgramData\Remcos\remcos.exe | Virustotal: Detection: 24%
Source: C:\ProgramData\Remcos\remcos.exe | ReversingLabs: Detection: 21%
Source: Payment slip_pdf.pif.exe | Virustotal: Detection: 24%
Source: Payment slip_pdf.pif.exe | ReversingLabs: Detection: 21%
Source: Yara match | File source: 0000000C.00000002.2108185461.0000000005671000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment slip_pdf.pif.exe PID: 1920, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Payment slip_pdf.pif.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_00405E9C FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_0040264F FindFirstFileA
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 12_2_0040264F FindFirstFileA
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 12_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 12_2_00405E9C FindFirstFileA,FindClose
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 13_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 13_2_00405E9C FindFirstFileA,FindClose
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 13_2_0040264F FindFirstFileA
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 15_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 15_2_00405E9C FindFirstFileA,FindClose
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 15_2_0040264F FindFirstFileA
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 16_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 16_2_00405E9C FindFirstFileA,FindClose
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 16_2_0040264F FindFirstFileA
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 17_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 17_2_00405E9C FindFirstFileA,FindClose
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 17_2_0040264F FindFirstFileA
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\kabinetssekretr\Idriftstte\Regimentets
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\kabinetssekretr\Idriftstte
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\kabinetssekretr
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData
Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49724 -> 216.58.206.78:443
Source: global traffic | HTTP traffic detected:
  GET /uc?export=download&id=1tGFKOOy5IKzQd8rTIWKS81wv12OARueJ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /download?id=1tGFKOOy5IKzQd8rTIWKS81wv12OARueJ&export=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
  GET /uc?export=download&id=1tGFKOOy5IKzQd8rTIWKS81wv12OARueJ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /download?id=1tGFKOOy5IKzQd8rTIWKS81wv12OARueJ&export=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: remcos.exe, remcos.exe, 00000011.00000000.2380438690.0000000000409000.00000008.00000001.01000000.0000000A.sdmp, remcos.exe, 00000011.00000002.2503857103.0000000000409000.00000004.00000001.01000000.0000000A.sdmp, Payment slip_pdf.pif.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Payment slip_pdf.pif.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Payment slip_pdf.pif.exe, 0000000C.00000003.2016668250.0000000005677000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.0000000005625000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2165121027.0000000034C90000.00000004.00001000.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.0000000005641000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1tGFKOOy5IKzQd8rTIWKS81wv12OARueJ
Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.0000000005671000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.0000000005641000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1tGFKOOy5IKzQd8rTIWKS81wv12OARueJ&export=download
Source: Payment slip_pdf.pif.exe, 0000000C.00000003.2016668250.0000000005677000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: Payment slip_pdf.pif.exe, 0000000C.00000003.2016668250.0000000005677000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Payment slip_pdf.pif.exe, 0000000C.00000003.2016668250.0000000005677000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: Payment slip_pdf.pif.exe, 0000000C.00000003.2016668250.0000000005677000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: Payment slip_pdf.pif.exe, 0000000C.00000003.2016668250.0000000005677000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000003.2016611503.0000000005677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_00404FE3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

E-Banking Fraud

Source: Yara match | File source: 0000000C.00000002.2108185461.0000000005671000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment slip_pdf.pif.exe PID: 1920, type: MEMORYSTR

System Summary

Source: initial sample | Static PE information: Filename: Payment slip_pdf.pif.exe
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 12_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 13_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 15_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 16_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 17_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_00404822
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_004062C3
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_00406A9A
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 12_2_00404822
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 12_2_004062C3
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 12_2_00406A9A
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 13_2_00404822
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 13_2_004062C3
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 13_2_00406A9A
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 15_2_00404822
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 15_2_004062C3
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 15_2_00406A9A
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 16_2_00404822
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 16_2_004062C3
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 16_2_00406A9A
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 17_2_00404822
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 17_2_004062C3
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 17_2_00406A9A
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsc2507.tmp\System.dll 3B6A5CB2A3C091814FCE297C04FB677F72732FB21615102C62A195FDC2E7DFAC
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nscFE55.tmp\System.dll 3B6A5CB2A3C091814FCE297C04FB677F72732FB21615102C62A195FDC2E7DFAC
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: String function: 00402A07 appears 51 times
Source: C:\ProgramData\Remcos\remcos.exe | Code function: String function: 004029EA appears 48 times
Source: C:\ProgramData\Remcos\remcos.exe | Code function: String function: 00402A07 appears 104 times
Source: C:\ProgramData\Remcos\remcos.exe | Code function: String function: 00405B98 appears 77 times
Source: C:\ProgramData\Remcos\remcos.exe | Code function: String function: 00405BBA appears 39 times
Source: Payment slip_pdf.pif.exe, 00000000.00000002.1906497905.000000000044B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemervrdiafgifts jeglasset.exeD vs Payment slip_pdf.pif.exe
Source: Payment slip_pdf.pif.exe, 0000000C.00000000.1902439673.000000000044B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemervrdiafgifts jeglasset.exeD vs Payment slip_pdf.pif.exe
Source: Payment slip_pdf.pif.exe | Binary or memory string: OriginalFilenamemervrdiafgifts jeglasset.exeD vs Payment slip_pdf.pif.exe
Source: Payment slip_pdf.pif.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/25@2/2
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_004042E6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | File created: C:\Users\user\AppData\Local\kabinetssekretr
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-4U257D
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | File created: C:\Users\user\AppData\Local\Temp\nsp6083.tmp
Source: Payment slip_pdf.pif.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Payment slip_pdf.pif.exe | Virustotal: Detection: 24%
Source: Payment slip_pdf.pif.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | File read: C:\Users\user\Desktop\Payment slip_pdf.pif.exe
Source: unknown | Process created: C:\Users\user\Desktop\Payment slip_pdf.pif.exe "C:\Users\user\Desktop\Payment slip_pdf.pif.exe"
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process created: C:\Users\user\Desktop\Payment slip_pdf.pif.exe "C:\Users\user\Desktop\Payment slip_pdf.pif.exe"
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process created: C:\Users\user\Desktop\Payment slip_pdf.pif.exe "C:\Users\user\Desktop\Payment slip_pdf.pif.exe"
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: version.dll
Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: shfolder.dll
Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: propsys.dll
Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: profapi.dll
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: riched20.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: usp10.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: msls31.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: shfolder.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wldp.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: propsys.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: profapi.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: riched20.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: usp10.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: msls31.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: shfolder.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wldp.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: propsys.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: profapi.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: riched20.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: usp10.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: msls31.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: shfolder.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wldp.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: propsys.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: profapi.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: riched20.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: usp10.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: msls31.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\ProgramData\Remcos\remcos.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exeFile written: C:\Users\user\AppData\Local\kabinetssekretr\Idriftstte\craniom.iniJump to behavior

        Data Obfuscation

        Source: Yara match | File source: 00000000.00000002.1956767588.0000000009A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_00405EC3 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405EC3
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_10002CE0 push eax; ret 0_2_10002D0E
        Source: C:\ProgramData\Remcos\remcos.exe | File created: C:\Users\user\AppData\Local\Temp\nscFE55.tmp\System.dll
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | File created: C:\Users\user\AppData\Local\Temp\nsv644C.tmp\System.dll
        Source: C:\ProgramData\Remcos\remcos.exe | File created: C:\Users\user\AppData\Local\Temp\nsoDBD9.tmp\System.dll
        Source: C:\ProgramData\Remcos\remcos.exe | File created: C:\Users\user\AppData\Local\Temp\nsgAF89.tmp\System.dll
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | File created: C:\ProgramData\Remcos\remcos.exe
        Source: C:\ProgramData\Remcos\remcos.exe | File created: C:\Users\user\AppData\Local\Temp\nsc2507.tmp\System.dll
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | File created: C:\ProgramData\Remcos\remcos.exe

        Boot Survival

        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\ProgramData\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\ProgramData\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\ProgramData\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\ProgramData\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\ProgramData\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\ProgramData\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | API/Special instruction interceptor: Address: 9D2BC5A
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | API/Special instruction interceptor: Address: 4D8BC5A
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | RDTSC instruction interceptor: First address: 9CEDC9F second address: 9CEDC9F instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F646D1FA9E6h 0x00000006 test al, bl 0x00000008 inc ebp 0x00000009 test ah, ch 0x0000000b inc ebx 0x0000000c rdtsc
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | RDTSC instruction interceptor: First address: 4D4DC9F second address: 4D4DC9F instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F646C7DB176h 0x00000006 test al, bl 0x00000008 inc ebp 0x00000009 test ah, ch 0x0000000b inc ebx 0x0000000c rdtsc
        Source: C:\ProgramData\Remcos\remcos.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscFE55.tmp\System.dll
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv644C.tmp\System.dll
        Source: C:\ProgramData\Remcos\remcos.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoDBD9.tmp\System.dll
        Source: C:\ProgramData\Remcos\remcos.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsgAF89.tmp\System.dll
        Source: C:\ProgramData\Remcos\remcos.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc2507.tmp\System.dll
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405475
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_00405E9C FindFirstFileA,FindClose,0_2_00405E9C
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_0040264F FindFirstFileA,0_2_0040264F
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 12_2_0040264F FindFirstFileA,12_2_0040264F
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 12_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,12_2_00405475
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 12_2_00405E9C FindFirstFileA,FindClose,12_2_00405E9C
        Source: C:\ProgramData\Remcos\remcos.exe | Code function: 13_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,13_2_00405475
        Source: C:\ProgramData\Remcos\remcos.exe | Code function: 13_2_00405E9C FindFirstFileA,FindClose,13_2_00405E9C
        Source: C:\ProgramData\Remcos\remcos.exe | Code function: 13_2_0040264F FindFirstFileA,13_2_0040264F
        Source: C:\ProgramData\Remcos\remcos.exe | Code function: 15_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,15_2_00405475
        Source: C:\ProgramData\Remcos\remcos.exe | Code function: 15_2_00405E9C FindFirstFileA,FindClose,15_2_00405E9C
        Source: C:\ProgramData\Remcos\remcos.exe | Code function: 15_2_0040264F FindFirstFileA,15_2_0040264F
        Source: C:\ProgramData\Remcos\remcos.exe | Code function: 16_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,16_2_00405475
        Source: C:\ProgramData\Remcos\remcos.exe | Code function: 16_2_00405E9C FindFirstFileA,FindClose,16_2_00405E9C
        Source: C:\ProgramData\Remcos\remcos.exe | Code function: 16_2_0040264F FindFirstFileA,16_2_0040264F
        Source: C:\ProgramData\Remcos\remcos.exe | Code function: 17_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,17_2_00405475
        Source: C:\ProgramData\Remcos\remcos.exe | Code function: 17_2_00405E9C FindFirstFileA,FindClose,17_2_00405E9C
        Source: C:\ProgramData\Remcos\remcos.exe | Code function: 17_2_0040264F FindFirstFileA,17_2_0040264F
        Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\kabinetssekretr\Idriftstte\Regimentets
        Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\kabinetssekretr\Idriftstte
        Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user
        Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local\kabinetssekretr
        Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData
        Source: C:\ProgramData\Remcos\remcos.exe | File opened: C:\Users\user\AppData\Local
        Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.0000000005641000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$
        Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp, Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.0000000005625000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: Payment slip_pdf.pif.exe, 0000000C.00000002.2108185461.000000000565D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW=A(
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | API call chain: ExitProcess graph end node | graph_0-3917
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | API call chain: ExitProcess graph end node | graph_0-3756
        Source: C:\ProgramData\Remcos\remcos.exe | API call chain: ExitProcess graph end node | graph_13-2815
        Source: C:\ProgramData\Remcos\remcos.exe | API call chain: ExitProcess graph end node | graph_13-2974
        Source: C:\ProgramData\Remcos\remcos.exe | API call chain: ExitProcess graph end node | graph_15-2815
        Source: C:\ProgramData\Remcos\remcos.exe | API call chain: ExitProcess graph end node | graph_15-2974
        Source: C:\ProgramData\Remcos\remcos.exe | API call chain: ExitProcess graph end node | graph_16-2818
        Source: C:\ProgramData\Remcos\remcos.exe | API call chain: ExitProcess graph end node | graph_16-2977
        Source: C:\ProgramData\Remcos\remcos.exe | API call chain: ExitProcess graph end node | graph_17-2920
        Source: C:\ProgramData\Remcos\remcos.exe | API call chain: ExitProcess graph end node | graph_17-3079
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_00405EC3 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405EC3
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process created: C:\Users\user\Desktop\Payment slip_pdf.pif.exe "C:\Users\user\Desktop\Payment slip_pdf.pif.exe"
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Code function: 0_2_00405BBA GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405BBA

        Stealing of Sensitive Information

        Source: Yara match | File source: 0000000C.00000002.2108185461.0000000005671000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Payment slip_pdf.pif.exe PID: 1920, type: MEMORYSTR

        Remote Access Functionality

        Source: C:\Users\user\Desktop\Payment slip_pdf.pif.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-4U257D
        Source: Yara match | File source: 0000000C.00000002.2108185461.0000000005671000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Payment slip_pdf.pif.exe PID: 1920, type: MEMORYSTR
        ATT&CK Matrix

        The matrix is listed per tactic; the number in parentheses is the count the report shows next to that technique (techniques without a number were not matched).

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
        Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd
        Persistence: Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
        Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Login Hook; Network Logon Script
        Defense Evasion: Masquerading (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
        Discovery: Security Software Discovery (31); File and Directory Discovery (4); System Information Discovery (23); System Network Configuration Discovery; Internet Connection Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
        Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging
        Command and Control: Encrypted Channel (11); Remote Access Software (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13)
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
        Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
        Behavior Graph

        Behavior Graph ID: 1638157 | Sample: Payment slip_pdf.pif.exe | Start date: 14/03/2025 | Architecture: WINDOWS | Score: 100
        The graph image is not rendered here; the nodes recovered from its text are:
        - Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Yara detected Remcos RAT; 4 other signatures
        - Processes started at top level: Payment slip_pdf.pif.exe; remcos.exe (three instances)
        - Payment slip_pdf.pif.exe drops C:\Users\user\AppData\Local\...\System.dll (PE32) and starts a second Payment slip_pdf.pif.exe
        - Each top-level remcos.exe instance drops C:\Users\user\AppData\Local\...\System.dll (PE32)
        - The second Payment slip_pdf.pif.exe contacts drive.usercontent.google.com (142.250.186.129, 443, 49725, GOOGLEUS, United States) and drive.google.com (216.58.206.78, 443, 49724, GOOGLEUS, United States), drops C:\ProgramData\Remcos\remcos.exe (PE32), triggers the signatures Detected Remcos RAT and Creates autostart registry keys with suspicious names, and starts remcos.exe
        - That remcos.exe drops C:\Users\user\AppData\Local\...\System.dll (PE32) and triggers Multi AV Scanner detection for dropped file
