Windows Analysis Report
nvtoaowsdkrthja.exe

Overview

General Information

Sample name: nvtoaowsdkrthja.exe
Analysis ID: 1639460
MD5: 01967ccbacb4b490ce4115c92c25bdcc
SHA1: e50b4a140aeebef17d61169e86032d0834fedbf3
SHA256: 4896f29c189d4c177029dc1c9e5a8e916bbf72146a405417b65eedee90f994a7
Tags: exeRemcosRATuser-aachum
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Joe Sandbox ML detected suspicious sample
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: nvtoaowsdkrthja.exe Avira: detected
Found malware configuration
Source: nvtoaowsdkrthja.exe Malware Configuration Extractor: Remcos {"Host:Port:Password": ["193.124.47.250:9323:0", "angelasdw12394.ru:9323:0", "angela2qwdw394.ru:9323:0", "angela2q32fds94.ru:9323:0", "angeladwedwefds94.ru:9323:0", "angeladwqwe94.ru:9323:0", "angel234se94.ru:9323:1"], "Assigned name": "svhostd", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "6\u0004C\u0004@\u0004=\u00040\u0004;\u0004K\u0004.\u0000d\u0000a\u0000t", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Multi AV Scanner detection for submitted file
Source: nvtoaowsdkrthja.exe Virustotal: Detection: 75% Perma Link
Source: nvtoaowsdkrthja.exe ReversingLabs: Detection: 86%
Yara detected Remcos RAT
Source: Yara match File source: nvtoaowsdkrthja.exe, type: SAMPLE
Source: Yara match File source: 0.2.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.852857645.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3319209365.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nvtoaowsdkrthja.exe PID: 7052, type: MEMORYSTR
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0042B8A7 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_0042B8A7
Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319209365.000000000044D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_75e64847-0
Uses 32bit PE files
Source: nvtoaowsdkrthja.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00408047 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_00408047
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00408262 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_00408262
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_004412B9 FindFirstFileExA, 0_2_004412B9
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0040734E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040734E
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0040779C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040779C
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00405CF7 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_00405CF7
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00404D5C FindFirstFileW,FindNextFileW, 0_2_00404D5C
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00414E56 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 0_2_00414E56
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00405183 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00405183

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.7:49681 -> 193.124.47.250:9323
Source: Network traffic Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 193.124.47.250:9323 -> 192.168.2.7:49681
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: angelasdw12394.ru
Source: Malware configuration extractor URLs: angela2qwdw394.ru
Source: Malware configuration extractor URLs: angela2q32fds94.ru
Source: Malware configuration extractor URLs: angeladwedwefds94.ru
Source: Malware configuration extractor URLs: angeladwqwe94.ru
Source: Malware configuration extractor URLs: angel234se94.ru
Source: Malware configuration extractor IPs: 193.124.47.250
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49681 -> 193.124.47.250:9323
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-REGRU AS-REGRU
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49682 -> 178.237.33.50:80
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown TCP traffic detected without corresponding DNS query: 193.124.47.250
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_004140CF InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_004140CF
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000727000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000701000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000727000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: nvtoaowsdkrthja.exe String found in binary or memory: http://geoplugin.net/json.gp/C
Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000727000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000727000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp?
Source: nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000701000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000701000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpA
Source: nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000701000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000701000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000727000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000727000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpg
Source: nvtoaowsdkrthja.exe, 00000000.00000003.869154496.0000000000701000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000701000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gps
Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.00000000006CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp~
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00410027 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_00410027
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00410027 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_00410027
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00410027 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_00410027

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: nvtoaowsdkrthja.exe, type: SAMPLE
Source: Yara match File source: 0.2.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.852857645.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3319209365.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nvtoaowsdkrthja.exe PID: 7052, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00415440 SystemParametersInfoW, 0_2_00415440

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: nvtoaowsdkrthja.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00414791 OpenProcess,NtSuspendProcess,CloseHandle, 0_2_00414791
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_004147BD OpenProcess,NtResumeProcess,CloseHandle, 0_2_004147BD
Detected potential crypto function
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0043107D 0_2_0043107D
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0043712B 0_2_0043712B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00420232 0_2_00420232
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00420375 0_2_00420375
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00438380 0_2_00438380
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00446489 0_2_00446489
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00431495 0_2_00431495
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0041F69D 0_2_0041F69D
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0041672B 0_2_0041672B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_004318CA 0_2_004318CA
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0042E900 0_2_0042E900
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0042B9B2 0_2_0042B9B2
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0044BB70 0_2_0044BB70
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00430B81 0_2_00430B81
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0041FB94 0_2_0041FB94
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0040DC0B 0_2_0040DC0B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00417CE2 0_2_00417CE2
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00431CFF 0_2_00431CFF
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00445D6B 0_2_00445D6B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00447DB3 0_2_00447DB3
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0042DE5B 0_2_0042DE5B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00436EFC 0_2_00436EFC
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: String function: 0042C55C appears 36 times
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: String function: 0042CE30 appears 50 times
Uses 32bit PE files
Source: nvtoaowsdkrthja.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: nvtoaowsdkrthja.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: classification engine Classification label: mal100.rans.troj.spyw.winEXE@1/1@1/2
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00411046 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_00411046
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0040AA69 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0040AA69
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_004141F4 FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_004141F4
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_004134DF OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_004134DF
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\json[1].json Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Mutant created: \Sessions\1\BaseNamedObjects\ -TEM3DH
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: `ln 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: `ln 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: -Sys 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: Software\ 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: xm 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: Pqm 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: xm 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: xm 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: Exe 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: Exe 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: `ln 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: licence 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: xm 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: System 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: Administrator 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: User 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: xm 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: del 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: del 0_2_0040A34B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Command line argument: del 0_2_0040A34B
Source: nvtoaowsdkrthja.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: nvtoaowsdkrthja.exe Virustotal: Detection: 75%
Source: nvtoaowsdkrthja.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: nvtoaowsdkrthja.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: nvtoaowsdkrthja.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: nvtoaowsdkrthja.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: nvtoaowsdkrthja.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nvtoaowsdkrthja.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: nvtoaowsdkrthja.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: nvtoaowsdkrthja.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nvtoaowsdkrthja.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nvtoaowsdkrthja.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nvtoaowsdkrthja.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nvtoaowsdkrthja.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nvtoaowsdkrthja.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_004155E6 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_004155E6
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0044B538 push eax; ret 0_2_0044B556
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0044ACD6 push ecx; ret 0_2_0044ACE9
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0042CE76 push ecx; ret 0_2_0042CE89
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00404AA4 ShellExecuteW,URLDownloadToFileW, 0_2_00404AA4
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_004134DF OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_004134DF
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_004155E6 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_004155E6
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_0041320D
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Window / User API: threadDelayed 4272 Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Window / User API: threadDelayed 5718 Jump to behavior
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe TID: 7096 Thread sleep count: 4272 > 30 Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe TID: 7096 Thread sleep time: -12816000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe TID: 7096 Thread sleep count: 5718 > 30 Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe TID: 7096 Thread sleep time: -17154000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00408047 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_00408047
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00408262 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_00408262
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_004412B9 FindFirstFileExA, 0_2_004412B9
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0040734E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040734E
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0040779C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040779C
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00405CF7 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_00405CF7
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00404D5C FindFirstFileW,FindNextFileW, 0_2_00404D5C
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00414E56 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 0_2_00414E56
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00405183 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00405183
Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.00000000006CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: nvtoaowsdkrthja.exe, 00000000.00000003.869226064.0000000000742000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000742000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_004327AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004327AC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_004155E6 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_004155E6
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00439723 mov eax, dword ptr fs:[00000030h] 0_2_00439723
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0040D17F GetProcessHeap,HeapFree, 0_2_0040D17F
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_004327AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004327AC
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0042CC81 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0042CC81
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0042CDCF SetUnhandledExceptionFilter, 0_2_0042CDCF
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0042CFF6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0042CFF6
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0041286C mouse_event, 0_2_0041286C
Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.000000000073A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.000000000073A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager_
Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.0000000000727000.00000004.00000020.00020000.00000000.sdmp, nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.000000000073A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: nvtoaowsdkrthja.exe, 00000000.00000002.3319523290.000000000073A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerZ
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_0041455E cpuid 0_2_0041455E
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: GetLocaleInfoA, 0_2_0040AA3D
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00445050
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: EnumSystemLocalesW, 0_2_0043D715
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00444718
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: GetLocaleInfoA,AllocConsole,AllocConsole,AllocConsole,ExpandEnvironmentStringsA,AllocConsole,ExpandEnvironmentStringsA,AllocConsole, 0_2_0040C892
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: EnumSystemLocalesW, 0_2_004449DB
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: EnumSystemLocalesW, 0_2_00444990
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: EnumSystemLocalesW, 0_2_00444A76
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00444B03
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: GetLocaleInfoW, 0_2_0043DB9B
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: GetLocaleInfoW, 0_2_00444D53
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00444E7C
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: GetLocaleInfoW, 0_2_00444F83
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00401DD5 GetLocalTime,CreateEventA,CreateThread, 0_2_00401DD5
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: 0_2_00414359 CreateThread,GetComputerNameExW,GetUserNameW, 0_2_00414359

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: nvtoaowsdkrthja.exe, type: SAMPLE
Source: Yara match File source: 0.2.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.852857645.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3319209365.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nvtoaowsdkrthja.exe PID: 7052, type: MEMORYSTR
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_00407F29
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_00408047
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: \key3.db 0_2_00408047

Remote Access Functionality
barindex
Yara detected Remcos RAT
Source: Yara match File source: nvtoaowsdkrthja.exe, type: SAMPLE
Source: Yara match File source: 0.2.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.nvtoaowsdkrthja.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.852857645.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3319209365.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nvtoaowsdkrthja.exe PID: 7052, type: MEMORYSTR
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Users\user\Desktop\nvtoaowsdkrthja.exe Code function: cmd.exe 0_2_00403B74