Windows Analysis Report
ORIGINAL INVOICE COAU7230734290 pdf.bat.exe

Overview

General Information

Sample name: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
Analysis ID: 1640058
MD5: 9117fe086de9bb304d000560408106e5
SHA1: a5af5ed15a0e7f96ceba428a1bf3822d81a95f6f
SHA256: 2dce3c887b0b2f9bb9f433c429924dbb8b05bc67318ad05b3a739151d67e363d
Tags: exe, user-threatcat_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected Remcos RAT
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
Creates autostart registry keys with suspicious names
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Sample has a suspicious name (potential lure to open the executable)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shut down / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
JA3 SSL client fingerprint seen in connection with other malware
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection

Source: C:\ProgramData\Remcos\remcos.exe ReversingLabs: Detection: 22%
Source: C:\ProgramData\Remcos\remcos.exe Virustotal: Detection: 23%
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Virustotal: Detection: 23%
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe ReversingLabs: Detection: 22%
Source: Yara match File source: 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe PID: 6128, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_00406354 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00406354
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_00406214 FindFirstFileA,FindClose, 0_2_00406214
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_004029DA FindFirstFileA, 0_2_004029DA
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 9_2_00406354 DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 9_2_00406354
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 9_2_00406214 FindFirstFileA,FindClose, 9_2_00406214
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 9_2_004029DA FindFirstFileA, 9_2_004029DA
Source: C:\ProgramData\Remcos\remcos.exe Code function: 14_2_00406354 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 14_2_00406354
Source: C:\ProgramData\Remcos\remcos.exe Code function: 14_2_00406214 FindFirstFileA,FindClose, 14_2_00406214
Source: C:\ProgramData\Remcos\remcos.exe Code function: 14_2_004029DA FindFirstFileA, 14_2_004029DA

Networking

Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49733 -> 196.251.80.28:2404
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49735 -> 196.251.80.28:2404
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49727 -> 142.250.185.78:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49730 -> 142.250.185.206:443
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: remcos.exe, remcos.exe, 0000000E.00000002.2793249084.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe, 0000000E.00000000.2007675389.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe, 0000000F.00000002.2793047460.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe, 0000000F.00000000.2256528109.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, remcos.exe.9.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, remcos.exe.9.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/S
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/k
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1677680771.0000000006500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYGJP
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1631972221.0000000004A5A000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1652528178.0000000004A5A000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.0000000004A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1652528178.0000000004A23000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.0000000004A23000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1631972221.0000000004A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG&export=download
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1631972221.0000000004A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG&export=downloadFB
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1631972221.0000000004A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1fWgBdsqFCpAAZN81IQJKc_PEbkpu8LYG&export=downloadn
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1631972221.0000000004A5A000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1652528178.0000000004A5A000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.0000000004A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/f)
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000003.1592752203.0000000004A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_00404881 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,LdrInitializeThunk,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard, 0_2_00404881

E-Banking Fraud

Source: Yara match File source: 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe PID: 6128, type: MEMORYSTR

System Summary

Source: initial sample Static PE information: Filename: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Static file information: Suspicious name
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_004034CE EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 0_2_004034CE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 9_2_00403519 lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 9_2_00403519
Source: C:\ProgramData\Remcos\remcos.exe Code function: 14_2_004034CE EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 14_2_004034CE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_0040417B 0_2_0040417B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_6EB82288 0_2_6EB82288
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 9_2_0040417B 9_2_0040417B
Source: C:\ProgramData\Remcos\remcos.exe Code function: 14_2_0040417B 14_2_0040417B
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nsd1A26.tmp\System.dll C85142F86E1EC02F7EF8D5BA31B22031DE3DE9A16BCE519D5482B824AFB277EB
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nsg5579.tmp\System.dll C85142F86E1EC02F7EF8D5BA31B22031DE3DE9A16BCE519D5482B824AFB277EB
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000000.00000002.1507179105.00000000007B7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameklummer lothario.exe4 vs ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1654055666.00000000007B7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameklummer lothario.exe4 vs ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.0000000004A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameklum vs ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Binary or memory string: OriginalFilenameklummer lothario.exe4 vs ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/13@4/2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_00403DF4 GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,LdrInitializeThunk,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,EnableWindow, 0_2_00403DF4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_00402300 LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk, 0_2_00402300
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe File created: C:\Users\user\Videos\Kolorer131
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-4U257D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe File created: C:\Users\user\AppData\Local\Temp\nss4EC6.tmp
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Virustotal: Detection: 23%
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe File read: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe
Source: unknown Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: userenv.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: propsys.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: dwmapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: oleacc.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: shfolder.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: riched20.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: usp10.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: msls31.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textinputframework.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textshaping.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: userenv.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: propsys.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: riched20.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: usp10.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: msls31.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: userenv.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: propsys.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: riched20.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: usp10.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: msls31.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000000.00000002.1534421307.00000000067BC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2759956391.00000000066BC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_6EB82288 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_6EB82288
Source: C:\ProgramData\Remcos\remcos.exe File created: C:\Users\user\AppData\Local\Temp\nsg5579.tmp\System.dll Jump to dropped file
Source: C:\ProgramData\Remcos\remcos.exe File created: C:\Users\user\AppData\Local\Temp\nssA4F1.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe File created: C:\ProgramData\Remcos\remcos.exe Jump to dropped file
Source: C:\ProgramData\Remcos\remcos.exe File created: C:\Users\user\AppData\Local\Temp\nsd1A26.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe File created: C:\Users\user\AppData\Local\Temp\nsi4F73.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe File created: C:\ProgramData\Remcos\remcos.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-4U257D Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe API/Special instruction interceptor: Address: 685503A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe API/Special instruction interceptor: Address: 301503A
Source: C:\ProgramData\Remcos\remcos.exe API/Special instruction interceptor: Address: 675503A
Source: C:\ProgramData\Remcos\remcos.exe API/Special instruction interceptor: Address: 301503A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe RDTSC instruction interceptor: First address: 6814C39 second address: 6814C39 instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007FB129233DAFh
    0x00000006 test dx, ax
    0x00000009 inc ebp
    0x0000000a test bl, FFFFFFECh
    0x0000000d inc ebx
    0x0000000e cmp eax, 1CBCAFA4h
    0x00000013 rdtsc
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe RDTSC instruction interceptor: First address: 2FD4C39 second address: 2FD4C39 instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007FB129233B7Fh
    0x00000006 test dx, ax
    0x00000009 inc ebp
    0x0000000a test bl, FFFFFFECh
    0x0000000d inc ebx
    0x0000000e cmp eax, 1CBCAFA4h
    0x00000013 rdtsc
Source: C:\ProgramData\Remcos\remcos.exe RDTSC instruction interceptor: First address: 6714C39 second address: 6714C39 instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007FB129233DAFh
    0x00000006 test dx, ax
    0x00000009 inc ebp
    0x0000000a test bl, FFFFFFECh
    0x0000000d inc ebx
    0x0000000e cmp eax, 1CBCAFA4h
    0x00000013 rdtsc
Source: C:\ProgramData\Remcos\remcos.exe RDTSC instruction interceptor: First address: 2FD4C39 second address: 2FD4C39 instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007FB129233B7Fh
    0x00000006 test dx, ax
    0x00000009 inc ebp
    0x0000000a test bl, FFFFFFECh
    0x0000000d inc ebx
    0x0000000e cmp eax, 1CBCAFA4h
    0x00000013 rdtsc
Source: C:\ProgramData\Remcos\remcos.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg5579.tmp\System.dll Jump to dropped file
Source: C:\ProgramData\Remcos\remcos.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssA4F1.tmp\System.dll Jump to dropped file
Source: C:\ProgramData\Remcos\remcos.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsd1A26.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi4F73.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Evaded block: after key decision
Source: C:\ProgramData\Remcos\remcos.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_00406354 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00406354
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_00406214 FindFirstFileA,FindClose, 0_2_00406214
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_004029DA FindFirstFileA, 0_2_004029DA
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 9_2_00406354 DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 9_2_00406354
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 9_2_00406214 FindFirstFileA,FindClose, 9_2_00406214
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 9_2_004029DA FindFirstFileA, 9_2_004029DA
Source: C:\ProgramData\Remcos\remcos.exe Code function: 14_2_00406354 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 14_2_00406354
Source: C:\ProgramData\Remcos\remcos.exe Code function: 14_2_00406214 FindFirstFileA,FindClose, 14_2_00406214
Source: C:\ProgramData\Remcos\remcos.exe Code function: 14_2_004029DA FindFirstFileA, 14_2_004029DA
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.00000000049A8000.00000004.00000020.00020000.00000000.sdmp, ORIGINAL INVOICE COAU7230734290 pdf.bat.exe, 00000009.00000002.1673415355.0000000004A08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Remcos\remcos.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_0040154A PostQuitMessage,LdrInitializeThunk,Sleep,SetForegroundWindow,LdrInitializeThunk,ShowWindow,ShowWindow,ShowWindow,SetFileAttributesA,GetFileAttributesA,SetCurrentDirectoryA,MoveFileA,GetFullPathNameA,GetShortPathNameA,SearchPathA,lstrcatA,CompareFileTime,LdrInitializeThunk,SetFileTime,CloseHandle,lstrcatA, 0_2_0040154A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_6EB82288 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_6EB82288
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe" Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe" Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Code function: 0_2_004034CE EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,DeleteFileA,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 0_2_004034CE

Stealing of Sensitive Information

Source: Yara match File source: 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe PID: 6128, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734290 pdf.bat.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-4U257D Jump to behavior
Source: Yara match File source: 00000009.00000002.1673415355.00000000049E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORIGINAL INVOICE COAU7230734290 pdf.bat.exe PID: 6128, type: MEMORYSTR
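The Boot Survival entries (Run values named Rmc-4U257D under HKCU and under the HKLM WOW6432Node hive, written by the process that also dropped C:\ProgramData\Remcos\remcos.exe) and the Rmc-4U257D mutex recorded under Remote Access Functionality are the artefacts a responder checks for on other hosts. The PowerShell below is an added triage example written for this page; it is not part of the Joe Sandbox report or of the sample. The value name, the dropped path and the mutex name come from this report. Everything else is assumed: the function name, matching on the prefix Rmc-* rather than the exact ID (Remcos builds differ only in the operator-chosen ID after the prefix), and a check of the native HKLM Run key, which this report did not see written.

```powershell
# Added example for this page (not from the Joe Sandbox report or the sample):
# turn the persistence and mutex artefacts listed above into a host triage check.
# From the report: Run value Rmc-4U257D, path C:\ProgramData\Remcos\remcos.exe,
# mutex Rmc-4U257D. Assumed: function name, the Rmc-* prefix match, and the
# extra native HKLM Run key.
function Find-RemcosPersistence {
    [CmdletBinding()]
    param(
        [string]$ValueNamePattern = 'Rmc-*',
        [string]$PayloadPath      = 'C:\ProgramData\Remcos\remcos.exe',
        [string]$MutexName        = 'Rmc-4U257D'
    )

    $runKeys = @(
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # assumed, not in report
    )

    # 1. Run values: flag a match on the value name or on data naming the payload.
    $findings = @(foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }       # PSPath, PSProvider, ...
            $byName = $prop.Name -like $ValueNamePattern
            $byData = ("$($prop.Value)" -like "*$PayloadPath*")
            if (-not ($byName -or $byData)) { continue }
            $reason = 'value data references payload path'
            if ($byName) { $reason = "value name matches $ValueNamePattern" }
            [pscustomobject]@{
                Kind   = 'RunValue'
                Where  = $key
                Name   = $prop.Name
                Detail = "$($prop.Value)"
                Reason = $reason
            }
        }
    })

    # 2. Dropped payload still on disk: record its hash for correlation.
    if (Test-Path -LiteralPath $PayloadPath -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $PayloadPath -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Kind   = 'DroppedFile'
            Where  = (Split-Path $PayloadPath)
            Name   = (Split-Path $PayloadPath -Leaf)
            Detail = "SHA256 $hash"
            Reason = 'payload path from report exists'
        }
    }

    # 3. Live instances of the payload (Path can throw for protected processes).
    foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
        try { $procPath = $proc.Path } catch { $procPath = $null }
        if ($procPath -and ($procPath -ieq $PayloadPath)) {
            $findings += [pscustomobject]@{
                Kind   = 'Process'
                Where  = "PID $($proc.Id)"
                Name   = $proc.ProcessName
                Detail = $procPath
                Reason = 'payload executing'
            }
        }
    }

    # 4. Mutex: OpenExisting succeeds only while a process in this session holds it.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($MutexName)
        $m.Dispose()
        $findings += [pscustomobject]@{
            Kind   = 'Mutex'
            Where  = 'session BaseNamedObjects'
            Name   = $MutexName
            Detail = ''
            Reason = 'mutex currently held by a live process'
        }
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Not present: nothing to report.
    } catch [System.UnauthorizedAccessException] {
        # Exists but belongs to another security context: still evidence.
        $findings += [pscustomobject]@{
            Kind   = 'Mutex'
            Where  = 'session BaseNamedObjects'
            Name   = $MutexName
            Detail = ''
            Reason = 'mutex exists (access denied)'
        }
    }

    return $findings
}

Find-RemcosPersistence | Format-Table -AutoSize
```

Run it in the interactive session of the user who opened the lure: the HKCU Run value lives in that user's hive, and the report shows the mutex under \Sessions\1\BaseNamedObjects, so a check from another session or from a service context will not see it. The Rmc-* prefix match is deliberately broad and can pick up unrelated software; treat a hit as a lead to confirm against the value data and the dropped file, not as a verdict on its own.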