

Analysis Report Pdf Document.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 220999
Start date: 07.04.2020
Start time: 22:09:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 15s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Pdf Document.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@29/8@7/3
EGA Information:
  • Successful, ratio: 85.7%
HDC Information:
  • Successful, ratio: 85.9% (good quality ratio 84.1%)
  • Quality average: 84.6%
  • Quality standard deviation: 24.1%
HCA Information:
  • Successful, ratio: 85%
  • Number of executed functions: 206
  • Number of non-executed functions: 291
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 216.58.207.46, 2.18.68.82, 2.20.143.16, 2.20.143.23
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, audownload.windowsupdate.nsatc.net, drive.google.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Execution Graph export aborted for target mshta.exe, PID 4076 because there are no executed functions
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Remcos | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Spearphishing Link1 | Scripting1 | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | Software Packing31 | Credential Dumping1 | System Time Discovery1 | Remote File Copy1 | Data from Local System1 | Data Encrypted1 | Uncommonly Used Port1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Execution through API1 | Scheduled Task1 | Process Injection112 | Deobfuscate/Decode Files or Information1 | Credentials in Files1 | Account Discovery1 | Remote Services | Email Collection11 | Exfiltration Over Other Network Medium | Remote File Copy1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Graphical User Interface1 | Application Shimming1 | Scheduled Task1 | Scripting1 | Input Capture11 | Security Software Discovery221 | Windows Remote Management | Input Capture11 | Automated Exfiltration | Standard Cryptographic Protocol12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Command-Line Interface1 | System Firmware | Application Shimming1 | Obfuscated Files or Information2 | Credentials in Registry2 | File and Directory Discovery2 | Logon Scripts | Clipboard Data2 | Data Encrypted | Remote Access Tools1 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Scheduled Task1 | Shortcut Modification | File System Permissions Weakness | Masquerading111 | Account Manipulation | System Information Discovery38 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Non-Application Layer Protocol2 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Modify Registry1 | Brute Force | Virtualization/Sandbox Evasion1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Standard Application Layer Protocol13 | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Virtualization/Sandbox Evasion1 | Two-Factor Authentication Interception | Process Discovery4 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation1 | Bash History | Application Window Discovery11 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection112 | Input Prompt | System Owner/User Discovery1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | Remote System Discovery1 | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | | | Data Encrypted for Impact

Signature Overview



AV Detection:

Found malware configuration
Source: Pdf Document.exe.5108.0.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: u864246.nsupdate.info | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Cuytcex.exe | Virustotal: Detection: 16%
Source: C:\Users\Public\Cuytcex.exe | ReversingLabs: Detection: 12%
Source: C:\Users\Public\Cuytnet.exe | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: Pdf Document.exe | ReversingLabs: Detection: 12%
Yara detected Remcos RAT
Source: Yara match | File source: 00000011.00000002.919210054.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1216946067.0000000004340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.919539941.0000000004370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.904625962.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1209151390.0000000002CA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.905140966.0000000004390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pdf Document.exe PID: 5108, type: MEMORY
Source: Yara match | File source: Process Memory Space: Cuytcex.exe PID: 1836, type: MEMORY
Source: Yara match | File source: Process Memory Space: Cuytcex.exe PID: 2416, type: MEMORY
Source: Yara match | File source: 17.2.Cuytcex.exe.3090000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pdf Document.exe.4340000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pdf Document.exe.4340000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Cuytcex.exe.4390000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Cuytcex.exe.3090000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Cuytcex.exe.4370000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Cuytcex.exe.2c90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pdf Document.exe.2ca0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pdf Document.exe.2ca0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Cuytcex.exe.4390000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Cuytcex.exe.2c90000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Cuytcex.exe.4370000.9.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Pdf Document.exe.4340000.9.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 17.2.Cuytcex.exe.3090000.6.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 0.2.Pdf Document.exe.2ca0000.7.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 14.2.Cuytcex.exe.2c90000.6.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 14.2.Cuytcex.exe.4390000.9.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 17.2.Cuytcex.exe.4370000.9.unpack | Avira: Label: BDS/Backdoor.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00409074 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime | 0_2_00409074
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00405B20 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn | 0_2_00405B20
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_0040A1A7 FindFirstFileW,FindNextFileW | 8_2_0040A1A7
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_0040A1A7 FindFirstFileW,FindNextFileW | 8_1_0040A1A7
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen | 9_2_00407898
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 10_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen | 10_2_0040702D
Source: C:\Users\Public\Cuytnet.exe | Code function: 13_2_00404320 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn | 13_2_00404320
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_00409074 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime | 14_2_00409074
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_00405B20 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn | 14_2_00405B20

Networking:

Connects to a URL shortener service
Source: unknown | DNS query: name: is.gd
Source: unknown | DNS query: name: is.gd
Source: unknown | DNS query: name: is.gd
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49752 -> 185.140.53.21:2404
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 172.217.23.97 172.217.23.97
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET /TGKGYYYYZ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: is.gd
Source: global traffic | HTTP traffic detected: GET /TGKGYYYYZ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: is.gd
Source: global traffic | HTTP traffic detected: GET /TGKGYYYYZ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: is.gd
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /TGKGYYYYZ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: is.gd
Source: global traffic | HTTP traffic detected: GET /TGKGYYYYZ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: is.gd
Source: global traffic | HTTP traffic detected: GET /TGKGYYYYZ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: is.gd
Found strings which match to known social media urls
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: *.google.com.au*.google.com.br*.google.com.co*.google.com.mx*.google.com.tr*.google.com.vn*.google.de*.google.es*.google.fr*.google.hu*.google.it*.google.nl*.google.pl*.google.pt*.googleadapis.com*.googleapis.cn*.googlecnapps.cn*.googlecommerce.com*.googlevideo.com*.gstatic.cn*.gstatic.com*.gstaticcnapps.cn*.gvt1.com*.gvt2.com*.metric.gstatic.com*.urchin.com*.url.google.com*.wear.gkecnapps.cn*.youtube-nocookie.com*.youtube.com*.youtubeeducation.com*.youtubekids.com*.yt.be*.ytimg.comandroid.clients.google.comandroid.comdeveloper.android.google.cndevelopers.android.google.cng.coggpht.cngkecnapps.cngoo.glgoogle-analytics.comgoogle.comgooglecnapps.cngooglecommerce.comsource.android.google.cnurchin.comwww.goo.glyoutu.beyoutube.comyoutubeeducation.comyoutubekids.comyt.beooRm equals www.youtube.com (Youtube)
Source: Pdf Document.exe, 00000000.00000003.847702090.0000000005111000.00000004.00000001.sdmp, Pdf Document.exe, 00000008.00000002.846510124.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Pdf Document.exe, 00000000.00000003.847702090.0000000005111000.00000004.00000001.sdmp, Pdf Document.exe, 00000008.00000002.846510124.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Pdf Document.exe, 00000009.00000002.845249992.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: Pdf Document.exe, 00000008.00000003.845815726.0000000000930000.00000004.00000001.sdmp | String found in binary or memory: file://192.168.2.1/all/install/schedule.txthttps://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Pdf Document.exe, 00000008.00000003.845815726.0000000000930000.00000004.00000001.sdmp | String found in binary or memory: file://192.168.2.1/all/install/schedule.txthttps://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Pdf Document.exe, 00000008.00000003.845014939.0000000000930000.00000004.00000001.sdmp | String found in binary or memory: file://192.168.2.1/all/install/schedule.txthttps://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginpe equals www.facebook.com (Facebook)
Source: Pdf Document.exe, 00000008.00000003.845014939.0000000000930000.00000004.00000001.sdmp | String found in binary or memory: file://192.168.2.1/all/install/schedule.txthttps://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginpe equals www.yahoo.com (Yahoo)
Source: Pdf Document.exe | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: Pdf Document.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: is.gd
Urls found in memory or binary data
Source: Cuytcex.exe, 00000011.00000003.914001157.0000000000669000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudFlareIncECCCA-2.crt0
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Cuytcex.exe, 00000011.00000003.914001157.0000000000669000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudFlareIncECCCA2.crl06
Source: Cuytcex.exe, 00000011.00000003.914001157.0000000000669000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: Cuytcex.exe, 00000011.00000003.914001157.0000000000669000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudFlareIncECCCA2.crl0L
Source: Pdf Document.exe, 00000000.00000002.1207513715.0000000002210000.00000004.00000001.sdmp, Cuytcex.exe, 0000000E.00000002.902121412.00000000021F0000.00000004.00000001.sdmp, Cuytcex.exe, 00000011.00000002.915605680.00000000021D0000.00000004.00000001.sdmp | String found in binary or memory: http://is.gd/TGKGYYY$
Source: Pdf Document.exe, 00000000.00000002.1207513715.0000000002210000.00000004.00000001.sdmp, Cuytcex.exe, 0000000E.00000002.902121412.00000000021F0000.00000004.00000001.sdmp, Cuytcex.exe, 00000011.00000002.915605680.00000000021D0000.00000004.00000001.sdmp | String found in binary or memory: http://is.gd/TGKGYYY$C
Source: Pdf Document.exe, 00000000.00000002.1207513715.0000000002210000.00000004.00000001.sdmp, Cuytcex.exe, 0000000E.00000002.902121412.00000000021F0000.00000004.00000001.sdmp, Cuytcex.exe, 00000011.00000002.915605680.00000000021D0000.00000004.00000001.sdmp | String found in binary or memory: http://is.gd/TGKGYYYYZ
Source: Pdf Document.exe | String found in binary or memory: http://mvc2006.narod.ru
Source: Pdf Document.exe | String found in binary or memory: http://mvc2006.narod.ruopen
Source: Cuytcex.exe, 00000011.00000003.914001157.0000000000669000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: Cuytcex.exe, 00000011.00000003.914001157.0000000000669000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o10
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: Pdf Document.exe | String found in binary or memory: http://www.ebuddy.com
Source: Pdf Document.exe | String found in binary or memory: http://www.imvu.com
Source: Pdf Document.exe, 00000009.00000002.845249992.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Pdf Document.exe, 00000009.00000002.845249992.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.imvu.comr
Source: Pdf Document.exe, 00000009.00000002.846003516.000000000090B000.00000004.00000040.sdmp | String found in binary or memory: http://www.imvu.comta
Source: Pdf Document.exe, 00000008.00000002.846425516.0000000000192000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: Pdf Document.exe, Pdf Document.exe, 0000000A.00000002.844481960.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/Persistent-AuthWWW-AuthenticateAccept-EncodingVaryNID=
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: https://doc-14-04-docs.googleusercontent.com/
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: https://doc-14-04-docs.googleusercontent.com/%WO
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp, Cuytcex.exe, 00000011.00000002.915193002.0000000000638000.00000004.00000020.sdmp | String found in binary or memory: https://doc-14-04-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/63taunaj
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp, Cuytcex.exe, 00000011.00000002.915193002.0000000000638000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/u/0/uc?id=1oiXhaAX3zkO54_iyPBRHg-xFx0TqSwBL&export=download
Source: Cuytcex.exe, 00000011.00000003.913659730.0000000000676000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/u/0/uc?id=1oiXhaAX3zkO54_iyPBRHg-xFx0TqSwBL&export=download/
Source: Cuytcex.exe, 00000011.00000002.915193002.0000000000638000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/u/0/uc?id=1oiXhaAX3zkO54_iyPBRHg-xFx0TqSwBL&export=downloadG
Source: Cuytcex.exe, 00000011.00000002.915193002.0000000000638000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/u/0/uc?id=1oiXhaAX3zkO54_iyPBRHg-xFx0TqSwBL&export=downloado
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/u/0/uc?id=1oiXhaAX3zkO54_iyPBRHg-xFx0TqSwBL&export=downloadv0
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com0
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: https://google.com/
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: https://is.gd/TGKGYYYYZ
Source: Pdf Document.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: Cuytcex.exe, 00000011.00000003.914001157.0000000000669000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: Pdf Document.exe | String found in binary or memory: https://www.google.com
Source: Pdf Document.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_0040FDCB OpenClipboard,GetLastError,DeleteFileW | 8_2_0040FDCB
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00424B0C GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader | 0_2_00424B0C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0043B444 GetKeyboardState | 0_2_0043B444

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match | File source: 00000011.00000002.919210054.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1216946067.0000000004340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.919539941.0000000004370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.904625962.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1209151390.0000000002CA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.905140966.0000000004390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pdf Document.exe PID: 5108, type: MEMORY
Source: Yara match | File source: Process Memory Space: Cuytcex.exe PID: 1836, type: MEMORY
Source: Yara match | File source: Process Memory Space: Cuytcex.exe PID: 2416, type: MEMORY
Source: Yara match | File source: 17.2.Cuytcex.exe.3090000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pdf Document.exe.4340000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pdf Document.exe.4340000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Cuytcex.exe.4390000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Cuytcex.exe.3090000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Cuytcex.exe.4370000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Cuytcex.exe.2c90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pdf Document.exe.2ca0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pdf Document.exe.2ca0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Cuytcex.exe.4390000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Cuytcex.exe.2c90000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Cuytcex.exe.4370000.9.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000011.00000002.919210054.0000000003090000.00000004.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.919210054.0000000003090000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 00000000.00000002.1216946067.0000000004340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.1216946067.0000000004340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 00000011.00000002.919539941.0000000004370000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.919539941.0000000004370000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 0000000E.00000002.904625962.0000000002C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.904625962.0000000002C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 00000000.00000002.1209151390.0000000002CA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.1209151390.0000000002CA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 0000000A.00000002.844481960.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000E.00000002.905140966.0000000004390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.905140966.0000000004390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
Source: 17.2.Cuytcex.exe.3090000.6.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.Cuytcex.exe.3090000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 10.2.Pdf Document.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.Pdf Document.exe.4340000.9.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Pdf Document.exe.4340000.9.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.Pdf Document.exe.4340000.9.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Pdf Document.exe.4340000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 14.2.Cuytcex.exe.4390000.9.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.Cuytcex.exe.4390000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 17.2.Cuytcex.exe.3090000.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.Cuytcex.exe.3090000.6.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 17.2.Cuytcex.exe.4370000.9.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.Cuytcex.exe.4370000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 14.2.Cuytcex.exe.2c90000.6.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.Cuytcex.exe.2c90000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.Pdf Document.exe.2ca0000.7.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Pdf Document.exe.2ca0000.7.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.Pdf Document.exe.2ca0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Pdf Document.exe.2ca0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 14.2.Cuytcex.exe.4390000.9.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.Cuytcex.exe.4390000.9.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 14.2.Cuytcex.exe.2c90000.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.Cuytcex.exe.2c90000.6.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 17.2.Cuytcex.exe.4370000.9.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.Cuytcex.exe.4370000.9.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Pdf Document.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0043E3D4 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00459BDC NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0045A380 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0044E448 GetSubMenu,SaveDC,RestoreDC,7337B080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0045A430 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00431F38 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_00402CAC NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_00402D66 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 10_2_00401808 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 10_2_0040174E NtdllDefWindowProc_A
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_0043E3D4 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_00459BDC NtdllDefWindowProc_A
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_0045A380 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_0044E448 GetSubMenu,SaveDC,RestoreDC,7337B080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_0045A430 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_00431F38 NtdllDefWindowProc_A
Detected potential crypto function
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0045408C
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0044E448
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_004360CE
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_0040509C
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_00405199
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_0043C2D0
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_00440406
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_0040451D
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_004045FF
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_0040458E
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_00404690
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_00414A51
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_00404C08
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_00406C8E
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_00415DF3
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_00416E5C
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_00410FE4
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_004360CE
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_0040509C
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_00405199
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_0043C2D0
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_00440406
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_0040451D
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_004045FF
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_0040458E
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_00404690
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_00414A51
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_00404C08
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_00406C8E
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_004050C2
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_004014AB
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_00405133
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_004051A4
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_00401246
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_0040CA46
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_00405235
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_004032C8
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_004222D9
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_00401689
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_00402F60
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_1_004222D9
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 10_2_00404DE5
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 10_2_00404E56
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 10_2_00404EC7
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 10_2_00404F58
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 10_2_0040BF6B
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_0045408C
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_0044E448
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_02C911B0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: String function: 00444C5E appears 36 times
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: String function: 0040924D appears 62 times
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: String function: 004166E8 appears 65 times
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: String function: 00416A91 appears 172 times
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: String function: 00445190 appears 70 times
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: String function: 00406BF0 appears 61 times
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: String function: 00416849 appears 121 times
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: String function: 00444C70 appears 39 times
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: String function: 00412084 appears 39 times
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: String function: 00404774 appears 75 times
Source: C:\Users\Public\Cuytcex.exe | Code function: String function: 00406BF0 appears 61 times
Source: C:\Users\Public\Cuytcex.exe | Code function: String function: 02CA532E appears 47 times
Source: C:\Users\Public\Cuytcex.exe | Code function: String function: 00404774 appears 75 times
PE file contains strange resources
Source: Pdf Document.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Cuytcex.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Pdf Document.exe, 00000000.00000003.847846983.00000000051B1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs Pdf Document.exe
Source: Pdf Document.exe, 00000000.00000002.1209043698.0000000002BF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Pdf Document.exe
Source: Pdf Document.exe, 00000000.00000002.1208998662.0000000002AA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Pdf Document.exe
Source: Pdf Document.exe, 00000000.00000002.1216873444.0000000004310000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs Pdf Document.exe
Source: Pdf Document.exe, 00000000.00000002.1208949643.0000000002A80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs Pdf Document.exe
Source: Pdf Document.exe, 00000000.00000002.1207088321.0000000000640000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Pdf Document.exe
Source: Pdf Document.exe, 00000000.00000002.1208965742.0000000002A90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs Pdf Document.exe
Source: Pdf Document.exe | Binary or memory string: OriginalFileName vs Pdf Document.exe
Source: Pdf Document.exe | Binary or memory string: OriginalFilename vs Pdf Document.exe
Source: Pdf Document.exe, 00000009.00000001.842822358.0000000000422000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs Pdf Document.exe
Searches for the Microsoft Outlook file path
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Uses reg.exe to modify the Windows registry
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Yara signature match
Source: 00000011.00000002.919210054.0000000003090000.00000004.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.919210054.0000000003090000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000011.00000002.919347843.0000000004320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
Source: 00000000.00000002.1216946067.0000000004340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.1216946067.0000000004340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000011.00000002.919539941.0000000004370000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.919539941.0000000004370000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000000E.00000002.904625962.0000000002C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.904625962.0000000002C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000000.00000002.1209151390.0000000002CA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.1209151390.0000000002CA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000000E.00000002.904932329.0000000004340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
Source: 0000000A.00000002.844481960.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000000E.00000002.905140966.0000000004390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.905140966.0000000004390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 17.2.Cuytcex.exe.3090000.6.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.Cuytcex.exe.3090000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 10.2.Pdf Document.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 14.2.Cuytcex.exe.4340000.8.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
Source: 0.2.Pdf Document.exe.4340000.9.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Pdf Document.exe.4340000.9.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.Pdf Document.exe.4340000.9.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Pdf Document.exe.4340000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 14.2.Cuytcex.exe.4390000.9.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.Cuytcex.exe.4390000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 17.2.Cuytcex.exe.3090000.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.Cuytcex.exe.3090000.6.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 17.2.Cuytcex.exe.4370000.9.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.Cuytcex.exe.4370000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 14.2.Cuytcex.exe.2c90000.6.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.Cuytcex.exe.2c90000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 17.2.Cuytcex.exe.4320000.8.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
Source: 0.2.Pdf Document.exe.2ca0000.7.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Pdf Document.exe.2ca0000.7.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.Pdf Document.exe.2ca0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Pdf Document.exe.2ca0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 14.2.Cuytcex.exe.4390000.9.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.Cuytcex.exe.4390000.9.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 14.2.Cuytcex.exe.2c90000.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.Cuytcex.exe.2c90000.6.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 17.2.Cuytcex.exe.4370000.9.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.Cuytcex.exe.4370000.9.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Classification label
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@29/8@7/3
Contains functionality for error logging
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00421DB0 GetLastError,FormatMessageA
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0040922E GetDiskFreeSpaceA
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00417848 FindResourceA
Creates files inside the user directory
Source: C:\Users\user\Desktop\Pdf Document.exe | File created: C:\Users\Public\Cuytcex.exe
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3368:120:WilError_01
Source: C:\Users\user\Desktop\Pdf Document.exe | Mutant created: \Sessions\1\BaseNamedObjects\Fixed-S5LK5J
Creates temporary files
Source: C:\Users\user\Desktop\Pdf Document.exe | File created: C:\Users\user\AppData\Local\Temp\idivjyksgtfsayrqkmiioczit
Executes batch files
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Parts of this application are using Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\Pdf Document.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Pdf Document.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\Public\Cuytnet.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\Public\Cuytcex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\Public\Cuytcex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\Public\Cuytnet.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Cuytcex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Cuytcex.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Queries a list of all open handlesShow sources
Source: C:\Users\user\Desktop\Pdf Document.exeSystem information queried: HandleInformationJump to behavior
Reads ini filesShow sources
Source: C:\Users\user\Desktop\Pdf Document.exeFile read: C:\Windows\win.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\Pdf Document.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Users\user\Desktop\Pdf Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\Pdf Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\Pdf Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\Pdf Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\Public\Cuytcex.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\Public\Cuytcex.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\Public\Cuytcex.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Cuytcex.exeFile read: C:\Windows\System32\drivers\etc\hosts
SQL strings found in memory and binary dataShow sources
Source: Pdf Document.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Pdf Document.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Pdf Document.exe, 00000000.00000003.847702090.0000000005111000.00000004.00000001.sdmp, Pdf Document.exe, 00000008.00000002.846510124.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Pdf Document.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Pdf Document.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Pdf Document.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Pdf Document.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Sample is known by AntivirusShow sources
Source: Pdf Document.exeReversingLabs: Detection: 12%
Sample reads its own file contentShow sources
Source: C:\Users\user\Desktop\Pdf Document.exeFile read: C:\Users\user\Desktop\Pdf Document.exeJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\Pdf Document.exe 'C:\Users\user\Desktop\Pdf Document.exe'
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM '
Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknownProcess created: C:\Users\user\Desktop\Pdf Document.exe 'C:\Users\user\Desktop\Pdf Document.exe' /stext 'C:\Users\user\AppData\Local\Temp\idivjyksgtfsayrqkmiioczit'
Source: unknownProcess created: C:\Users\user\Desktop\Pdf Document.exe 'C:\Users\user\Desktop\Pdf Document.exe' /stext 'C:\Users\user\AppData\Local\Temp\txnnkqvtubxxdmfutxdcqhtzcqoi'
Source: unknownProcess created: C:\Users\user\Desktop\Pdf Document.exe 'C:\Users\user\Desktop\Pdf Document.exe' /stext 'C:\Users\user\AppData\Local\Temp\datgljgnijpcnsbykhqdbtgilxgrclx'
Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\Cuyt.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: unknownProcess created: C:\Users\Public\Cuytnet.exe 'C:\Users\Public\Cuytnet.exe'
Source: unknownProcess created: C:\Users\Public\Cuytcex.exe Cuytcex.exe
Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\Cuyt.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: unknownProcess created: C:\Users\Public\Cuytnet.exe 'C:\Users\Public\Cuytnet.exe'
Source: unknownProcess created: C:\Users\Public\Cuytcex.exe Cuytcex.exe
Source: C:\Users\user\Desktop\Pdf Document.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' 'Jump to behavior
Source: C:\Users\user\Desktop\Pdf Document.exeProcess created: C:\Users\user\Desktop\Pdf Document.exe 'C:\Users\user\Desktop\Pdf Document.exe' /stext 'C:\Users\user\AppData\Local\Temp\idivjyksgtfsayrqkmiioczit'Jump to behavior
Source: C:\Users\user\Desktop\Pdf Document.exeProcess created: C:\Users\user\Desktop\Pdf Document.exe 'C:\Users\user\Desktop\Pdf Document.exe' /stext 'C:\Users\user\AppData\Local\Temp\txnnkqvtubxxdmfutxdcqhtzcqoi'Jump to behavior
Source: C:\Users\user\Desktop\Pdf Document.exeProcess created: C:\Users\user\Desktop\Pdf Document.exe 'C:\Users\user\Desktop\Pdf Document.exe' /stext 'C:\Users\user\AppData\Local\Temp\datgljgnijpcnsbykhqdbtgilxgrclx'Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM 'Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /IJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Users\Public\Cuytnet.exe 'C:\Users\Public\Cuytnet.exe' Jump to behavior
Source: C:\Users\Public\Cuytnet.exeProcess created: C:\Users\Public\Cuytcex.exe Cuytcex.exeJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Users\Public\Cuytnet.exe 'C:\Users\Public\Cuytnet.exe'
Source: C:\Users\Public\Cuytnet.exeProcess created: C:\Users\Public\Cuytcex.exe Cuytcex.exe
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\Pdf Document.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32Jump to behavior
Tries to open an application configuration file (.cfg)Show sources
Source: C:\Users\user\Desktop\Pdf Document.exeFile opened: C:\Users\user\Desktop\Pdf Document.cfgJump to behavior
Uses Rich Edit ControlsShow sources
Source: C:\Users\user\Desktop\Pdf Document.exeFile opened: C:\Windows\SysWOW64\RICHED32.DLLJump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Checks if Microsoft Office is installedShow sources
Source: C:\Users\user\Desktop\Pdf Document.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: Pdf Document.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Pdf Document.exe | Unpacked PE file: 8.2.Pdf Document.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\Pdf Document.exe | Unpacked PE file: 9.2.Pdf Document.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\Pdf Document.exe | Unpacked PE file: 10.2.Pdf Document.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Pdf Document.exe | Unpacked PE file: 0.2.Pdf Document.exe.4340000.9.unpack
Source: C:\Users\Public\Cuytcex.exe | Unpacked PE file: 14.2.Cuytcex.exe.4390000.9.unpack
Source: C:\Users\Public\Cuytcex.exe | Unpacked PE file: 17.2.Cuytcex.exe.4370000.9.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Pdf Document.exe | Unpacked PE file: 8.2.Pdf Document.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_004630B8 VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,VirtualProtect
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00445A60 push 00445AEDh; ret (0_2_00445AE5)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0042805C push 00428088h; ret (0_2_00428080)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0041A0E4 push ecx; mov dword ptr [esp], edx (0_2_0041A0E6)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00428160 push 0042818Ch; ret (0_2_00428184)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0040E204 push 0040E380h; ret (0_2_0040E378)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00432378 push 004323BBh; ret (0_2_004323B3)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0042C3F0 push 0042C43Ch; ret (0_2_0042C434)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_004323F0 push 0043241Ch; ret (0_2_00432414)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0040E382 push 0040E3F3h; ret (0_2_0040E3EB)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0040E384 push 0040E3F3h; ret (0_2_0040E3EB)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_004146FE push 00414776h; ret (0_2_0041476E)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_004066B4 push 00406705h; ret (0_2_004066FD)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00414778 push 00414820h; ret (0_2_00414818)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0045E778 push 0045E7A4h; ret (0_2_0045E79C)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00414700 push 00414776h; ret (0_2_0041476E)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0045E718 push 0045E74Bh; ret (0_2_0045E743)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_004647E4 push 00464810h; ret (0_2_00464808)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00446790 push ecx; mov dword ptr [esp], edx (0_2_00446794)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0045E7B0 push 0045E7DCh; ret (0_2_0045E7D4)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0045E800 push 0045E82Ch; ret (0_2_0045E824)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0046481C push 00464842h; ret (0_2_0046483A)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0045E838 push 0045E864h; ret (0_2_0045E85C)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_004288EC push 00428918h; ret (0_2_00428910)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0045E8F0 push 0045E933h; ret (0_2_0045E92B)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_004068FC push 00406928h; ret (0_2_00406920)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0045E888 push 0045E8CBh; ret (0_2_0045E8C3)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0045E954 push 0045E9A0h; ret (0_2_0045E998)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0041490C push 00414938h; ret (0_2_00414930)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00448910 push 0044893Ch; ret (0_2_00448934)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0042A928 push 0042A960h; ret (0_2_0042A958)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0042892C push 00428958h; ret (0_2_00428950)

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Drops PE files
Source: C:\Users\user\Desktop\Pdf Document.exe | File created: C:\Users\Public\Cuytnet.exe
Source: C:\Users\user\Desktop\Pdf Document.exe | File created: C:\Users\Public\Cuytcex.exe
Drops PE files to the user directory
Source: C:\Users\user\Desktop\Pdf Document.exe | File created: C:\Users\Public\Cuytnet.exe
Source: C:\Users\user\Desktop\Pdf Document.exe | File created: C:\Users\Public\Cuytcex.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Users\user\Desktop\Pdf Document.exe | File created: C:\Users\Public\Cuytnet.exe
Source: C:\Users\user\Desktop\Pdf Document.exe | File created: C:\Users\Public\Cuytcex.exe
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Creates an autostart registry key
Source: C:\Users\user\Desktop\Pdf Document.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Cuyt
Source: C:\Users\user\Desktop\Pdf Document.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Cuyt

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00459C64 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0045A380 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_004283A4 IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_004403AC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0045A430 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00456C4C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00440CD0 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0043FAF8 IsIconic,GetCapture
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_00459C64 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_0045A380 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_004283A4 IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_004403AC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_0045A430 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_00456C4C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_00440CD0 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_0043FAF8 IsIconic,GetCapture
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0042AFF0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Pdf Document.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pdf Document.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pdf Document.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pdf Document.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pdf Document.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pdf Document.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pdf Document.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pdf Document.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pdf Document.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected Windows Security Disabler
Source: Yara match | File source: 0000000E.00000002.907353750.0000000004A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1217984879.0000000004890000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.919347843.0000000004320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1217151374.0000000004543000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.904932329.0000000004340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.921055235.0000000004A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1209068698.0000000002C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pdf Document.exe PID: 5108, type: MEMORY
Source: Yara match | File source: Process Memory Space: Cuytcex.exe PID: 1836, type: MEMORY
Source: Yara match | File source: Process Memory Space: Cuytcex.exe PID: 2416, type: MEMORY
Source: Yara match | File source: C:\Users\Public\Yako.bat, type: DROPPED
Source: Yara match | File source: 14.2.Cuytcex.exe.4340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pdf Document.exe.2c50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Cuytcex.exe.4320000.8.raw.unpack, type: UNPACKEDPE
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00434964
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_00434964
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_004591C0 GetCurrentThreadId,GetCursorPos,WaitForSingleObject
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_004591C0 GetCurrentThreadId,GetCursorPos,WaitForSingleObject
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Pdf Document.exe | Window / User API: threadDelayed 690
Found a large number of non-executed APIs
Source: C:\Users\Public\Cuytcex.exe | API coverage: 9.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Pdf Document.exe TID: 4936 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Pdf Document.exe TID: 3480 | Thread sleep time: -6900000s >= -30000s
Source: C:\Users\Public\Cuytcex.exe TID: 4996 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Cuytcex.exe TID: 3936 | Thread sleep time: -30000s >= -30000s
Sample execution stops while the process is sleeping (likely an evasion)
Source: C:\Users\user\Desktop\Pdf Document.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00409074 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_00405B20 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_0040A1A7 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_1_0040A1A7 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 10_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Users\Public\Cuytnet.exe | Code function: 13_2_00404320 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_00409074 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_00405B20 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Contains functionality to query system information
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_0042234C GetSystemInfo
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: Cuytcex.exe, 00000011.00000003.914001157.0000000000669000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW,
Program exit points
Source: C:\Users\user\Desktop\Pdf Document.exe | API call chain: ExitProcess graph end node (graph_0-36471)
Source: C:\Users\Public\Cuytnet.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Users\user\Desktop\Pdf Document.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 8_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Pdf Document.exe | Code function: 0_2_004630B8 VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,VirtualProtect
Contains functionality to read the PEB
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_02C911B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Cuytcex.exe | Code function: 14_2_02C911B0 mov eax, dword ptr fs:[00000030h]
Enables debug privileges
Source: C:\Users\user\Desktop\Pdf Document.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processesShow sources
Source: C:\Users\user\Desktop\Pdf Document.exe; Memory written: C:\Users\user\Desktop\Pdf Document.exe, base: 400000, value starts with: 4D5A ("MZ", a PE image header)
Source: C:\Users\user\Desktop\Pdf Document.exe; Memory written: C:\Users\user\Desktop\Pdf Document.exe, base: 400000, value starts with: 4D5A ("MZ", a PE image header)
Source: C:\Users\user\Desktop\Pdf Document.exe; Memory written: C:\Users\user\Desktop\Pdf Document.exe, base: 400000, value starts with: 4D5A ("MZ", a PE image header)
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Pdf Document.exe; Process created: C:\Users\user\Desktop\Pdf Document.exe 'C:\Users\user\Desktop\Pdf Document.exe' /stext 'C:\Users\user\AppData\Local\Temp\idivjyksgtfsayrqkmiioczit'
Source: C:\Users\user\Desktop\Pdf Document.exe; Process created: C:\Users\user\Desktop\Pdf Document.exe 'C:\Users\user\Desktop\Pdf Document.exe' /stext 'C:\Users\user\AppData\Local\Temp\txnnkqvtubxxdmfutxdcqhtzcqoi'
Source: C:\Users\user\Desktop\Pdf Document.exe; Process created: C:\Users\user\Desktop\Pdf Document.exe 'C:\Users\user\Desktop\Pdf Document.exe' /stext 'C:\Users\user\AppData\Local\Temp\datgljgnijpcnsbykhqdbtgilxgrclx'
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM '
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\mshta.exe; Process created: C:\Users\Public\Cuytnet.exe 'C:\Users\Public\Cuytnet.exe'
Source: C:\Windows\SysWOW64\mshta.exe; Process created: C:\Users\Public\Cuytnet.exe 'C:\Users\Public\Cuytnet.exe'
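The reg add / schtasks pair above is the SilentCleanup UAC bypass: the \Microsoft\Windows\DiskCleanup\SilentCleanup task runs with highest available privileges, can be started by a standard user, and expands %windir% when it resolves its cleanmgr.exe action, so a windir value written under the user-writable HKCU\Environment makes the elevated task run C:\Users\Public\Yako.bat instead. The value as written deletes the override right after launching the batch file, so a registry check after the fact usually comes up clean; the command lines are the durable evidence. The /stext switch on the self-spawned Pdf Document.exe children is the NirSoft "save report to text file" option, which matches the WebBrowserPassView module in the extracted configuration further down. The detector below is an added example, not code from this report or from Joe Sandbox; it runs rules over the process-creation events above (copied here as constructed sample data, with one benign line added) and correlates them into findings. The rule names, the (parent, command line) event shape and the mshta-from-Public heuristic are this example's own assumptions.

```python
import re

# Constructed sample: (parent image, child command line) pairs copied from the
# "Process created" evidence above, plus one benign line that must not fire.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\Pdf Document.exe",
     r"'C:\Users\user\Desktop\Pdf Document.exe' /stext 'C:\Users\user\AppData\Local\Temp\idivjyksgtfsayrqkmiioczit'"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"reg delete hkcu\Environment /v windir /f"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM '"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I"),
    (r"C:\Windows\SysWOW64\mshta.exe", r"'C:\Users\Public\Cuytnet.exe'"),
    (r"C:\Windows\explorer.exe", r"notepad.exe C:\Users\user\notes.txt"),
]

# Per-event rules on the child command line (rule names are this example's own).
RULES = {
    # HKCU\Environment is writable by the user; a windir value there is picked up
    # when the elevated SilentCleanup task expands %windir% for its action.
    "windir_env_hijack": re.compile(r"\breg\s+add\s+hkcu\\environment\s+/v\s+windir\b", re.I),
    "windir_env_cleanup": re.compile(r"\breg\s+delete\s+hkcu\\environment\s+/v\s+windir\b", re.I),
    "silentcleanup_trigger": re.compile(
        r"\bschtasks\s+/run\s+/tn\s+\\microsoft\\windows\\diskcleanup\\silentcleanup\b", re.I),
    # /stext is the NirSoft "save report to text file" switch.
    "nirsoft_stext_dump": re.compile(r"(^|\s)/stext(\s|$)", re.I),
}
PUBLIC_DIR = re.compile(r"\\users\\public\\", re.I)


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def scan(events):
    """Return (event index, rule name) hits in event order."""
    hits = []
    for idx, (parent, cmd) in enumerate(events):
        for name, pat in RULES.items():
            if pat.search(cmd):
                hits.append((idx, name))
        # A script host launching an executable out of C:\Users\Public.
        if image_name(parent) == "mshta.exe" and PUBLIC_DIR.search(cmd):
            hits.append((idx, "mshta_launches_public_exe"))
        # The sample re-launching its own image with /stext: the embedded
        # NirSoft tool runs inside a copy of the parent.
        if RULES["nirsoft_stext_dump"].search(cmd) and parent.lower() in cmd.lower():
            hits.append((idx, "self_spawn_with_stext"))
    return hits


def findings(events):
    """Set of rule names plus the correlated UAC-bypass chain when hijack precedes trigger."""
    names = [name for _, name in scan(events)]
    out = set(names)
    if ("windir_env_hijack" in out and "silentcleanup_trigger" in out
            and names.index("windir_env_hijack") < names.index("silentcleanup_trigger")):
        out.add("uac_bypass_silentcleanup_chain")
    return out


if __name__ == "__main__":
    for name in sorted(findings(SAMPLE_EVENTS)):
        print(name)
```

Feed it Sysmon Event ID 1 or Security 4688 records with command-line auditing enabled; the correlation deliberately requires the reg add to precede the schtasks /Run, since an administrator legitimately running SilentCleanup does not touch HKCU\Environment first.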
May try to detect the Windows Explorer process (often used for injection)
Source: Pdf Document.exe, 00000000.00000002.1207560973.00000000023A0000.00000004.00000040.sdmp; Binary or memory string: Program Manager
Source: Pdf Document.exe, 00000000.00000002.1207413289.0000000000E00000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: Pdf Document.exe, 00000000.00000002.1207413289.0000000000E00000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: Pdf Document.exe, 00000000.00000002.1218335635.0000000005163000.00000004.00000001.sdmp; Binary or memory string: art];L0|cmd|Program Manager|cmd|328|cmd|354109_
Source: Pdf Document.exe, 00000000.00000002.1207413289.0000000000E00000.00000002.00000001.sdmp; Binary or memory string: hProgram ManagerWE
Source: Pdf Document.exe, 00000000.00000002.1218335635.0000000005163000.00000004.00000001.sdmp; Binary or memory string: art]@L0|cmd|Program Manager|cmd|6140860|cmd|6484406A
Source: Pdf Document.exe, 00000000.00000002.1207413289.0000000000E00000.00000002.00000001.sdmp; Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\Pdf Document.exe; Code function 0_2_00405CF8: GetModuleFileNameA, RegOpenKeyExA, RegOpenKeyExA, RegOpenKeyExA, RegQueryValueExA, RegQueryValueExA, RegCloseKey, lstrcpyn, GetThreadLocale, GetLocaleInfoA, lstrlen, lstrcpyn, LoadLibraryExA, lstrcpyn, LoadLibraryExA, lstrcpyn, LoadLibraryExA
Source: C:\Users\user\Desktop\Pdf Document.exe; Code function 0_2_00406640: GetLocaleInfoA
Source: C:\Users\user\Desktop\Pdf Document.exe; Code function 0_2_0040D228: GetLocaleInfoA, GetACP
Source: C:\Users\user\Desktop\Pdf Document.exe; Code function 0_2_0040BB54: GetLocaleInfoA
Source: C:\Users\user\Desktop\Pdf Document.exe; Code function 0_2_0040BB08: GetLocaleInfoA
Source: C:\Users\user\Desktop\Pdf Document.exe; Code function 0_2_00405E03: lstrcpyn, GetThreadLocale, GetLocaleInfoA, lstrlen, lstrcpyn, LoadLibraryExA, lstrcpyn, LoadLibraryExA, lstrcpyn, LoadLibraryExA
Source: C:\Users\user\Desktop\Pdf Document.exe; Code function 0_2_02C55EA4: GetModuleFileNameA, RegOpenKeyExA, RegOpenKeyExA, RegOpenKeyExA, RegOpenKeyExA, RegQueryValueExA, RegQueryValueExA, RegCloseKey, lstrcpynA, GetThreadLocale, GetLocaleInfoA, lstrlenA, lstrcpynA, LoadLibraryExA, lstrcpynA, LoadLibraryExA, lstrcpynA, LoadLibraryExA
Source: C:\Users\Public\Cuytnet.exe; Code function 13_2_004044F8: GetModuleFileNameA, RegOpenKeyExA, RegOpenKeyExA, RegOpenKeyExA, RegQueryValueExA, RegQueryValueExA, RegCloseKey, lstrcpyn, GetThreadLocale, GetLocaleInfoA, lstrlen, lstrcpyn, LoadLibraryExA, lstrcpyn, LoadLibraryExA, lstrcpyn, LoadLibraryExA
Source: C:\Users\Public\Cuytnet.exe; Code function 13_2_004048DC: GetLocaleInfoA
Source: C:\Users\Public\Cuytnet.exe; Code function 13_2_0040791C: GetLocaleInfoA, GetACP
Source: C:\Users\Public\Cuytnet.exe; Code function 13_2_00406778: GetLocaleInfoA
Source: C:\Users\Public\Cuytnet.exe; Code function 13_2_004067C4: GetLocaleInfoA
Source: C:\Users\Public\Cuytcex.exe; Code function 14_2_00405CF8: GetModuleFileNameA, RegOpenKeyExA, RegOpenKeyExA, RegOpenKeyExA, RegQueryValueExA, RegQueryValueExA, RegCloseKey, lstrcpyn, GetThreadLocale, GetLocaleInfoA, lstrlen, lstrcpyn, LoadLibraryExA, lstrcpyn, LoadLibraryExA, lstrcpyn, LoadLibraryExA
Source: C:\Users\Public\Cuytcex.exe; Code function 14_2_00406640: GetLocaleInfoA
Source: C:\Users\Public\Cuytcex.exe; Code function 14_2_0040D228: GetLocaleInfoA, GetACP
Source: C:\Users\Public\Cuytcex.exe; Code function 14_2_0040BB54: GetLocaleInfoA
Source: C:\Users\Public\Cuytcex.exe; Code function 14_2_0040BB08: GetLocaleInfoA
Source: C:\Users\Public\Cuytcex.exe; Code function 14_2_00405E03: lstrcpyn, GetThreadLocale, GetLocaleInfoA, lstrlen, lstrcpyn, LoadLibraryExA, lstrcpyn, LoadLibraryExA, lstrcpyn, LoadLibraryExA
Note that the function addresses in Cuytcex.exe (process 14) match those in Pdf Document.exe (process 0) exactly (0x405CF8, 0x406640, 0x40D228, 0x40BB54, 0x40BB08, 0x405E03), which is consistent with Cuytcex.exe being a dropped copy of the original sample; Cuytnet.exe (process 13) has different addresses and is a distinct binary.
Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\Cuytcex.exe; Code function 14_2_02CA3921: cpuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Pdf Document.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Pdf Document.exe; Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\Pdf Document.exe; Code function 0_2_0040A5A8: GetLocalTime
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\Pdf Document.exe; Code function 9_2_00407C79: memset, memset, memset, memset, GetComputerNameA, GetUserNameA, MultiByteToWideChar, MultiByteToWideChar, MultiByteToWideChar, strlen, strlen, memcpy
Contains functionality to query Windows version
Source: C:\Users\user\Desktop\Pdf Document.exe; Code function 0_2_00445A60: GetVersion
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\Pdf Document.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, value MachineGuid

Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match; File source: 00000011.00000002.919210054.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1216946067.0000000004340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.919539941.0000000004370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.904625962.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1209151390.0000000002CA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.905140966.0000000004390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Pdf Document.exe PID: 5108, type: MEMORY
Source: Yara match; File source: Process Memory Space: Cuytcex.exe PID: 1836, type: MEMORY
Source: Yara match; File source: Process Memory Space: Cuytcex.exe PID: 2416, type: MEMORY
Source: Yara match; File source: 17.2.Cuytcex.exe.3090000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Pdf Document.exe.4340000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Pdf Document.exe.4340000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.Cuytcex.exe.4390000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Cuytcex.exe.3090000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Cuytcex.exe.4370000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.Cuytcex.exe.2c90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Pdf Document.exe.2ca0000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Pdf Document.exe.2ca0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.Cuytcex.exe.4390000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.Cuytcex.exe.2c90000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Cuytcex.exe.4370000.9.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Pdf Document.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Pdf Document.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db
Source: C:\Users\user\Desktop\Pdf Document.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\pkcs11.txt
Source: C:\Users\user\Desktop\Pdf Document.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db
Source: C:\Users\user\Desktop\Pdf Document.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\places.sqlite
Source: C:\Users\user\Desktop\Pdf Document.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Pdf Document.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\Desktop\Pdf Document.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\Pdf Document.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\Pdf Document.exe; Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\Desktop\Pdf Document.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\Pdf Document.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via registry access)
Source: C:\Users\user\Desktop\Pdf Document.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\Pdf Document.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Pdf Document.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Pdf Document.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Pdf Document.exe; Code function 10_2_00402D74: _mbscpy, _mbscpy, _mbscpy, _mbscpy, RegCloseKey; string: PopPassword
Source: C:\Users\user\Desktop\Pdf Document.exe; Code function 10_2_00402D74: _mbscpy, _mbscpy, _mbscpy, _mbscpy, RegCloseKey; string: SMTPPassword
Source: C:\Users\user\Desktop\Pdf Document.exe; Code function 10_2_004033B1; string: ESMTPPassword
Yara detected WebBrowserPassView password recovery tool
Source: Yara match; File source: 00000000.00000003.847702090.0000000005111000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.848176025.0000000005411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000001.841740352.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.846510124.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Pdf Document.exe PID: 5108, type: MEMORY
Source: Yara match; File source: Process Memory Space: Pdf Document.exe PID: 3996, type: MEMORY
Source: Yara match; File source: 8.2.Pdf Document.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.1.Pdf Document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.Pdf Document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.1.Pdf Document.exe.400000.0.raw.unpack, type: UNPACKEDPE
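What distinguishes the stealer in the file and registry accesses above is breadth rather than any single read: one process that is neither a browser nor a mail client opens Chrome's Login Data and Web Data, Firefox's key4.db, cert9.db and places.sqlite, Outlook's account keys and several instant-messenger keys within a single run. The audit below is an added example, not code from this report or from Joe Sandbox; it scores access events against a table of known credential stores and the process images expected to own them, and flags a process once it reads stores of several unrelated products. The event triples are copied from the evidence above plus two benign accesses by the real owners (constructed); the store names, owner image names and the threshold of three stores are this example's assumptions, to be tuned to the estate.

```python
import re
from collections import defaultdict

# Constructed sample: (process image, kind, target) triples copied from the
# "File opened" / "Key opened" evidence above, plus two benign accesses by
# the products that own those stores.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\Pdf Document.exe", "file",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\user\Desktop\Pdf Document.exe", "file",
     r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db"),
    (r"C:\Users\user\Desktop\Pdf Document.exe", "file",
     r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db"),
    (r"C:\Users\user\Desktop\Pdf Document.exe", "key",
     r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"),
    (r"C:\Users\user\Desktop\Pdf Document.exe", "key", r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts"),
    (r"C:\Users\user\Desktop\Pdf Document.exe", "key", r"HKEY_CURRENT_USER\Software\Paltalk"),
    (r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe", "file",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "key",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
]

# (store, kind, pattern on the target, image names allowed to touch it).
# Store names and owner lists are this example's assumptions, not a vendor list.
STORES = [
    ("chrome_logins", "file", r"\\google\\chrome\\user data\\[^\\]+\\(login data|web data)$", {"chrome.exe"}),
    ("firefox_profile", "file",
     r"\\mozilla\\firefox\\(profiles\.ini|profiles\\[^\\]+\\(key4\.db|cert9\.db|logins\.json|places\.sqlite|pkcs11\.txt))$",
     {"firefox.exe"}),
    ("outlook_accounts", "key", r"\\outlook\\omi account manager\\accounts", {"outlook.exe"}),
    ("mapi_profiles", "key", r"\\windows messaging subsystem\\profiles", {"outlook.exe"}),
    ("windows_live_mail", "key", r"\\microsoft\\windows live mail$", {"wlmail.exe"}),
    ("incredimail_identities", "key", r"\\incredimail\\identities", {"incredimail.exe"}),
    ("google_talk_accounts", "key", r"\\google talk\\accounts", {"googletalk.exe"}),
    ("paltalk", "key", r"\\software\\paltalk$", {"paltalk.exe"}),
    # No owner modelled here: any process reading this value is reported.
    ("identitycrl_salt", "key", r"\\identitycrl\\dynamic salt", set()),
]
COMPILED = [(n, k, re.compile(p, re.I), o) for n, k, p, o in STORES]


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def audit(events):
    """Map each process image to the credential stores it read without owning them."""
    touched = defaultdict(set)
    for proc, kind, target in events:
        name = image_name(proc)
        for store, skind, pat, owners in COMPILED:
            if kind == skind and pat.search(target) and name not in owners:
                touched[name].add(store)
    return {proc: sorted(stores) for proc, stores in touched.items()}


def harvesting_verdict(report, min_stores=3):
    """True for a process that read stores of several unrelated products in one run."""
    return {proc: len(stores) >= min_stores for proc, stores in report.items()}


if __name__ == "__main__":
    report = audit(SAMPLE_EVENTS)
    for proc, flagged in harvesting_verdict(report).items():
        print(proc, report[proc], "HARVESTING" if flagged else "review")
```

Sysmon records file creation, not reads, so this needs EDR file-access and registry telemetry (or the sandbox report itself) as input. The threshold keeps a password manager importing one browser's store from firing, while the NirSoft-style sweep across browsers, mail clients and messengers seen above clears it comfortably.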

Remote Access Functionality:

Detected Remcos RAT
Source: Pdf Document.exe, 00000000.00000002.1216946067.0000000004340000.00000040.00000001.sdmp; String found in binary or memory: Remcos_Mutex_Inj
Source: Pdf Document.exe, 00000000.00000002.1216946067.0000000004340000.00000040.00000001.sdmp; String found in binary or memory: NormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.5.0 Propth_unencoverridev
Source: Cuytcex.exe; String found in binary or memory: Remcos_Mutex_Inj
Source: Cuytcex.exe, 0000000E.00000002.904625962.0000000002C90000.00000004.00000001.sdmp; String found in binary or memory: NormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.5.0 Propth_unencoverridev
Source: Cuytcex.exe, 00000011.00000002.919210054.0000000003090000.00000004.00000001.sdmp; String found in binary or memory: Remcos_Mutex_Inj
Source: Cuytcex.exe, 00000011.00000002.919210054.0000000003090000.00000004.00000001.sdmp; String found in binary or memory: NormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.5.0 Propth_unencoverridev
Source: Cuytcex.exe, 00000011.00000003.913688775.0000000000681000.00000004.00000001.sdmp; String found in binary or memory: Remcos_Mutex_Injom
Yara detected Remcos RAT
Source: Yara match; File source: 00000011.00000002.919210054.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1216946067.0000000004340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.919539941.0000000004370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.904625962.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1209151390.0000000002CA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.905140966.0000000004390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Pdf Document.exe PID: 5108, type: MEMORY
Source: Yara match; File source: Process Memory Space: Cuytcex.exe PID: 1836, type: MEMORY
Source: Yara match; File source: Process Memory Space: Cuytcex.exe PID: 2416, type: MEMORY
Source: Yara match; File source: 17.2.Cuytcex.exe.3090000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Pdf Document.exe.4340000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Pdf Document.exe.4340000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.Cuytcex.exe.4390000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Cuytcex.exe.3090000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Cuytcex.exe.4370000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.Cuytcex.exe.2c90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Pdf Document.exe.2ca0000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Pdf Document.exe.2ca0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.Cuytcex.exe.4390000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.Cuytcex.exe.2c90000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Cuytcex.exe.4370000.9.unpack, type: UNPACKEDPE

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

The configuration extractor attributes the sample to HawkEye, while the Yara and string matches above identify Remcos in Pdf Document.exe and Cuytcex.exe. The two results are not in conflict: the chain carries both a HawkEye-style credential-dumping stage (the WebBrowserPassView module listed here, matched by Yara in process 8, and the /stext child processes under "Creates a process in suspended mode") and a Remcos remote-access payload. No version string was recovered, hence the empty "Version" field.

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language