
Analysis Report 30634.bin

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:225121
Start date:24.04.2020
Start time:13:42:09
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 19s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:30634.bin (renamed file extension from bin to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.evad.winEXE@6/13@33/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 46.3% (good quality ratio 44.8%)
  • Quality average: 83%
  • Quality standard deviation: 26.3%
HCA Information:
  • Successful, ratio: 53%
  • Number of executed functions: 76
  • Number of non-executed functions: 163
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Excluded IPs from analysis (whitelisted): 205.185.216.10, 205.185.216.42, 72.247.224.69
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: (none)
Whitelisted: false
Threat: Remcos
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Execution through API2 | Application Shimming1 | Access Token Manipulation1 | Masquerading11 | Credential Dumping | System Time Discovery1 | Application Deployment Software | Clipboard Data1 | Data Encrypted1 | Standard Cryptographic Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Replication Through Removable Media | Service Execution | Port Monitors | Process Injection111 | Software Packing3 | Network Sniffing | Virtualization/Sandbox Evasion1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Uncommonly Used Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Application Shimming1 | Virtualization/Sandbox Evasion1 | Input Capture | Process Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Access Token Manipulation1 | Credentials in Files | Application Window Discovery1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol1 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Process Injection111 | Account Manipulation | Security Software Discovery13 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Deobfuscate/Decode Files or Information1 | Brute Force | Remote System Discovery1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features |
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Obfuscated Files or Information3 | Two-Factor Authentication Interception | System Network Configuration Discovery1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | File and Directory Discovery3 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | System Information Discovery14 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\aaa.dll | Avira: detection malicious, Label: TR/Agent.wlufu
Source: C:\ProgramData\zkgzol.png | Avira: detection malicious, Label: BDS/Backdoor.Gen
Antivirus detection for sample
Source: 30634.exe | Avira: detection malicious, Label: TR/AD.Remcos.ifaau
Multi AV Scanner detection for domain / URL
Source: xyz345.spdns.de | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\aaa.dll | Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\aaa.dll | ReversingLabs: Detection: 70%
Multi AV Scanner detection for submitted file
Source: 30634.exe | Virustotal: Detection: 69%
Source: 30634.exe | ReversingLabs: Detection: 83%
Yara detected Remcos RAT
Source: Yara match | File source: 00000000.00000002.1280294789.0000000000620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1404585609.00000000074E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ProsoftKck.exe PID: 2296, type: MEMORY
Source: Yara match | File source: dropped/zkgzol.png, type: DROPPED
Source: Yara match | File source: C:\ProgramData\zkgzol.png, type: DROPPED
Source: Yara match | File source: 0.2.30634.exe.620000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ProsoftKck.exe.74e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ProsoftKck.exe.74e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.30634.exe.620000.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\aaa.dll | Joe Sandbox ML: detected
Source: C:\ProgramData\zkgzol.png | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.ProsoftKck.exe.74e0000.2.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 0.2.30634.exe.620000.2.unpack | Avira: Label: BDS/Backdoor.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_0040672B FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_00402868 FindFirstFileW
Enumerates the file system
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

Networking:

Uses nslookup.exe to query domains
Source: unknown | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\System32\nslookup.exe
Source: unknown | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\System32\nslookup.exe
Source: C:\Users\user\Desktop\30634.exe | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\System32\nslookup.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\System32\nslookup.exe
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.6:49946 -> 185.244.30.12:7894
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: xyz345.spdns.de
Urls found in memory or binary data
Source: 30634.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: test.ini | String found in binary or memory: http://nsis.sourceforge.net/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_0040558F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match | File source: 00000000.00000002.1280294789.0000000000620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1404585609.00000000074E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ProsoftKck.exe PID: 2296, type: MEMORY
Source: Yara match | File source: dropped/zkgzol.png, type: DROPPED
Source: Yara match | File source: C:\ProgramData\zkgzol.png, type: DROPPED
Source: Yara match | File source: 0.2.30634.exe.620000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ProsoftKck.exe.74e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ProsoftKck.exe.74e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.30634.exe.620000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1280294789.0000000000620000.00000004.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.1404585609.00000000074E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: dropped/zkgzol.png, type: DROPPED | Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\ProgramData\zkgzol.png, type: DROPPED | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.30634.exe.620000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.ProsoftKck.exe.74e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.ProsoftKck.exe.74e0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.30634.exe.620000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A522D9 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A51A0F NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A52A70 NtMapViewOfSection
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A51B9F NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A52BFC NtAllocateVirtualMemory,NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A4F3DE NtOpenSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A52BDA NtDelayExecution
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A53BDA NtCreateSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A51F03 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A53B60 NtOpenSection
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A52751 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A53CA6 NtAllocateVirtualMemory,NtReadFile,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtQuerySystemInformation
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A53487 NtClose,NtQueryInformationProcess
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A518C0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A5243E NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A52077 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A52596 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A51DF2 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A52D1C NtQueryInformationProcess,CreateProcessW,NtWriteFile,NtQueryInformationProcess,NtAllocateVirtualMemory,NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A5217B NtAllocateVirtualMemory
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Detected potential crypto function
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_00404DCC
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_00406AF2
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A34009
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A42AD1
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A5AE35
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A43279
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A39659
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A34BAA
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A5D389
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A41FED
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A443F1
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A38304
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A88311
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72ABFC2A
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A82C2A
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72ABDC3A
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72AC5C30
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72AC3C6A
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A9F983
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72AC7D96
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A5D1FC
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A5911D
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A4255F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A34009
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A91AB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A42AD1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A8D224
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A73A34
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A7A23C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A86234
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A6C267
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A5FA75
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A96271
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A43279
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A34BAA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A5D389
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A9039C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A443F1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A7E3FD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A84BC5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A95B32
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A38304
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A88311
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A7A318
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A8CB61
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A94B74
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A620AD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A6C8B9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A62881
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A6808C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A638FA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A78836
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A6C01D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A6F864
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A7C063
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A9207C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A86073
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A7E1BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A9F983
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A821E4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A7F9E9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A5D1FC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A6D1C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A5911D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A88113
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A70176
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A94973
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A8E948
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A7F957
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A91E8C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A866E9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A916CC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A67EDB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A5AE35
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A94601
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A6C656
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A39659
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A827BD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A41FED
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A8EFDF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A5F4B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A774E5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72ABFC2A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A82C2A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72ABDC3A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72AC5C30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72AC3C6A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A73440
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A9644E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A8245F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A7EC5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A63DA1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A5F582
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72AC7D96
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A8BD96
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A7EDE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A925C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A6854D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A94559
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A4255F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A8C554
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_73AA1B5F
Found potential string decryption / allocating functionsShow sources
Source: C:\Users\user\Desktop\30634.exeCode function: String function: 72A36800 appears 42 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exeCode function: String function: 72A36800 appears 42 times
PE file contains strange resourcesShow sources
Source: 30634.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version infoShow sources
Source: 30634.exe, 00000000.00000002.1278804583.00000000001D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameOLEACCRC.DLLj% vs 30634.exe
Yara signature matchShow sources
Source: 00000000.00000002.1280294789.0000000000620000.00000004.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.1404585609.00000000074E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: dropped/zkgzol.png, type: DROPPED | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\ProgramData\zkgzol.png, type: DROPPED | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.30634.exe.620000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.ProsoftKck.exe.74e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.ProsoftKck.exe.74e0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.30634.exe.620000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: aaa.dll.0.dr | Static PE information: Section: .vlizer ZLIB complexity 0.993495971723
Source: aaa.dll.2.dr | Static PE information: Section: .vlizer ZLIB complexity 0.993495971723
Classification label
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/13@33/1
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_004034A5
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_00404850 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW | 0_2_00404850
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_00402104 CoCreateInstance | 0_2_00402104
Creates files inside the user directory
Source: C:\Windows\SysWOW64\nslookup.exe | File created: C:\Users\user\AppData\Roaming\data
Creates mutexes
Source: C:\Windows\SysWOW64\nslookup.exe | Mutant created: \Sessions\1\BaseNamedObjects\update-6U9PLU
Creates temporary files
Source: C:\Users\user\Desktop\30634.exe | File created: C:\Users\user\AppData\Local\Temp\nsi528.tmp
PE file has an executable .text section and no other executable section
Source: 30634.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\30634.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\30634.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\SysWOW64\nslookup.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: 30634.exe | Virustotal: Detection: 69%
Source: 30634.exe | ReversingLabs: Detection: 83%
Sample reads its own file content
Source: C:\Users\user\Desktop\30634.exe | File read: C:\Users\user\Desktop\30634.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\30634.exe 'C:\Users\user\Desktop\30634.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\System32\nslookup.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\System32\nslookup.exe
Source: C:\Users\user\Desktop\30634.exe | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\System32\nslookup.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\System32\nslookup.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\30634.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 30634.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_73AA1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW | 2_2_73AA1B5F
PE file contains sections with non-standard names
Source: aaa.dll.0.dr | Static PE information: section name: .vlizer
Source: aaa.dll.2.dr | Static PE information: section name: .vlizer
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A5FE0D push esi; mov dword ptr [esp], 00000248h | 0_2_72A5FE2E
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A5FE0D push ebx; mov dword ptr [esp], edi | 0_2_72A5FEE3
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A5FE0D push edi; mov dword ptr [esp], 4F6806A8h | 0_2_72A5FF49
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push 46B7151Dh; mov dword ptr [esp], edx | 0_2_72A740C0
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push ecx; mov dword ptr [esp], 000000B0h | 0_2_72A740D2
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push ebx; mov dword ptr [esp], esi | 0_2_72A74154
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push edi; mov dword ptr [esp], 05B59B7Ah | 0_2_72A74166
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push edx; mov dword ptr [esp], esi | 0_2_72A74184
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push ecx; mov dword ptr [esp], esi | 0_2_72A74193
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push ebx; mov dword ptr [esp], ebp | 0_2_72A741A9
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push ebp; mov dword ptr [esp], 000000B4h | 0_2_72A7422E
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push esi; mov dword ptr [esp], edx | 0_2_72A74273
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push edx; mov dword ptr [esp], ecx | 0_2_72A742A5
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push ebx; mov dword ptr [esp], 6D7761B4h | 0_2_72A7433A
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push edi; mov dword ptr [esp], esi | 0_2_72A74386
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push esi; mov dword ptr [esp], 00000248h | 0_2_72A74393
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push eax; mov dword ptr [esp], 3B1DAE29h | 0_2_72A743BC
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push 50B4A46Ah; mov dword ptr [esp], ebp | 0_2_72A74454
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A73FCF push edx; mov dword ptr [esp], ebx | 0_2_72A744DD
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A913D6 push esi; mov dword ptr [esp], ecx | 0_2_72A913F0
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A913D6 push edi; mov dword ptr [esp], edx | 0_2_72A91411
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A913D6 push 36973A25h; mov dword ptr [esp], eax | 0_2_72A91473
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A88311 push edi; mov dword ptr [esp], edx | 0_2_72A88338
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A88311 push eax; mov dword ptr [esp], ebp | 0_2_72A883C0
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A88311 push 4A98D635h; mov dword ptr [esp], ebx | 0_2_72A8841B
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A88311 push esi; mov dword ptr [esp], 0004F5A2h | 0_2_72A884B1
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A88311 push 4430B6E0h; mov dword ptr [esp], ebp | 0_2_72A885B3
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A88311 push eax; mov dword ptr [esp], 00000000h | 0_2_72A885DE
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A88311 push 4C2C7C67h; mov dword ptr [esp], esi | 0_2_72A885FC
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A88311 push 4D055B11h; mov dword ptr [esp], edx | 0_2_72A88664
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72ABFC2A push ecx; mov dword ptr [esp], 3D7B5386h | 0_2_72ABFC4B
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .vlizer entropy: 7.99664045049
Source: initial sample | Static PE information: section name: .vlizer entropy: 7.99664045049

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\30634.exe | File created: C:\Users\user\AppData\Local\Temp\nsy588.tmp\System.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File created: C:\Users\user\AppData\Local\Temp\nsd2909.tmp\System.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File created: C:\Users\user\AppData\Local\Temp\aaa.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File created: C:\ProgramData\zkgzol.png
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File created: C:\ProgramData\zkgzol.png
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\30634.exe | File created: C:\ProgramData\zkgzol.png
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File created: C:\ProgramData\zkgzol.png

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A34009 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_72A34009
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\30634.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\nslookup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\nslookup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\nslookup.exe | Window / User API: threadDelayed 443
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_2-16424
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | API coverage: 8.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\nslookup.exe TID: 2400 | Thread sleep count: 443 > 30
Source: C:\Windows\SysWOW64\nslookup.exe TID: 2400 | Thread sleep time: -4430000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\30634.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\nslookup.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\nslookup.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_0040672B FindFirstFileW,FindClose | 0_2_0040672B
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 0_2_00405AFA
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_00402868 FindFirstFileW | 0_2_00402868
Enumerates the file system
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Program exit points
Source: C:\Users\user\Desktop\30634.exe | API call chain: ExitProcess graph end node | graph_0-15550
Source: C:\Users\user\Desktop\30634.exe | API call chain: ExitProcess graph end node | graph_0-15706
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | API call chain: ExitProcess graph end node | graph_2-16426
Queries a list of all running processes
Source: C:\Users\user\Desktop\30634.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A346AA IsDebuggerPresent | 0_2_72A346AA
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A3F703 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer | 0_2_72A3F703
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_73AA1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW | 2_2_73AA1B5F
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A52A70 mov eax, dword ptr fs:[00000030h] | 0_2_72A52A70
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A4F3DE mov eax, dword ptr fs:[00000030h] | 0_2_72A4F3DE
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A4F3DE mov eax, dword ptr fs:[00000030h] | 0_2_72A4F3DE
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A53BDA mov eax, dword ptr fs:[00000030h] | 0_2_72A53BDA
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A53CA6 mov eax, dword ptr fs:[00000030h] | 0_2_72A53CA6
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A53487 mov eax, dword ptr fs:[00000030h] | 0_2_72A53487
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A53487 mov eax, dword ptr fs:[00000030h] | 0_2_72A53487
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A52D1C mov eax, dword ptr fs:[00000030h] | 0_2_72A52D1C
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A4F558 mov eax, dword ptr fs:[00000030h] | 0_2_72A4F558
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A4F4F6 mov eax, dword ptr fs:[00000030h] | 0_2_72A4F4F6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A52A70 mov eax, dword ptr fs:[00000030h] | 2_2_72A52A70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A4F3DE mov eax, dword ptr fs:[00000030h] | 2_2_72A4F3DE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A4F3DE mov eax, dword ptr fs:[00000030h] | 2_2_72A4F3DE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A53BDA mov eax, dword ptr fs:[00000030h] | 2_2_72A53BDA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A53CA6 mov eax, dword ptr fs:[00000030h] | 2_2_72A53CA6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A53487 mov eax, dword ptr fs:[00000030h] | 2_2_72A53487
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A53487 mov eax, dword ptr fs:[00000030h] | 2_2_72A53487
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A52D1C mov eax, dword ptr fs:[00000030h] | 2_2_72A52D1C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A4F558 mov eax, dword ptr fs:[00000030h] | 2_2_72A4F558
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A4F4F6 mov eax, dword ptr fs:[00000030h] | 2_2_72A4F4F6
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A3BB18 GetProcessHeap | 0_2_72A3BB18
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A3ADCB SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_72A3ADCB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Code function: 2_2_72A3ADCB SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_72A3ADCB

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\30634.exe | Section loaded: C:\ProgramData\zkgzol.png target: C:\Windows\SysWOW64\nslookup.exe protection: readonly
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Section loaded: C:\ProgramData\zkgzol.png target: C:\Windows\SysWOW64\nslookup.exe protection: readonly
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\30634.exe | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\System32\nslookup.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\System32\nslookup.exe

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A353CB cpuid | 0_2_72A353CB
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_72A3C2AB ___initmbctable,_strlen,__calloc_crt,_strlen,__calloc_crt,_free,_free,__invoke_watson,GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_72A3C2AB
Contains functionality to query windows version
Source: C:\Users\user\Desktop\30634.exe | Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_004034A5

Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match | File source: 00000000.00000002.1280294789.0000000000620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1404585609.00000000074E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ProsoftKck.exe PID: 2296, type: MEMORY
Source: Yara match | File source: dropped/zkgzol.png, type: DROPPED
Source: Yara match | File source: C:\ProgramData\zkgzol.png, type: DROPPED
Source: Yara match | File source: 0.2.30634.exe.620000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ProsoftKck.exe.74e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ProsoftKck.exe.74e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.30634.exe.620000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match | File source: 00000000.00000002.1280294789.0000000000620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1404585609.00000000074E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ProsoftKck.exe PID: 2296, type: MEMORY
Source: Yara match | File source: dropped/zkgzol.png, type: DROPPED
Source: Yara match | File source: C:\ProgramData\zkgzol.png, type: DROPPED
Source: Yara match | File source: 0.2.30634.exe.620000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ProsoftKck.exe.74e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ProsoftKck.exe.74e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.30634.exe.620000.2.raw.unpack, type: UNPACKEDPE

Malware Configuration

No configs have been found

Behavior Graph


Simulations

Behavior and APIs

Time | Type | Description
13:43:33 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT87A6.tmp
13:43:35 | API Interceptor | 590x Sleep call for process: nslookup.exe modified
13:43:46 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProsoftKck.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
30634.exe | 69% | Virustotal |
30634.exe | 84% | ReversingLabs | Win32.Trojan.Remcos
30634.exe | 100% | Avira | TR/AD.Remcos.ifaau

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\aaa.dll | 100% | Avira | TR/Agent.wlufu
C:\ProgramData\zkgzol.png | 100% | Avira | BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\aaa.dll | 100% | Joe Sandbox ML |
C:\ProgramData\zkgzol.png | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\aaa.dll | 20% | Virustotal |
C:\Users\user\AppData\Local\Temp\aaa.dll | 70% | ReversingLabs | Win32.Trojan.Injector
C:\Users\user\AppData\Local\Temp\nsd2909.tmp\System.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\nsd2909.tmp\System.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsy588.tmp\System.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\nsy588.tmp\System.dll | 0% | Metadefender |

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.ProsoftKck.exe.74e0000.2.unpack | 100% | Avira | BDS/Backdoor.Gen
0.2.30634.exe.620000.2.unpack | 100% | Avira | BDS/Backdoor.Gen

Domains

Source | Detection | Scanner | Label
xyz345.spdns.de | 7% | Virustotal |

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author | Strings
dropped/zkgzol.png | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
C:\ProgramData\zkgzol.png | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
dropped/zkgzol.png | REMCOS_RAT_variants | unknown | unknown |
  • 0x157ac:$str_a1: C:\Windows\System32\cmd.exe
  • 0x15470:$str_a2: C:\WINDOWS\system32\userinit.exe
  • 0x157c8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x157c8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x14d80:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x154fc:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x14964:$str_b2: Executing file:
  • 0x1584c:$str_b3: GetDirectListeningPort
  • 0x152bc:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x15598:$str_b6: \restart.vbs
  • 0x154e4:$str_b7: \update.vbs
  • 0x1543c:$str_b8: \uninstall.vbs
  • 0x14920:$str_b9: Downloaded file:
  • 0x14934:$str_b10: Downloading file:
  • 0x14690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x14980:$str_b12: Failed to upload file:
  • 0x1588c:$str_b13: StartForward
  • 0x15870:$str_b14: StopForward
  • 0x153ac:$str_b15: fso.DeleteFile "
  • 0x15410:$str_b16: On Error Resume Next
  • 0x15378:$str_b17: fso.DeleteFolder "
C:\ProgramData\zkgzol.png | REMCOS_RAT_variants | unknown | unknown |
  • 0x157ac:$str_a1: C:\Windows\System32\cmd.exe
  • 0x15470:$str_a2: C:\WINDOWS\system32\userinit.exe
  • 0x157c8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x157c8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x14d80:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x154fc:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x14964:$str_b2: Executing file:
  • 0x1584c:$str_b3: GetDirectListeningPort
  • 0x152bc:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x15598:$str_b6: \restart.vbs
  • 0x154e4:$str_b7: \update.vbs
  • 0x1543c:$str_b8: \uninstall.vbs
  • 0x14920:$str_b9: Downloaded file:
  • 0x14934:$str_b10: Downloading file:
  • 0x14690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x14980:$str_b12: Failed to upload file:
  • 0x1588c:$str_b13: StartForward
  • 0x15870:$str_b14: StopForward
  • 0x153ac:$str_b15: fso.DeleteFile "
  • 0x15410:$str_b16: On Error Resume Next
  • 0x15378:$str_b17: fso.DeleteFolder "

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1280294789.0000000000620000.00000004.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000002.1280294789.0000000000620000.00000004.00000001.sdmp | REMCOS_RAT_variants | unknown | unknown |
  • 0x157ac:$str_a1: C:\Windows\System32\cmd.exe
  • 0x15470:$str_a2: C:\WINDOWS\system32\userinit.exe
  • 0x157c8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x157c8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x14d80:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x154fc:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x14964:$str_b2: Executing file:
  • 0x1584c:$str_b3: GetDirectListeningPort
  • 0x152bc:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x15598:$str_b6: \restart.vbs
  • 0x154e4:$str_b7: \update.vbs
  • 0x1543c:$str_b8: \uninstall.vbs
  • 0x14920:$str_b9: Downloaded file:
  • 0x14934:$str_b10: Downloading file:
  • 0x14690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x14980:$str_b12: Failed to upload file:
  • 0x1588c:$str_b13: StartForward
  • 0x15870:$str_b14: StopForward
  • 0x153ac:$str_b15: fso.DeleteFile "
  • 0x15410:$str_b16: On Error Resume Next
  • 0x15378:$str_b17: fso.DeleteFolder "
00000002.00000002.1404585609.00000000074E0000.00000004.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000002.00000002.1404585609.00000000074E0000.00000004.00000001.sdmp | REMCOS_RAT_variants | unknown | unknown |
  • 0x157ac:$str_a1: C:\Windows\System32\cmd.exe
  • 0x15470:$str_a2: C:\WINDOWS\system32\userinit.exe
  • 0x157c8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x157c8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x14d80:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x154fc:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x14964:$str_b2: Executing file:
  • 0x1584c:$str_b3: GetDirectListeningPort
  • 0x152bc:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x15598:$str_b6: \restart.vbs
  • 0x154e4:$str_b7: \update.vbs
  • 0x1543c:$str_b8: \uninstall.vbs
  • 0x14920:$str_b9: Downloaded file:
  • 0x14934:$str_b10: Downloading file:
  • 0x14690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x14980:$str_b12: Failed to upload file:
  • 0x1588c:$str_b13: StartForward
  • 0x15870:$str_b14: StopForward
  • 0x153ac:$str_b15: fso.DeleteFile "
  • 0x15410:$str_b16: On Error Resume Next
  • 0x15378:$str_b17: fso.DeleteFolder "
Process Memory Space: ProsoftKck.exe PID: 2296 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.30634.exe.620000.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0.2.30634.exe.620000.2.unpack | REMCOS_RAT_variants | unknown | unknown | strings listed below:
  • 0x157ac:$str_a1: C:\Windows\System32\cmd.exe
  • 0x15470:$str_a2: C:\WINDOWS\system32\userinit.exe
  • 0x157c8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x157c8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x14d80:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x154fc:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x14964:$str_b2: Executing file:
  • 0x1584c:$str_b3: GetDirectListeningPort
  • 0x152bc:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x15598:$str_b6: \restart.vbs
  • 0x154e4:$str_b7: \update.vbs
  • 0x1543c:$str_b8: \uninstall.vbs
  • 0x14920:$str_b9: Downloaded file:
  • 0x14934:$str_b10: Downloading file:
  • 0x14690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x14980:$str_b12: Failed to upload file:
  • 0x1588c:$str_b13: StartForward
  • 0x15870:$str_b14: StopForward
  • 0x153ac:$str_b15: fso.DeleteFile "
  • 0x15410:$str_b16: On Error Resume Next
  • 0x15378:$str_b17: fso.DeleteFolder "
2.2.ProsoftKck.exe.74e0000.2.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
2.2.ProsoftKck.exe.74e0000.2.raw.unpack | REMCOS_RAT_variants | unknown | unknown | strings listed below:
  • 0x157ac:$str_a1: C:\Windows\System32\cmd.exe
  • 0x15470:$str_a2: C:\WINDOWS\system32\userinit.exe
  • 0x157c8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x157c8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x14d80:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x154fc:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x14964:$str_b2: Executing file:
  • 0x1584c:$str_b3: GetDirectListeningPort
  • 0x152bc:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x15598:$str_b6: \restart.vbs
  • 0x154e4:$str_b7: \update.vbs
  • 0x1543c:$str_b8: \uninstall.vbs
  • 0x14920:$str_b9: Downloaded file:
  • 0x14934:$str_b10: Downloading file:
  • 0x14690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x14980:$str_b12: Failed to upload file:
  • 0x1588c:$str_b13: StartForward
  • 0x15870:$str_b14: StopForward
  • 0x153ac:$str_b15: fso.DeleteFile "
  • 0x15410:$str_b16: On Error Resume Next
  • 0x15378:$str_b17: fso.DeleteFolder "
2.2.ProsoftKck.exe.74e0000.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
2.2.ProsoftKck.exe.74e0000.2.unpack | REMCOS_RAT_variants | unknown | unknown | strings listed below:
  • 0x157ac:$str_a1: C:\Windows\System32\cmd.exe
  • 0x15470:$str_a2: C:\WINDOWS\system32\userinit.exe
  • 0x157c8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x157c8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x14d80:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x154fc:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x14964:$str_b2: Executing file:
  • 0x1584c:$str_b3: GetDirectListeningPort
  • 0x152bc:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x15598:$str_b6: \restart.vbs
  • 0x154e4:$str_b7: \update.vbs
  • 0x1543c:$str_b8: \uninstall.vbs
  • 0x14920:$str_b9: Downloaded file:
  • 0x14934:$str_b10: Downloading file:
  • 0x14690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x14980:$str_b12: Failed to upload file:
  • 0x1588c:$str_b13: StartForward
  • 0x15870:$str_b14: StopForward
  • 0x153ac:$str_b15: fso.DeleteFile "
  • 0x15410:$str_b16: On Error Resume Next
  • 0x15378:$str_b17: fso.DeleteFolder "
0.2.30634.exe.620000.2.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0.2.30634.exe.620000.2.raw.unpack | REMCOS_RAT_variants | unknown | unknown | strings listed below:
  • 0x157ac:$str_a1: C:\Windows\System32\cmd.exe
  • 0x15470:$str_a2: C:\WINDOWS\system32\userinit.exe
  • 0x157c8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x157c8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x14d80:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x154fc:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x14964:$str_b2: Executing file:
  • 0x1584c:$str_b3: GetDirectListeningPort
  • 0x152bc:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x15598:$str_b6: \restart.vbs
  • 0x154e4:$str_b7: \update.vbs
  • 0x1543c:$str_b8: \uninstall.vbs
  • 0x14920:$str_b9: Downloaded file:
  • 0x14934:$str_b10: Downloading file:
  • 0x14690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x14980:$str_b12: Failed to upload file:
  • 0x1588c:$str_b13: StartForward
  • 0x15870:$str_b14: StopForward
  • 0x153ac:$str_b15: fso.DeleteFile "
  • 0x15410:$str_b16: On Error Resume Next
  • 0x15378:$str_b17: fso.DeleteFolder "

                    Sigma Overview

                    No Sigma rule has matched

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

Match: unknown

Associated Sample Name / URL | Detection | Context
https://us4.campaign-archive.com/?u=ed789afcd6358ef0a492aaae3&id=6ae6fd1dad | malicious | 108.177.126.157
ChromeStandaloneSetup64.exe | malicious | 239.255.255.250
http://coronavirus-map.com | malicious | 52.222.172.81
http://prepaidgift.co/$wz$Vip72.exe | malicious | 104.31.82.54
https://jimmycheap.pw/download/qooqle_update.bat | malicious | 37.1.211.61
http://info.driverguidecdn.com/?v=1.03&c=59a98ea7&at=1219694231&cntr=0 | malicious | 52.18.92.253
fattura_28.xls | malicious | 192.168.2.255
Judgement_04222020_616.vbs | malicious | 156.239.159.218
http://pinangcitygroup.asia/wp-content/uploads/2020/04/docs_cgj/93646/Judgement_04222020_93646.zip | malicious | 58.84.43.65
https://storage.googleapis.com/anthrexs/windowsx.htm?email=ssantander@talgo.com | malicious | 104.27.186.182
dPviWx34BE.exe | malicious | 127.0.0.1
ATT77489.htm | malicious | 104.16.132.229
https://storage.googleapis.com/anthrexs/windowsx.htm?email=charan.t@ctrls.in | malicious | 104.27.186.182
http://iekaitori.net/kenjin/1/?&cm_mmca3=RICUGKOYXOVR4FFQ&cm_mmca1=UK&cm_mmca4=-1112170105&cm_mmc=AdieEmail_MKTG-_-Newsletter-_-_20180526_Interaction_All-_-Promo | malicious | 183.90.253.49
svhost.exe | malicious | 51.75.190.228
https://slack-redir.net/link?url=https%3A%2F%2Fsway.office.com%2FFiNfEBiO60JdRRzG%3Fref%3DLink&v=3&data=02|01|ross.harris@stockland.com.au|9ccd5251c38b451ddf1408d7e728d11c|931beaf228f34ca6a665563743d082fc|0|0|637232034909199441&sdata=9Vw2rwCHGwrQsRiJ2OYVkK3rGe/8hzIv7P5PUs1ZWR0=&reserved=0 | malicious | 52.114.128.9
https://1327torlaw.com/estate/invest/esq | malicious | 104.16.132.229
https://maurojanot.com.br/auUS.html | malicious | 192.185.216.143
http://u15039259.ct.sendgrid.net/ls/click?upn=TbT7oYPbzENTV1Uwoo2UIL9P47v-2FoJeQAXSGu-2BQhbLzqLjbhu7PCBYENsoi2fq6qzUxYyQqAd20zlSXbMvxToy-2B-2BT2SssjPB8FBjya3vRwRxcpuG-2FgThfCq2WJvDzRthWGjq_rmw3PVlMnB7-2BhrjO5-2BOy5V-2FlLeHCUQ34CYt7UaOBJh0wB1hR2yuMKf7URwuYvRVEOFFxI-2BAuzU5VYBEmTPAwwZFbuxZSgA-2BgUBvaRBAtOoL26ZZkc0wjWE5PlNLNgcrQmBcsk9n0CFME2JhvW5HXJWM3dSBrPIPGaxdCtgysaPU8E9Q9MCANXKrTc3OuEcw-2BRHgpty9ImTbWNcdpt73sy8FfViPnfQzWuKH-2FB1cDcMM-3D | malicious | 167.89.115.54
749dd3optoor.exe | malicious | 45.147.201.55

                    JA3 Fingerprints

                    No context

                    Dropped Files

Match: C:\Users\user\AppData\Local\Temp\nsy588.tmp\System.dll

Associated Sample Name / URL | Detection
f_001c3e.exe | malicious
f_000418.exe | malicious
FileZilla_3.47.2.1_win64_sponsored-setup.exe | malicious
f_000418.exe | malicious
file-info-install__19.exe | malicious
https://download.filezilla-project.org/client/FileZilla_3.47.2.1_win64_sponsored-setup.exe | malicious
FileZilla_3.47.1_win64_sponsored-setup.exe | malicious
filezilla_3.46.3_win64_sponsored-setup.exe | malicious
https://download.filezilla-project.org/client/FileZilla_3.47.1_win64_sponsored-setup.exe | malicious
FileZilla_3.46.3_win64_sponsored-setup.exe | malicious
Transaction_884773732_cryptocurrency.exe | malicious
FileZilla_3.46.3_win64_sponsored-setup (2).exe | malicious
https://download.filezilla-project.org/client/FileZilla_3.46.3_win64_sponsored-setup.exe | malicious
FileZilla_3.46.3_win32_sponsored-setup.exe | malicious
FileZilla_3.46.3_win64_sponsored-setup.exe | malicious
nhm_windows_1.9.2.20.exe | malicious
nhm_windows_1.9.2.21.exe | malicious
FileZilla_3.46.3_win32_sponsored-setup.exe | malicious
HJ43WVFWKP.exe | malicious
o45rYYL0gG.exe | malicious

Match: C:\Users\user\AppData\Local\Temp\nsd2909.tmp\System.dll

Associated Sample Name / URL | Detection
f_001c3e.exe | malicious
f_000418.exe | malicious
FileZilla_3.47.2.1_win64_sponsored-setup.exe | malicious
f_000418.exe | malicious
file-info-install__19.exe | malicious
https://download.filezilla-project.org/client/FileZilla_3.47.2.1_win64_sponsored-setup.exe | malicious
FileZilla_3.47.1_win64_sponsored-setup.exe | malicious
filezilla_3.46.3_win64_sponsored-setup.exe | malicious
https://download.filezilla-project.org/client/FileZilla_3.47.1_win64_sponsored-setup.exe | malicious
FileZilla_3.46.3_win64_sponsored-setup.exe | malicious
Transaction_884773732_cryptocurrency.exe | malicious
FileZilla_3.46.3_win64_sponsored-setup (2).exe | malicious
https://download.filezilla-project.org/client/FileZilla_3.46.3_win64_sponsored-setup.exe | malicious
FileZilla_3.46.3_win32_sponsored-setup.exe | malicious
FileZilla_3.46.3_win64_sponsored-setup.exe | malicious
nhm_windows_1.9.2.20.exe | malicious
nhm_windows_1.9.2.21.exe | malicious
FileZilla_3.46.3_win32_sponsored-setup.exe | malicious
HJ43WVFWKP.exe | malicious
o45rYYL0gG.exe | malicious

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.