Analysis Report CompanyLicense.exe

Overview

General Information

Sample Name: CompanyLicense.exe
Analysis ID: 341661
MD5: ace3e9fc3a2277aa4e72881c9f204642
SHA1: 50337a4aa52b65cac5fd2745c3fe7d88d503d00f
SHA256: c6cf35735aff0eba459a6a1f4b65722ba08dfb0beed54b0df8e9be3ec3edba98

Most interesting Screenshot:

Detection

Remcos GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Remcos
Yara detected GuLoader
Yara detected Remcos RAT
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Yara detected Remcos RAT
Source: Yara match File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY

Compliance:

barindex
Uses 32bit PE files
Source: CompanyLicense.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 185.140.53.253:2048
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.140.53.253 185.140.53.253
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: CompanyLicense.exe, 00000001.00000002.998526794.0000000000562000.00000040.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=3EA7AF3CF2A8B6E2&resid=3EA7AF3CF2A8B6E2%21118&authkey=AM5VKIx

E-Banking Fraud:

barindex
Yara detected Remcos RAT
Source: Yara match File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY

System Summary:

barindex
Contains functionality to call native functions
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A08D5 EnumWindows,NtSetInformationThread, 0_2_020A08D5
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A8B16 NtProtectVirtualMemory, 0_2_020A8B16
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A474B NtSetInformationThread, 0_2_020A474B
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A0D52 NtWriteVirtualMemory,TerminateProcess, 0_2_020A0D52
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A8E25 NtProtectVirtualMemory, 0_2_020A8E25
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A38A7 NtWriteVirtualMemory, 0_2_020A38A7
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A34CD NtWriteVirtualMemory, 0_2_020A34CD
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A36D0 NtWriteVirtualMemory, 0_2_020A36D0
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A0917 NtSetInformationThread, 0_2_020A0917
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A35EF NtWriteVirtualMemory, 0_2_020A35EF
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A35E2 NtWriteVirtualMemory, 0_2_020A35E2
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 1_2_00568B16 NtProtectVirtualMemory, 1_2_00568B16
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 1_2_00568EC6 NtSetInformationThread, 1_2_00568EC6
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 1_2_00569248 NtSetInformationThread, 1_2_00569248
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 1_2_0056910C NtSetInformationThread, 1_2_0056910C
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 1_2_00569436 NtSetInformationThread, 1_2_00569436
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 1_2_00568FE0 NtSetInformationThread, 1_2_00568FE0
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 1_2_005695B9 NtSetInformationThread, 1_2_005695B9
Detected potential crypto function
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_004041A1 0_2_004041A1
PE file contains strange resources
Source: CompanyLicense.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Internering2.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: CompanyLicense.exe, 00000000.00000002.667461596.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSKULPTURUDSTILLING.exe vs CompanyLicense.exe
Source: CompanyLicense.exe, 00000000.00000002.667883059.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs CompanyLicense.exe
Source: CompanyLicense.exe, 00000001.00000000.666580572.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSKULPTURUDSTILLING.exe vs CompanyLicense.exe
Source: CompanyLicense.exe, 00000001.00000002.1001890961.000000001DEF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs CompanyLicense.exe
Source: CompanyLicense.exe, 00000001.00000002.1001872713.000000001DDA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs CompanyLicense.exe
Source: CompanyLicense.exe Binary or memory string: OriginalFilenameSKULPTURUDSTILLING.exe vs CompanyLicense.exe
Uses 32bit PE files
Source: CompanyLicense.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/3@74/2
Source: C:\Users\user\Desktop\CompanyLicense.exe File created: C:\Users\user\AppData\Roaming\remcos Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Mutant created: \Sessions\1\BaseNamedObjects\idle-C625D6
Source: C:\Users\user\Desktop\CompanyLicense.exe File created: C:\Users\user\AppData\Local\Temp\~DF35090EC034E56AF4.TMP Jump to behavior
Source: CompanyLicense.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CompanyLicense.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe File read: C:\Users\user\Desktop\CompanyLicense.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\CompanyLicense.exe 'C:\Users\user\Desktop\CompanyLicense.exe'
Source: unknown Process created: C:\Users\user\Desktop\CompanyLicense.exe 'C:\Users\user\Desktop\CompanyLicense.exe'
Source: C:\Users\user\Desktop\CompanyLicense.exe Process created: C:\Users\user\Desktop\CompanyLicense.exe 'C:\Users\user\Desktop\CompanyLicense.exe' Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.998526794.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY
Source: Yara match File source: Process Memory Space: CompanyLicense.exe PID: 5148, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY
Source: Yara match File source: Process Memory Space: CompanyLicense.exe PID: 5148, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_00405695 push edi; ret 0_2_0040569C
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A5757 push edi; ret 0_2_020A575A

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\CompanyLicense.exe File created: C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.exe Jump to dropped file

Boot Survival:

barindex
Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\CompanyLicense.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.vbs Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.vbs Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A0D52 NtWriteVirtualMemory,TerminateProcess, 0_2_020A0D52
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A0BD7 TerminateProcess, 0_2_020A0BD7
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\CompanyLicense.exe RDTSC instruction interceptor: First address: 0000000000562BFB second address: 0000000000562BFB instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\CompanyLicense.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: CompanyLicense.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\CompanyLicense.exe RDTSC instruction interceptor: First address: 0000000000562BFB second address: 0000000000562BFB instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A0D52 rdtsc 0_2_020A0D52
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\CompanyLicense.exe Window / User API: threadDelayed 930 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\CompanyLicense.exe TID: 6792 Thread sleep count: 930 > 30 Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe TID: 6792 Thread sleep time: -9300000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\CompanyLicense.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\CompanyLicense.exe Last function: Thread delayed
Source: CompanyLicense.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

barindex
Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A08D5 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,?,6DDC21B5,6DDB9555,?,321C9581,?,020A8349 0_2_020A08D5
Hides threads from debuggers
Source: C:\Users\user\Desktop\CompanyLicense.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\CompanyLicense.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A0D52 rdtsc 0_2_020A0D52
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A457E LdrInitializeThunk, 0_2_020A457E
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A2C10 mov eax, dword ptr fs:[00000030h] 0_2_020A2C10
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A2259 mov eax, dword ptr fs:[00000030h] 0_2_020A2259
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A2C7B mov eax, dword ptr fs:[00000030h] 0_2_020A2C7B
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A7679 mov eax, dword ptr fs:[00000030h] 0_2_020A7679
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A3CAD mov eax, dword ptr fs:[00000030h] 0_2_020A3CAD
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A833C mov eax, dword ptr fs:[00000030h] 0_2_020A833C
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 0_2_020A6F42 mov eax, dword ptr fs:[00000030h] 0_2_020A6F42
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 1_2_00566F42 mov eax, dword ptr fs:[00000030h] 1_2_00566F42
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 1_2_00567679 mov eax, dword ptr fs:[00000030h] 1_2_00567679
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 1_2_0056833C mov eax, dword ptr fs:[00000030h] 1_2_0056833C
Source: C:\Users\user\Desktop\CompanyLicense.exe Code function: 1_2_00563CAB mov eax, dword ptr fs:[00000030h] 1_2_00563CAB

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\CompanyLicense.exe Process created: C:\Users\user\Desktop\CompanyLicense.exe 'C:\Users\user\Desktop\CompanyLicense.exe' Jump to behavior
Source: CompanyLicense.exe, 00000001.00000002.998846227.0000000002527000.00000004.00000040.sdmp Binary or memory string: Program Manager
Source: CompanyLicense.exe, 00000001.00000002.998765960.0000000000FC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: CompanyLicense.exe, 00000001.00000002.998765960.0000000000FC0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: logs.dat.1.dr Binary or memory string: [ Program Manager ]
Source: CompanyLicense.exe, 00000001.00000002.998765960.0000000000FC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: CompanyLicense.exe, 00000001.00000002.998846227.0000000002527000.00000004.00000040.sdmp Binary or memory string: Program Managerrgo.org
Source: CompanyLicense.exe, 00000001.00000002.998846227.0000000002527000.00000004.00000040.sdmp Binary or memory string: Program Manager9

Stealing of Sensitive Information:

barindex
Yara detected Remcos RAT
Source: Yara match File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Remcos RAT
Source: Yara match File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 341661 Sample: CompanyLicense.exe Startdate: 19/01/2021 Architecture: WINDOWS Score: 100 21 sheilabeltagy3m.hopto.org 2->21 23 northside.hopto.org 2->23 31 Yara detected GuLoader 2->31 33 Yara detected Remcos RAT 2->33 35 Sigma detected: Remcos 2->35 37 2 other signatures 2->37 7 CompanyLicense.exe 1 2 2->7         started        signatures3 process4 signatures5 39 Creates autostart registry keys with suspicious values (likely registry only malware) 7->39 41 Contains functionality to detect hardware virtualization (CPUID execution measurement) 7->41 43 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 7->43 45 4 other signatures 7->45 10 CompanyLicense.exe 2 12 7->10         started        process6 dnsIp7 25 northside.hopto.org 185.140.53.253, 2048, 49731, 49732 DAVID_CRAIGGG Sweden 10->25 27 192.168.2.1 unknown unknown 10->27 29 4 other IPs or domains 10->29 15 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 10->15 dropped 17 C:\Users\user\AppData\...\Internering2.vbs, ASCII 10->17 dropped 19 C:\Users\user\AppData\...\Internering2.exe, PE32 10->19 dropped 47 Tries to detect Any.run 10->47 49 Hides threads from debuggers 10->49 file8 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.140.53.253
 unknown Sweden
209623 DAVID_CRAIGGG false

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
sheilabeltagy3m.hopto.org 185.140.53.253 true
northside.hopto.org 185.140.53.253 true
sqknbg.dm.files.1drv.com unknown unknown
onedrive.live.com unknown unknown