Play interactive tour

Edit tour

Analysis Report New Doc 20211401#_our new price.exe

Overview

General Information

Sample Name:	New Doc 20211401#_our new price.exe
Analysis ID:	342481
MD5:	14a7ac7e8a7cc68ee2040ea5f3bb145e
SHA1:	e7eabd570ec2dce1203d013a11599a8c627b527a
SHA256:	cb3e82e9c93c6b7b44dd782d26d22ad26f323176f8662642397d6d271754768d
Tags:	exenVpnRATRemcosRAT
Most interesting Screenshot:

Detection

Remcos GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected GuLoader

Contains functionality to hide a thread from the debugger

Creates autostart registry keys with suspicious values (likely registry only malware)

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected VB6 Downloader Generic

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

New Doc 20211401#_our new price.exe (PID: 6344 cmdline: 'C:\Users\user\Desktop\New Doc 20211401#_our new price.exe' MD5: 14A7AC7E8A7CC68EE2040EA5F3BB145E)

New Doc 20211401#_our new price.exe (PID: 6556 cmdline: 'C:\Users\user\Desktop\New Doc 20211401#_our new price.exe' MD5: 14A7AC7E8A7CC68EE2040EA5F3BB145E)

wscript.exe (PID: 7092 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

Indtastningsfacilitet.exe (PID: 5412 cmdline: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe MD5: 14A7AC7E8A7CC68EE2040EA5F3BB145E)

Indtastningsfacilitet.exe (PID: 1340 cmdline: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe MD5: 14A7AC7E8A7CC68EE2040EA5F3BB145E)

wscript.exe (PID: 6284 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

Indtastningsfacilitet.exe (PID: 3808 cmdline: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe MD5: 14A7AC7E8A7CC68EE2040EA5F3BB145E)

Indtastningsfacilitet.exe (PID: 6564 cmdline: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe MD5: 14A7AC7E8A7CC68EE2040EA5F3BB145E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.344016500.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000010.00000002.352919337.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: Indtastningsfacilitet.exe PID: 1340	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Indtastningsfacilitet.exe PID: 1340	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: Indtastningsfacilitet.exe PID: 3808	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Indtastningsfacilitet.exe PID: 3808	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: Indtastningsfacilitet.exe PID: 5412	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Indtastningsfacilitet.exe PID: 5412	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: New Doc 20211401#_our new price.exe PID: 6344	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: New Doc 20211401#_our new price.exe PID: 6344	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: Indtastningsfacilitet.exe PID: 6564	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Indtastningsfacilitet.exe PID: 6564	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Remcos

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe, ProcessId: 6556, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe

ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Show sources

Source: New Doc 20211401#_our new price.exe

ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files

Show sources

Source: New Doc 20211401#_our new price.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: oluchi.ddns.net

Source: global traffic

TCP traffic: 192.168.2.7:49726 -> 91.193.75.243:2405

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: Indtastningsfacilitet.exe, 0000000E.00000002.344883069.0000000000909000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digi
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344901282.000000000092D000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344901282.000000000092D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344901282.000000000092D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344844732.00000000008D5000.00000004.00000020.sdmp	String found in binary or memory: https://fkteua.db.files.1drv.com/
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344844732.00000000008D5000.00000004.00000020.sdmp, Indtastningsfacilitet.exe, 0000000E.00000002.344883069.0000000000909000.00000004.00000020.sdmp	String found in binary or memory: https://fkteua.db.files.1drv.com/y4m1K5aXO_hTJZwQ6sRUBeX3MwbIRGCEyLmUsy6a-Tv86ILmUxMJD16_BkowRYABW7o
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344883069.0000000000909000.00000004.00000020.sdmp, Indtastningsfacilitet.exe, 0000000E.00000002.344866328.00000000008F0000.00000004.00000020.sdmp	String found in binary or memory: https://fkteua.db.files.1drv.com/y4m7jo0uscLY3JGQOA8WNtz0kE6mECzmykD9EyNeCFL_ih_emej5aweglDZjRx1WKGH
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344796615.00000000008A7000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344844732.00000000008D5000.00000004.00000020.sdmp, Indtastningsfacilitet.exe, 0000000E.00000002.344883069.0000000000909000.00000004.00000020.sdmp, Indtastningsfacilitet.exe, 00000010.00000002.352919337.0000000000560000.00000040.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=A32AEA2B4355716B&resid=A32AEA2B4355716B%215171&authkey=APwe6-

System Summary:

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_021508B7 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_02158CE9 NtResumeThread,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_0215310A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_021587FD NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_02159012 NtResumeThread,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_02157088 NtSetInformationThread,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_021570B8 NtSetInformationThread,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_021536AE NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_021592AE NtResumeThread,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_021512DE NtSetInformationThread,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_021534F5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_02158CF3 NtResumeThread,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_021508EF NtSetInformationThread,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_021532EA NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_0215911A NtResumeThread,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_02158F0D NtResumeThread,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_02153187 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_02156DB9 NtSetInformationThread,
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_02158DF2 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_021408B7 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_02148CE9 NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_0214310A NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_021487FD NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_02149012 NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_02147088 NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_021470B8 NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_021436AE NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_021492AE NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_021412DE NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_021434F5 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_02148CF3 NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_021408EF NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_021432EA NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_0214911A NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_02148F0D NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_02143187 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_02146DB9 NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_02148DF2 NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_00568CE9 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_005608B7 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_005687FD NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_00569012 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_005612DE NtSetInformationThread,NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_00568CF3 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_005608EF NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_00567088 NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_005670B8 NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_005692AE NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_0056911A NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_00568F0D NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_00568DF2 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_00566DB9 NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F08B7 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F8CE9 NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F310A NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F87FD NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F9012 NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F7088 NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F70B8 NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F36AE NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F92AE NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F12DE NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F34F5 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F8CF3 NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F08EF NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F32EA NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F911A NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F8F0D NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F3187 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F6DB9 NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F8DF2 NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_00568CE9 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_005608B7 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_005687FD NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_00569012 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_005612DE NtSetInformationThread,NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_00568CF3 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_005608EF NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_00567088 NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_005670B8 NtSetInformationThread,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_005692AE NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_0056911A NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_00568F0D NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_00568DF2 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_00566DB9 NtSetInformationThread,

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

Code function: 0_2_004041D8

Source: New Doc 20211401#_our new price.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Indtastningsfacilitet.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: New Doc 20211401#_our new price.exe, 00000000.00000000.254304802.0000000000415000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBindsaalerne.exe vs New Doc 20211401#_our new price.exe
Source: New Doc 20211401#_our new price.exe, 00000000.00000002.273121164.0000000002140000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs New Doc 20211401#_our new price.exe
Source: New Doc 20211401#_our new price.exe, 00000002.00000000.271623707.0000000000415000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBindsaalerne.exe vs New Doc 20211401#_our new price.exe
Source: New Doc 20211401#_our new price.exe	Binary or memory string: OriginalFilenameBindsaalerne.exe vs New Doc 20211401#_our new price.exe

Source: New Doc 20211401#_our new price.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/3@13/2

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-MNA1IV

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF089D9D5C2295B640.TMP

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs'

Source: New Doc 20211401#_our new price.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: New Doc 20211401#_our new price.exe

ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

File read: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe 'C:\Users\user\Desktop\New Doc 20211401#_our new price.exe'
Source: unknown	Process created: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe 'C:\Users\user\Desktop\New Doc 20211401#_our new price.exe'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Process created: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe 'C:\Users\user\Desktop\New Doc 20211401#_our new price.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000000E.00000002.344016500.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.352919337.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Indtastningsfacilitet.exe PID: 1340, type: MEMORY
Source: Yara match	File source: Process Memory Space: Indtastningsfacilitet.exe PID: 3808, type: MEMORY
Source: Yara match	File source: Process Memory Space: Indtastningsfacilitet.exe PID: 5412, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Doc 20211401#_our new price.exe PID: 6344, type: MEMORY
Source: Yara match	File source: Process Memory Space: Indtastningsfacilitet.exe PID: 6564, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match	File source: Process Memory Space: Indtastningsfacilitet.exe PID: 1340, type: MEMORY
Source: Yara match	File source: Process Memory Space: Indtastningsfacilitet.exe PID: 3808, type: MEMORY
Source: Yara match	File source: Process Memory Space: Indtastningsfacilitet.exe PID: 5412, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Doc 20211401#_our new price.exe PID: 6344, type: MEMORY
Source: Yara match	File source: Process Memory Space: Indtastningsfacilitet.exe PID: 6564, type: MEMORY

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_00406A5D push esp; retf
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_0040701C push edx; retn 0035h
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_00406830 push 0000007Eh; retf 0016h
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_004064D8 push 00000014h; retf 0010h
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_004052E0 push 0000007Eh; retf
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_004018AE push ds; ret
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_00406D74 push 0000007Eh; retf 0016h
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_02155AE1 push 01D18579h; retf
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_02145AE1 push 01D18579h; retf
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_00565AE1 push 01D18579h; retf
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F5AE1 push 01D18579h; retf
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_00565AE1 push 01D18579h; retf

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

File created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe

Jump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)

Show sources

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Brandsson C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs			Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Brandsson C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs			Jump to behavior

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Brandsson	Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Brandsson	Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Brandsson	Jump to behavior
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Brandsson	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Indtastningsfacilitet.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

Code function: 0_2_02157802 rdtsc

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

Window / User API: threadDelayed 602

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe TID: 5968	Thread sleep count: 602 > 30
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe TID: 5968	Thread sleep time: -6020000s >= -30000s

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Last function: Thread delayed

Source: Indtastningsfacilitet.exe, 0000000E.00000002.344796615.00000000008A7000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWx
Source: Indtastningsfacilitet.exe, 0000000E.00000002.344866328.00000000008F0000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: Indtastningsfacilitet.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

Code function: 0_2_021508B7 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,0215074C

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

Code function: 0_2_02157802 rdtsc

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe

Code function: 0_2_02154D2A LdrInitializeThunk,

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_02152A8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_021520DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_02153B0D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_0215812E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_02156D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Code function: 0_2_02157391 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_02142A8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_021420DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_02143B0D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_0214812E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_02146D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 12_2_02147391 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_00562A8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_005620DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_00566D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_00563B0D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_0056812E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 14_2_00567391 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F2A8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F3B0D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F812E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F6D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 15_2_021F7391 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_00562A8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_005620DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_00566D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_00563B0D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_0056812E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Code function: 16_2_00567391 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe	Process created: C:\Users\user\Desktop\New Doc 20211401#_our new price.exe 'C:\Users\user\Desktop\New Doc 20211401#_our new price.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Source: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	Process created: C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe

Source: logs.dat.2.dr	Binary or memory string: [ Program Manager ]
Source: New Doc 20211401#_our new price.exe, 00000002.00000003.454251663.000000001E842000.00000004.00000001.sdmp	Binary or memory string: \|Program Manager\|

Language, Device and Operating System Detection:

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality:

Detected Remcos RAT

Show sources

Source: Indtastningsfacilitet.exe, 0000000E.00000002.344844732.00000000008D5000.00000004.00000020.sdmp

String found in binary or memory: Remcos_Mutex_InjSI:,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Registry Run Keys / Startup Folder11	Process Injection12	Masquerading1	OS Credential Dumping	Security Software Discovery521	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Virtualization/Sandbox Evasion22	LSASS Memory	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting11	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
New Doc 20211401#_our new price.exe	13%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe	13%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
oluchi.ddns.net	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl3.digi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
oluchi.ddns.net	91.193.75.243	true	true	1%, Virustotal, Browse	unknown
g.msn.com	unknown	unknown	false		high
onedrive.live.com	unknown	unknown	false		high
fkteua.db.files.1drv.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://fkteua.db.files.1drv.com/	Indtastningsfacilitet.exe, 0000000E.00000002.344844732.00000000008D5000.00000004.00000020.sdmp	false		high
https://onedrive.live.com/download?cid=A32AEA2B4355716B&resid=A32AEA2B4355716B%215171&authkey=APwe6-	Indtastningsfacilitet.exe, 0000000E.00000002.344844732.00000000008D5000.00000004.00000020.sdmp, Indtastningsfacilitet.exe, 0000000E.00000002.344883069.0000000000909000.00000004.00000020.sdmp, Indtastningsfacilitet.exe, 00000010.00000002.352919337.0000000000560000.00000040.00000001.sdmp	false		high
http://crl3.digi	Indtastningsfacilitet.exe, 0000000E.00000002.344883069.0000000000909000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://fkteua.db.files.1drv.com/y4m1K5aXO_hTJZwQ6sRUBeX3MwbIRGCEyLmUsy6a-Tv86ILmUxMJD16_BkowRYABW7o	Indtastningsfacilitet.exe, 0000000E.00000002.344844732.00000000008D5000.00000004.00000020.sdmp, Indtastningsfacilitet.exe, 0000000E.00000002.344883069.0000000000909000.00000004.00000020.sdmp	false		high
https://onedrive.live.com/	Indtastningsfacilitet.exe, 0000000E.00000002.344796615.00000000008A7000.00000004.00000020.sdmp	false		high
https://fkteua.db.files.1drv.com/y4m7jo0uscLY3JGQOA8WNtz0kE6mECzmykD9EyNeCFL_ih_emej5aweglDZjRx1WKGH	Indtastningsfacilitet.exe, 0000000E.00000002.344883069.0000000000909000.00000004.00000020.sdmp, Indtastningsfacilitet.exe, 0000000E.00000002.344866328.00000000008F0000.00000004.00000020.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.193.75.243	unknown	Serbia		209623	DAVID_CRAIGGG	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	342481
Start date:	21.01.2021
Start time:	07:22:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 18s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	New Doc 20211401#_our new price.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@13/3@13/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 40.7% (good quality ratio 27.5%) Quality average: 39.3% Quality standard deviation: 31.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 92.122.145.220, 2.20.84.85, 13.64.90.137, 13.107.42.13, 13.107.42.12, 205.185.216.10, 205.185.216.42, 51.103.5.159, 51.11.168.160, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 52.142.114.176 Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, vip1-par02p.wns.notify.trafficmanager.net, l-0004.l-msedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, odc-db-files-geo.onedrive.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, odc-db-files-brs.onedrive.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, odc-db-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing network information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:24:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Brandsson C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs
07:24:13	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Brandsson C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs
07:24:14	API Interceptor	1117x Sleep call for process: New Doc 20211401#_our new price.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
oluchi.ddns.net	RE INCOICE AGAINST INV NO. EX-00120-21 SUPPLY.js	Get hash	malicious	Browse	185.165.153.189
oluchi.ddns.net	Bank Details Changed..exe	Get hash	malicious	Browse	185.244.30.82

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	company profile.exe	Get hash	malicious	Browse	185.140.53.227
	NEWORDERrefno0992883jpg.exe	Get hash	malicious	Browse	185.140.53.253
	richiealvin.exe	Get hash	malicious	Browse	91.193.75.185
	Quotation.exe	Get hash	malicious	Browse	185.140.53.154
	DHL Delivery Shipping Cargo. Pdf.exe	Get hash	malicious	Browse	185.244.30.18
	CompanyLicense.exe	Get hash	malicious	Browse	185.140.53.253
	Purchase Order 2094742424.exe	Get hash	malicious	Browse	185.244.30.132
	PURCHASE OREDER. PRINT. pdf.exe	Get hash	malicious	Browse	91.193.75.45
	PO.exe	Get hash	malicious	Browse	185.140.53.234
	SWIFT.exe	Get hash	malicious	Browse	185.140.53.154
	SecuriteInfo.com.BScope.Trojan-Dropper.Injector.exe	Get hash	malicious	Browse	185.140.53.234
	PROOF OF PAYMENT.exe	Get hash	malicious	Browse	185.140.53.131
	Orden n.#U00ba STL21119, pdf.exe	Get hash	malicious	Browse	185.140.53.129
	Proof of Payment.exe	Get hash	malicious	Browse	185.244.30.51
	DxCHoDnNLn.exe	Get hash	malicious	Browse	185.140.53.202
	T7gzTHDZ7g.rtf	Get hash	malicious	Browse	185.140.53.202
	PO - 2021-000511.exe	Get hash	malicious	Browse	185.244.30.69
	PO AR483-1590436 _ J-3000 PROJT.xlsx	Get hash	malicious	Browse	185.140.53.202
	Qotation.exe	Get hash	malicious	Browse	185.140.53.154
	PO - 2021-000511.exe	Get hash	malicious	Browse	185.244.30.69

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe Download File
Process:	C:\Users\user\Desktop\New Doc 20211401#_our new price.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	5.474945438388249
Encrypted:	false
SSDEEP:	1536:Go4qgC1Zc5NDyFCG1Pc+HdNW2XLnolNIj:Gop1+5N+FCG1PcmN/Lnkmj
MD5:	14A7AC7E8A7CC68EE2040EA5F3BB145E
SHA1:	E7EABD570EC2DCE1203D013A11599A8C627B527A
SHA-256:	CB3E82E9C93C6B7B44DD782D26D22AD26F323176F8662642397D6D271754768D
SHA-512:	AD59B75BBF9CAEA440CB8F45CCE3B6107DB9898455F017265F110AE3EDC510BB20EDD4F9A506D4C28A890FB11B006D1A2503C20FB18D3BFD6358B155880DDEE4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........I...................................Rich............................PE..L...W~xY................. ...`...............0....@.................................d.......................................4...(....P..T>..................................................................8... ....................................text............ .................. ..`.data........0.......0..............@....rsrc...T>...P...@...@..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs Download File
Process:	C:\Users\user\Desktop\New Doc 20211401#_our new price.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	136
Entropy (8bit):	4.879301401273559
Encrypted:	false
SSDEEP:	3:jfF+m8nhvF3mRD0nacwRE2J5xAIPAo+sLBRovI7LVM:jFqhv9IcNwi23fPA4WvI7C
MD5:	1E014CCA5D292FE677817619DD7BA4ED
SHA1:	A612539B648CD9D37A324E01B105EF4242D94490
SHA-256:	227669767DAA3DA8A3AF893A3F8AA79657D4E28E2217E55292AD21432C7A57E7
SHA-512:	F0BC257DA14376A67FA889319CCC7FF2C1EE42885593F9AEDFA2DDB06548F3245B0E38E9389D4DEEF0299B3CF5C38EEFF263C3D318F90F85139C73A074788FA6
Malicious:	true
Reputation:	low
Preview:	Set W = CreateObject("WScript.Shell")..Set C = W.Exec ("C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe")

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Users\user\Desktop\New Doc 20211401#_our new price.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.670712042265206
Encrypted:	false
SSDEEP:	3:ttU6fJMLrA4RXMRPHv33a1oy1aeo:tmeJM/XqdHv3qNIP
MD5:	E52EAA341FF027445F564DBC59F6BDC7
SHA1:	78FB89DA6B341E7E7FA4C8C7096B1A7CFAA80841
SHA-256:	AE36F5D7C06B608DB31D0F5F3F4ACBF0E839EE58C6615ADC29AAC79BF237895D
SHA-512:	56D6D9BA4C075E725650E248DDBECCECB2855E23834BC4F7F9B0615505FDBB12DAFDD551B943DEB2F46BBBBA4DE6F7EE688BB364A2E5DE76265EC0956BE28A2D
Malicious:	true
Reputation:	low
Preview:	..[2021/01/21 07:24:14 Offline Keylogger Started]....[ Run ]....[ Program Manager ]..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.474945438388249
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	New Doc 20211401#_our new price.exe
File size:	98304
MD5:	14a7ac7e8a7cc68ee2040ea5f3bb145e
SHA1:	e7eabd570ec2dce1203d013a11599a8c627b527a
SHA256:	cb3e82e9c93c6b7b44dd782d26d22ad26f323176f8662642397d6d271754768d
SHA512:	ad59b75bbf9caea440cb8f45cce3b6107db9898455f017265f110ae3edc510bb20edd4f9a506d4c28a890fb11b006d1a2503c20fb18d3bfd6358b155880ddee4
SSDEEP:	1536:Go4qgC1Zc5NDyFCG1Pc+HdNW2XLnolNIj:Gop1+5N+FCG1PcmN/Lnkmj
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........I....................................Rich............................PE..L...W~xY................. ...`...............0....@

File Icon


Icon Hash:	0919914f4707077b

Static PE Info

General
Entrypoint:	0x401480
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x59787E57 [Wed Jul 26 11:34:47 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cdaaae34b462dd94bb47458bdb1adef4

Entrypoint Preview

Instruction
push 0040280Ch
call 00007F26E0A66113h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], ch
mov esp, 5DC5F02Ch
inc esp
mov ecx, FF485C66h
sahf
sbb eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax-56h], ah
adc al, 03h
push eax
insb
jns 00007F26E0A66185h
outsd
jnc 00007F26E0A66183h
jne 00007F26E0A66194h
cmp byte ptr [eax], al
and byte ptr [eax], cl
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add eax, D1D43FADh
movsb
fild dword ptr [edx+43h]
mov ch, 4Dh
imul ebp, dword ptr [edi+eax*4-49h], 09h
scasb
sahf
add esi, ebp
cmc
cld
cmp eax, edi
inc edx
mov dword ptr [4C513B13h], eax
call 00007F272FE0F95Bh
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
test eax, CD000010h
sldt word ptr [eax]
add byte ptr [esi], cl
add byte ptr [eax+72h], dl
outsd
arpl word ptr [ebp+72h], si
popad
je 00007F26E0A66191h
jc 00007F26E0A66183h
je 00007F26E0A66187h
add byte ptr [56000C01h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11c34	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x3e54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x118	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x110d0	0x12000	False	0.337483723958	data	5.46471413927	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x13000	0x1598	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x15000	0x3e54	0x4000	False	0.405029296875	data	5.81847534661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x15148	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x155b0	0x10a8	data
RT_ICON	0x16658	0x25a8	data
RT_GROUP_ICON	0x18c00	0x30	data
RT_VERSION	0x18c30	0x224	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaI2Str, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Bindsaalerne
FileVersion	1.00
CompanyName	Above
ProductName	Pelycosaur8
ProductVersion	1.00
OriginalFilename	Bindsaalerne.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2021 07:24:14.521344900 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:17.674045086 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:23.785506010 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:24.070239067 CET	2405	49726	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:24.070379972 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:24.071430922 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:27.146111012 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:27.331531048 CET	2405	49726	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:27.331631899 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:27.441579103 CET	2405	49726	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:27.520848989 CET	2405	49726	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:27.604600906 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:27.950588942 CET	2405	49726	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:32.523847103 CET	2405	49726	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:32.525665998 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:33.272695065 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:33.417449951 CET	2405	49726	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:33.541630030 CET	2405	49726	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:37.528942108 CET	2405	49726	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:37.538995028 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:38.286729097 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:38.621501923 CET	2405	49726	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:38.966265917 CET	2405	49726	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:42.518316031 CET	2405	49726	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:42.520317078 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:42.970196009 CET	2405	49726	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:43.176753044 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:43.177746058 CET	49726	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:43.669768095 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:43.669859886 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:43.672858953 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.196091890 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.196216106 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.197123051 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.197138071 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.197218895 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.477375984 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.477416039 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.477473974 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.477519035 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.481142998 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.481252909 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.489509106 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.489603996 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.490221977 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.490330935 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.496974945 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.497056007 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.498100996 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.498131037 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.498182058 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.498223066 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.772279978 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.772394896 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.776206017 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.777057886 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.777105093 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.777169943 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:44.780019999 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.782233953 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.783164978 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.784903049 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.789169073 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.792277098 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.797346115 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.798115969 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.799463034 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.802153111 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.805254936 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.818996906 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:44.819020033 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:45.337050915 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:45.337080956 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:45.350132942 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:45.355755091 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:45.399606943 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:45.451910973 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:45.648607016 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:45.656327963 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:45.656466007 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:46.255831957 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:46.256135941 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:46.259340048 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:46.259440899 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:46.262399912 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:46.262494087 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:46.274549007 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:46.274590015 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:46.274607897 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:46.274641037 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:46.274684906 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:46.274861097 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:46.685617924 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:46.685642004 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:46.686506987 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:46.686530113 CET	2405	49735	91.193.75.243	192.168.2.7
Jan 21, 2021 07:24:46.686661005 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:46.686722994 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:46.686799049 CET	49735	2405	192.168.2.7	91.193.75.243
Jan 21, 2021 07:24:46.686827898 CET	49735	2405	192.168.2.7	91.193.75.243

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 21, 2021 07:24:12.932408094 CET	192.168.2.7	8.8.8.8	0xd46a	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Jan 21, 2021 07:24:13.960990906 CET	192.168.2.7	8.8.8.8	0xd76e	Standard query (0)	fkteua.db.files.1drv.com	A (IP address)	IN (0x0001)
Jan 21, 2021 07:24:14.459875107 CET	192.168.2.7	8.8.8.8	0xca13	Standard query (0)	oluchi.ddns.net	A (IP address)	IN (0x0001)
Jan 21, 2021 07:24:33.119712114 CET	192.168.2.7	8.8.8.8	0x914c	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Jan 21, 2021 07:24:34.629179001 CET	192.168.2.7	8.8.8.8	0xa76a	Standard query (0)	fkteua.db.files.1drv.com	A (IP address)	IN (0x0001)
Jan 21, 2021 07:24:39.444567919 CET	192.168.2.7	8.8.8.8	0xd188	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Jan 21, 2021 07:24:40.098330975 CET	192.168.2.7	8.8.8.8	0xb18	Standard query (0)	fkteua.db.files.1drv.com	A (IP address)	IN (0x0001)
Jan 21, 2021 07:25:44.243402004 CET	192.168.2.7	8.8.8.8	0x52f2	Standard query (0)	g.msn.com	A (IP address)	IN (0x0001)
Jan 21, 2021 07:26:29.045977116 CET	192.168.2.7	8.8.8.8	0xec3f	Standard query (0)	oluchi.ddns.net	A (IP address)	IN (0x0001)
Jan 21, 2021 07:26:40.572093964 CET	192.168.2.7	8.8.8.8	0xf343	Standard query (0)	oluchi.ddns.net	A (IP address)	IN (0x0001)
Jan 21, 2021 07:26:43.713131905 CET	192.168.2.7	8.8.8.8	0x2d01	Standard query (0)	oluchi.ddns.net	A (IP address)	IN (0x0001)
Jan 21, 2021 07:26:46.916858912 CET	192.168.2.7	8.8.8.8	0x4b6d	Standard query (0)	oluchi.ddns.net	A (IP address)	IN (0x0001)
Jan 21, 2021 07:26:49.918509007 CET	192.168.2.7	8.8.8.8	0xee6	Standard query (0)	oluchi.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 21, 2021 07:24:12.983098984 CET	8.8.8.8	192.168.2.7	0xd46a	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 07:24:14.069500923 CET	8.8.8.8	192.168.2.7	0xd76e	No error (0)	fkteua.db.files.1drv.com	db-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 07:24:14.069500923 CET	8.8.8.8	192.168.2.7	0xd76e	No error (0)	db-files.fe.1drv.com	odc-db-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 07:24:14.520232916 CET	8.8.8.8	192.168.2.7	0xca13	No error (0)	oluchi.ddns.net		91.193.75.243	A (IP address)	IN (0x0001)
Jan 21, 2021 07:24:33.176738024 CET	8.8.8.8	192.168.2.7	0x914c	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 07:24:34.709955931 CET	8.8.8.8	192.168.2.7	0xa76a	No error (0)	fkteua.db.files.1drv.com	db-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 07:24:34.709955931 CET	8.8.8.8	192.168.2.7	0xa76a	No error (0)	db-files.fe.1drv.com	odc-db-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 07:24:39.492403984 CET	8.8.8.8	192.168.2.7	0xd188	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 07:24:40.157777071 CET	8.8.8.8	192.168.2.7	0xb18	No error (0)	fkteua.db.files.1drv.com	db-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 07:24:40.157777071 CET	8.8.8.8	192.168.2.7	0xb18	No error (0)	db-files.fe.1drv.com	odc-db-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 07:25:44.310305119 CET	8.8.8.8	192.168.2.7	0x52f2	No error (0)	g.msn.com	g-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 07:26:29.106426001 CET	8.8.8.8	192.168.2.7	0xec3f	No error (0)	oluchi.ddns.net		91.193.75.243	A (IP address)	IN (0x0001)
Jan 21, 2021 07:26:40.628381968 CET	8.8.8.8	192.168.2.7	0xf343	No error (0)	oluchi.ddns.net		91.193.75.243	A (IP address)	IN (0x0001)
Jan 21, 2021 07:26:43.771128893 CET	8.8.8.8	192.168.2.7	0x2d01	No error (0)	oluchi.ddns.net		91.193.75.243	A (IP address)	IN (0x0001)
Jan 21, 2021 07:26:46.972825050 CET	8.8.8.8	192.168.2.7	0x4b6d	No error (0)	oluchi.ddns.net		91.193.75.243	A (IP address)	IN (0x0001)
Jan 21, 2021 07:26:49.975899935 CET	8.8.8.8	192.168.2.7	0xee6	No error (0)	oluchi.ddns.net		91.193.75.243	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: New Doc 20211401#_our new price.exe PID: 6344 Parent PID: 5712

General

Start time:	07:23:54
Start date:	21/01/2021
Path:	C:\Users\user\Desktop\New Doc 20211401#_our new price.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\New Doc 20211401#_our new price.exe'
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	14A7AC7E8A7CC68EE2040EA5F3BB145E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: New Doc 20211401#_our new price.exe PID: 6556 Parent PID: 6344

General

Start time:	07:24:02
Start date:	21/01/2021
Path:	C:\Users\user\Desktop\New Doc 20211401#_our new price.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\New Doc 20211401#_our new price.exe'
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	14A7AC7E8A7CC68EE2040EA5F3BB145E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: wscript.exe PID: 7092 Parent PID: 3292

General

Start time:	07:24:13
Start date:	21/01/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs'
Imagebase:	0x7ff7d50e0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Indtastningsfacilitet.exe PID: 5412 Parent PID: 7092

General

Start time:	07:24:15
Start date:	21/01/2021
Path:	C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	14A7AC7E8A7CC68EE2040EA5F3BB145E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 13%, ReversingLabs
Reputation:	low

Analysis Process: wscript.exe PID: 6284 Parent PID: 3292

General

Start time:	07:24:21
Start date:	21/01/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.vbs'
Imagebase:	0x7ff7d50e0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Indtastningsfacilitet.exe PID: 1340 Parent PID: 5412

General

Start time:	07:24:22
Start date:	21/01/2021
Path:	C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	14A7AC7E8A7CC68EE2040EA5F3BB145E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000E.00000002.344016500.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: Indtastningsfacilitet.exe PID: 3808 Parent PID: 6284

General

Start time:	07:24:23
Start date:	21/01/2021
Path:	C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	14A7AC7E8A7CC68EE2040EA5F3BB145E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: Indtastningsfacilitet.exe PID: 6564 Parent PID: 3808

General

Start time:	07:24:32
Start date:	21/01/2021
Path:	C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Strikkebgernes\Indtastningsfacilitet.exe
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	14A7AC7E8A7CC68EE2040EA5F3BB145E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000010.00000002.352919337.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report New Doc 20211401#_our new price.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

Behavior

System Behavior