flash

bXgrbzqGSj.exe

Status: finished
Submission Time: 08.05.2020 00:56:26
Malicious
Trojan
Evader
Remcos

Comments

Tags

Details

  • Analysis ID:
    228480
  • API (Web) ID:
    353401
  • Analysis Started:
    08.05.2020 00:56:27
  • Analysis Finished:
    08.05.2020 01:07:45
  • MD5:
    f713b15ddec50f384069281b1e1a14df
  • SHA1:
    29501bbf92378ccdf2e005dbd5912e28b9919f7d
  • SHA256:
    c3161f76d1238a5de74d11de36cb1818f0141bea65ba2a9d7e2d074cea74d708
  • Technologies:
Full Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113

malicious
96/100

malicious
17/72

malicious
18/31

IPs

IP Country Detection
181.52.103.140
Colombia

Domains

Name IP Detection
remcquince.duckdns.org
181.52.103.140

URLs

Name Detection
http://gimp-print.sourceforge.net/xsd/gp.xsd-1.0
http://nsis.sf.net/NSIS_Error
http://nsis.sf.net/NSIS_ErrorError
Click to see the 3 hidden entries
http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd
http://www.freedesktop.org/standards/shared-mime-info
http://www.businessobjects.com0

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Roaming\remcos\logs.dat
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\Semiramis.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Roaming\polls\edit\x-yaml.xml
XML 1.0 document, UTF-8 Unicode text
#
Click to see the 41 hidden entries
C:\Windows\Tasks\shutdown.job
data
#
C:\Users\user\AppData\Local\Temp\Dozen
data
#
C:\Users\user\AppData\Local\Temp\Enceinte.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\U\well\hosts\model1.xml
XML 1.0 document, ASCII text
#
C:\Users\user\AppData\Local\Temp\U\well\hosts\x-applix-word.xml
XML 1.0 document, UTF-8 Unicode text
#
C:\Users\user\AppData\Local\Temp\b61cfbb2.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu May 23 20:47:28 2019, mtime=Fri May 8 06:57:07 2020, atime=Fri May 8 06:56:49 2020, length=913574, window=hide
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\33.opends60.dll
data
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\72.opends60.dll
data
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\77.opends60.dll
data
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\DesktopDMA.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\IEExecRemote.xml
XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\JScriptLangFilter80.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\SystemEnterpriseServicesThunk.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\css10.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\mfcmifc80.dll
PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\model106.xml
XML 1.0 document, ASCII text
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\org.gnome.Disks.gschema.xml
XML 1.0 document, ASCII text
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\ppc64-linux.xml
XML 1.0 document, ASCII text
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\team.xml
XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\u2lsamp1.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\vcompd.dll
current ar archive
#
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\x-java-keystore.xml
XML 1.0 document, UTF-8 Unicode text
#
C:\Users\user\AppData\Local\Temp\replication\treasury\sbsVsaVb7rt.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Roaming\consulting\boxes\diffs\MCppCodeDomProvider.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Roaming\erros\album\sysadmin2\vcencbld.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Roaming\erros\album\sysadmin2\x-vorbis+ogg.xml
XML 1.0 document, UTF-8 Unicode text
#
C:\Users\user\AppData\Roaming\folders\tl\helloworld\spreadsheet.xml
XML 1.0 document, UTF-8 Unicode text
#
C:\Users\user\AppData\Roaming\folders\tl\helloworld\vsmsvr.exe
XML document, ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\is-bin\cfcache\sources\sgen.exe
PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Roaming\messaging\styles\63.opends60.dll
data
#
C:\Users\user\AppData\Roaming\messaging\styles\81.opends60.dll
data
#
C:\Users\user\AppData\Roaming\messaging\styles\CMAccept.exe
PE32 executable (Windows CE) ARM, for MS Windows
#
C:\Users\user\AppData\Roaming\messaging\styles\PEVerify.exe
XML document, ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\messaging\styles\x-canon-cr2.xml
XML 1.0 document, UTF-8 Unicode text
#
C:\Users\user\AppData\Roaming\messaging\styles\x-lzma-compressed-tar.xml
XML 1.0 document, UTF-8 Unicode text
#
C:\Users\user\AppData\Roaming\opml\computers\fsck\28.opends60.dll
data
#
C:\Users\user\AppData\Roaming\opml\computers\fsck\kingsaudience.xml
XML 1.0 document, UTF-8 Unicode text
#
C:\Users\user\AppData\Roaming\pad\2000\_common\75.opends60.dll
data
#
C:\Users\user\AppData\Roaming\pad\2000\_common\mscorie.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Roaming\polls\edit\37.opends60.dll
data
#
C:\Users\user\AppData\Roaming\polls\edit\fixedmonthlyfiscalcalendar.xml
XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
#