Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
AV Detection: |
---|
Found malware configuration | Source: Malware Configuration Extractor
Yara detected Remcos RAT | Source: File source (12 matches; file names not shown)
Machine Learning detection for sample | Source: Joe Sandbox ML
Cryptography: |
---|
Uses Microsoft's Enhanced Cryptographic Provider | Source: Code function 1_2_0042DC88; Binary or memory string (not shown)
Compliance: |
---|
Detected unpacking (overwrites its own PE header) | Source: Unpacked PE file
Uses 32bit PE files | Source: Static PE information
Contains modern PE file flags such as dynamic base (ASLR) or NX | Source: Static PE information
Binary contains paths to debug symbols | Source: Binary string (2 matches; strings not shown)
Untitled signature | Source: Code functions 0_2_00405A15, 0_2_004065C1, 0_2_004027A1, 1_2_004170D3, 1_2_004451D9, 1_2_0040A1E5, 1_2_004073C8, 1_2_0040782F, 1_2_00405CDC, 1_2_00414E6E, 1_2_00409FCA, 1_1_004170D3, 1_1_004451D9, 1_1_0040A1E5, 1_1_004073C8
Untitled signature | Source: Code function 1_2_00406496
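The three static PE signatures in this section (32-bit image, dynamic base / NX flags, embedded PDB path) are cheap to reproduce outside the sandbox when triaging a sample. The script below is an added example written for this page; it is not part of the report and not Joe Sandbox's tooling. It reads the COFF and optional headers with the standard library, decodes the `DllCharacteristics` bits from winnt.h, and scans for a CodeView `RSDS` record to recover a PDB path. The two header-only images it checks are constructed in the code and are not the analysed sample.

```python
"""Static PE triage: bitness, ASLR/NX opt-in, embedded PDB path.  Stdlib only."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHAR = {  # IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,   # ASLR opt-in ("dynamic base")
    "NX_COMPAT": 0x0100,      # DEP/NX opt-in
    "NO_SEH": 0x0400,
    "GUARD_CF": 0x4000,
}


def parse_pe_flags(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "bits": 32 if magic == PE32_MAGIC else 64,
        "machine": machine,
        "sections": nsections,
        "aslr": bool(dllchar & DLLCHAR["DYNAMIC_BASE"]),
        "nx": bool(dllchar & DLLCHAR["NX_COMPAT"]),
        "dllchar": {name for name, bit in DLLCHAR.items() if dllchar & bit},
    }


def find_pdb_paths(data: bytes) -> list:
    """CodeView 'RSDS' record: signature(4) GUID(16) age(4) then a NUL-terminated path."""
    paths, pos = [], 0
    while (pos := data.find(b"RSDS", pos)) != -1:
        start = pos + 24
        end = data.find(b"\0", start)
        if end > start:
            paths.append(data[start:end].decode("latin-1"))
        pos += 4
    return paths


def triage(data: bytes) -> dict:
    flags = parse_pe_flags(data)
    flags["pdb_paths"] = find_pdb_paths(data)
    return flags


def build_sample(magic=PE32_MAGIC, machine=IMAGE_FILE_MACHINE_I386, dllchar=0, pdb=b"") -> bytes:
    """Constructed header-only image for this demo (assumption: no sections, no real code)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0 if magic == PE32_MAGIC else 0xF0
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt) + pdb


# Constructed inputs: one "modern" image (ASLR+NX, PDB path) and one legacy image.
SAMPLE_MODERN = build_sample(
    dllchar=DLLCHAR["DYNAMIC_BASE"] | DLLCHAR["NX_COMPAT"],
    pdb=b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + b"C:\\build\\stub.pdb\0",
)
SAMPLE_LEGACY = build_sample()

if __name__ == "__main__":
    for name, blob in (("modern", SAMPLE_MODERN), ("legacy", SAMPLE_LEGACY)):
        print(name, triage(blob))
```

A real sample needs the same checks run against the unpacked payload as well: the report flags unpacking that overwrites the PE header, so the flags on the on-disk dropper say nothing about the code that actually executes.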
Networking: |
---|
C2 URLs / IPs found in malware configuration | Source: URLs (not listed; see the IP and domain tables at the end of the report)
Contains functionality to download and execute PE files | Source: Code function 1_2_00411EA6
Detected TCP or UDP traffic on non-standard ports | Source: TCP traffic (endpoint and port not shown)
IP address seen in connection with other malware | Source: IP address (see table at the end of the report)
Internet Provider seen in connection with other malware | Source: ASN name (see table at the end of the report)
Untitled signature | Source: Code function 1_2_0042190F
Untitled signature | Source: DNS traffic detected
Untitled signature | Source: String found in binary or memory (2 matches; strings not shown)
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Contains functionality to capture and log keystrokes | Source: Code function 1_2_00408ED1 (12 matches)
Contains functionality to read data from the clipboard | Source: Code function 0_2_004054B2
Contains functionality to read the clipboard data | Source: Code function 1_2_00409900
Potential key logger detected (key state polling based) | Source: Code functions 1_2_004083AE, 1_1_004083AE
E-Banking Fraud: |
---|
Yara detected Remcos RAT | Source: File source (12 matches; file names not shown)
System Summary: |
---|
Malicious sample detected (through community Yara rule) | Source: Matched rule (9 matches; rule names not shown)
Initial sample is a PE file and has a suspicious name | Source: Static PE information
Contains functionality to shutdown / reboot the system | Source: Code functions 0_2_00403486, 1_2_00411C7C
Detected potential crypto function | Source: Code functions 0_2_00407272, 0_2_00406A9B, 0_2_6FC51A98, 1_2_0044C05A, 1_2_0041A15E, 1_2_0043027D, 1_2_0043E200, 1_2_0044A217, 1_2_0043336D, 1_2_00422613, 1_2_0043768C, 1_2_00422756, 1_2_00433785, 1_2_004378BB, 1_2_0044A929, 1_2_00421A7E, 1_2_00410AC5, 1_2_00437AEA, 1_2_00450A80, 1_2_00418BDF, 1_2_00433BBA, 1_2_00430D20, 1_2_0042DD93, 1_2_00432E71, 1_2_00421F75, 1_2_00433FEF, 1_1_0044C05A, 1_1_0041A15E, 1_1_0043027D, 1_1_0043E200, 1_1_0044A217, 1_1_0043336D
Found potential string decryption / allocating functions | Source: (not shown)
Sample file is different than original file name gathered from version info | Source: Binary or memory string (4 matches; strings not shown)
Uses 32bit PE files | Source: Static PE information
Yara signature match | Source: Matched rule (9 matches; rule names not shown)
Untitled signature | Source: Classification label
Untitled signature | Source: Code functions 0_2_00403486, 1_2_00413417, 1_1_00413417
Untitled signature | Source: Code function 0_2_00404763
Untitled signature | Source: Code function 0_2_10004243
Untitled signature | Source: Code function 0_2_0040216B
Untitled signature | Source: Code function 1_2_0040D246
Untitled signature | Source: Code function 1_2_00416026
Untitled signature | Source: File created
Untitled signature | Source: Mutant created
Untitled signature | Source: File created
Untitled signature | Source: Command line argument, code function 1_2_0040C2AA (14 matches) and 1_1_0040C2AA (14 matches)
Untitled signature | Source: Static PE information
Untitled signature | Source: File read
Untitled signature | Source: Key opened
Untitled signature | Source: File read (3 matches)
Untitled signature | Source: Process created (3 matches)
Untitled signature | Source: Key value queried
Untitled signature | Source: Static PE information
Untitled signature | Source: Binary string (2 matches; strings not shown)
Data Obfuscation: |
---|
Detected unpacking (changes PE section rights) | Source: Unpacked PE file
Detected unpacking (overwrites its own PE header) | Source: Unpacked PE file
Contains functionality to dynamically determine API calls | Source: Code function 0_2_6FC51A98
Uses code obfuscation techniques (call, push, ret) | Source: Code functions 0_2_6FC52F8E, 1_2_0042F259, 1_2_004573F6, 1_2_00450466, 1_2_0044FB39, 1_1_0042F259, 1_1_004573F6, 1_1_00450466
Untitled signature | Source: Static PE information
Persistence and Installation Behavior: |
---|
Contains functionality to download and launch executables | Source: Code function 1_2_00411EA6
Drops PE files | Source: File created (2 dropped files; names not shown)
Untitled signature | Source: Code function 1_2_00415DF3
Hooking and other Techniques for Hiding and Protection: |
---|
Extensive use of GetProcAddress (often used to hide API calls) | Source: Code function 1_2_0040CEAE
Untitled signature | Source: Process information set (3 matches)
Malware Analysis System Evasion: |
---|
Delayed program exit found | Source: Code functions 1_2_0040D27D, 1_1_0040D27D
Contains capabilities to detect virtual machines | Source: File opened / queried
Contains functionality to enumerate running services | Source: Code function 1_2_00415B21
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Source: Window / User API
May sleep (evasive loops) to hinder dynamic analysis | Source: Thread sleep count; Thread sleep time
Sample execution stops while process was sleeping (likely an evasion) | Source: Last function (2 matches)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts) | Source: Code functions 1_2_004081EF, 1_1_004081EF
Untitled signature | Source: Code functions 0_2_00405A15, 0_2_004065C1, 0_2_004027A1, 1_2_004170D3, 1_2_004451D9, 1_2_0040A1E5, 1_2_004073C8, 1_2_0040782F, 1_2_00405CDC, 1_2_00414E6E, 1_2_00409FCA, 1_1_004170D3, 1_1_004451D9, 1_1_0040A1E5, 1_1_004073C8
Untitled signature | Source: Code function 1_2_00406496
Untitled signature | Source: Process information queried
Anti Debugging: |
---|
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Source: Code function 1_2_0042EDE5
Contains functionality to dynamically determine API calls | Source: Code function 0_2_6FC51A98
Contains functionality to read the PEB | Source: Code functions 0_2_1000775D, 0_2_100074AD, 1_2_0043B529
Contains functionality which may be used to detect a debugger (GetProcessHeap) | Source: Code function 1_2_004464AD
Untitled signature | Source: Code functions 1_2_0042F3CC, 1_2_0042EDE5, 1_2_00435E43, 1_2_0042EF77, 1_1_0042F3CC
HIPS / PFW / Operating System Protection Evasion: |
---|
Contains functionality to inject code into remote processes | Source: Code function 1_2_00413BEA
Maps a DLL or memory area into another process | Source: Section loaded
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection) | Source: Code functions 1_2_0040F31A, 1_1_0040F31A
Contains functionality to simulate mouse events | Source: Code function 1_2_004149FD
Creates a process in suspended mode (likely to inject code) | Source: Process created
Untitled signature | Source: Binary or memory string (5 matches; strings not shown)
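Three of the behaviour signatures in this report are heuristics over an API call trace: the key-state polling keylogger in "Key, Mouse, Clipboard, Microphone and Screen Capturing", the sleep-based stalling in "Malware Analysis System Evasion", and the suspended-process injection chain in this section. The script below is an added example written for this page, not Joe Sandbox code, and shows how such heuristics are expressed over a trace. The trace is constructed and uses an assumed line format (`ts_ms pid tid api key=value ...`); the thresholds (50 key-state polls per second, 60 s of cumulative Sleep) are assumptions to be tuned, not values from the report.

```python
"""API-trace heuristics: hollowing chain, key-state polling, sleep stalling."""
from collections import defaultdict

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit for CreateProcess*

# Constructed trace for the demo (not sandbox output).  Assumed format:
# "<ts_ms> <pid> <tid> <api> key=value ..."
CONSTRUCTED_TRACE = "\n".join(
    [
        "1000 4321 100 CreateProcessW image=C:\\Windows\\System32\\svchost.exe flags=0x4 child=5000",
        "1005 4321 100 WriteProcessMemory target=5000 size=0x1a000",
        "1010 4321 100 SetThreadContext target=5000",
        "1012 4321 100 ResumeThread target=5000",
        "1100 4321 100 CreateProcessW image=C:\\Windows\\System32\\notepad.exe flags=0x0 child=5100",
        "2000 5000 200 Sleep ms=45000",
        "2001 5000 200 Sleep ms=45000",
    ]
    # thread 201 in the hollowed child polls every key code ~100 times per second
    + [f"{3000 + i * 10} 5000 201 GetAsyncKeyState vkey={i % 256}" for i in range(60)]
    # a benign program checking Enter twice a second must not trigger
    + [f"{9000 + i * 500} 5100 300 GetAsyncKeyState vkey=13" for i in range(5)]
)


def parse_trace(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, tid, api, *kv = line.split()
        args = dict(tok.split("=", 1) for tok in kv)
        events.append({"ts": int(ts), "pid": int(pid), "tid": int(tid), "api": api, "args": args})
    return events


def find_hollowing(events):
    """CreateProcess with CREATE_SUSPENDED, then WriteProcessMemory and ResumeThread
    against that child from the same parent: the classic injection/hollowing chain."""
    hits = []
    for i, ev in enumerate(events):
        if ev["api"] not in ("CreateProcessW", "CreateProcessA"):
            continue
        if not int(ev["args"].get("flags", "0"), 16) & CREATE_SUSPENDED:
            continue
        child = ev["args"].get("child")
        later = [e for e in events[i + 1:]
                 if e["pid"] == ev["pid"] and e["args"].get("target") == child]
        if {"WriteProcessMemory", "ResumeThread"} <= {e["api"] for e in later}:
            hits.append({"parent": ev["pid"], "child": int(child), "image": ev["args"].get("image")})
    return hits


def find_key_polling(events, min_calls=50, window_ms=1000):
    """One thread calling GetAsyncKeyState/GetKeyState min_calls times inside window_ms."""
    per_thread = defaultdict(list)
    for ev in events:
        if ev["api"] in ("GetAsyncKeyState", "GetKeyState"):
            per_thread[(ev["pid"], ev["tid"])].append(ev["ts"])
    hits = []
    for (pid, tid), stamps in per_thread.items():
        stamps.sort()
        for j in range(len(stamps) - min_calls + 1):  # sliding window over call times
            if stamps[j + min_calls - 1] - stamps[j] <= window_ms:
                hits.append({"pid": pid, "tid": tid, "calls": len(stamps)})
                break
    return hits


def find_sleep_stalling(events, threshold_ms=60_000):
    """Cumulative Sleep/SleepEx per process at or above threshold_ms."""
    total = defaultdict(int)
    for ev in events:
        if ev["api"] in ("Sleep", "SleepEx"):
            total[ev["pid"]] += int(ev["args"].get("ms", "0"))
    return {pid: ms for pid, ms in total.items() if ms >= threshold_ms}


def analyse(text):
    events = parse_trace(text)
    return {
        "hollowing": find_hollowing(events),
        "key_polling": find_key_polling(events),
        "sleep_stalling": find_sleep_stalling(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(CONSTRUCTED_TRACE), indent=2))
```

The hollowing check keys on the parent/child relationship rather than on any single API, which is why the report's separate "Creates a process in suspended mode" and "Contains functionality to inject code into remote processes" signatures are stronger read together than either is alone; the sleep check is the reason a sandbox reports "sample execution stops while process was sleeping" as its own finding.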
Language, Device and Operating System Detection: |
---|
Contains functionality to query CPU information (cpuid) | Source: Code function 1_2_0042F055
Contains functionality to query locales information (e.g. system language) | Source: Code functions 1_2_0040D3AD, 1_2_00448638, 1_2_00440681, 1_2_004488FB, 1_2_004488B0, 1_2_00448996, 1_2_00448A23, 1_2_00440B6A, 1_2_00448C73, 1_2_00448D9C, 1_2_00448EA3, 1_2_00448F70, 1_1_0040D3AD
Untitled signature | Source: Code function 1_2_0042F25B
Untitled signature | Source: Code function 1_2_00416790
Untitled signature | Source: Code function 1_2_0044143E
Untitled signature | Source: Code function 0_2_00403486
Stealing of Sensitive Information: |
---|
Yara detected Remcos RAT | Source: File source (12 matches; file names not shown)
Contains functionality to steal Chrome passwords or cookies | Source: Code function 1_2_00409EAC
Contains functionality to steal Firefox passwords or cookies | Source: Code function 1_2_00409FCA (2 matches)
Remote Access Functionality: |
---|
Detected Remcos RAT | Source: String found in binary or memory (4 matches; strings not shown)
Yara detected Remcos RAT | Source: File source (12 matches; file names not shown)
Contains functionality to launch and control a shell (cmd.exe) | Source: Code functions 1_2_004054A8, 1_1_004054A8
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
---|---|---|---|---|---|---
194.5.97.248 | unknown | Netherlands | | 208476 | DANILENKODE | true

Private IP |
---|
192.168.2.1 |

Name | IP | Active
---|---|---
greatglass.servebeer.com | 194.5.97.248 | true

Name | Malicious | Antivirus Detection | Reputation
---|---|---|---
(not shown) | true | | unknown
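The tables above give one C2 IP with its ASN and one contacted hostname. servebeer.com is a No-IP free dynamic-DNS domain, so the operator can move the IP without touching the name; both indicators are worth matching, and a DNS answer that resolves to the known IP is a third signal. The script below is an added example written for this page, not part of the report: it matches constructed Zeek-style conn.log and dns.log excerpts against these IOCs and flags connections to non-private hosts on ports outside an assumed allowlist, the same idea as the "non-standard ports" signature in the Networking section. The report does not list the port the sample used; the port and timestamps in the sample rows are constructed.

```python
"""Match network telemetry against the report's IOCs; flag non-standard ports."""
import csv
import io
import ipaddress

C2_IPS = {"194.5.97.248"}                  # from the report's IP table
C2_DOMAINS = {"greatglass.servebeer.com"}  # from the report's contacted-domain table
# Assumed allowlist of "standard" ports; everything else to a public host is flagged.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995, 3389}

# Constructed Zeek-style excerpts (tab-separated), not from the sandbox run.
CONN_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tproto
1700000000.1\t192.168.2.5\t194.5.97.248\t2404\ttcp
1700000000.2\t192.168.2.5\t93.184.216.34\t443\ttcp
1700000000.3\t192.168.2.5\t10.0.0.7\t8443\ttcp
1700000000.4\t192.168.2.5\t8.8.8.8\t53\tudp
"""
DNS_LOG = """\
ts\tid.orig_h\tquery\tanswers
1700000000.05\t192.168.2.5\tgreatglass.servebeer.com\t194.5.97.248
1700000000.15\t192.168.2.5\texample.com\t93.184.216.34
"""


def parse_tsv(text):
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def is_private(ip):
    return ipaddress.ip_address(ip).is_private


def flag_connections(conn_rows, c2_ips=C2_IPS, standard_ports=STANDARD_PORTS):
    """Known C2 destination, or a public destination on a non-standard port."""
    hits = []
    for r in conn_rows:
        dst, port = r["id.resp_h"], int(r["id.resp_p"])
        reasons = []
        if dst in c2_ips:
            reasons.append("known C2 IP")
        if port not in standard_ports and not is_private(dst):
            reasons.append(f"non-standard port {port}")
        if reasons:
            hits.append({"ts": r["ts"], "dst": dst, "port": port, "reasons": reasons})
    return hits


def flag_dns(dns_rows, c2_domains=C2_DOMAINS, c2_ips=C2_IPS):
    """Query for the C2 name (or a subdomain of it), or any answer that is a C2 IP."""
    hits = []
    for r in dns_rows:
        q = r["query"].lower().rstrip(".")
        answers = set(r["answers"].split(",")) if r["answers"] else set()
        reasons = []
        if q in c2_domains or any(q.endswith("." + d) for d in c2_domains):
            reasons.append("known C2 domain")
        if answers & c2_ips:
            reasons.append("resolves to known C2 IP")
        if reasons:
            hits.append({"ts": r["ts"], "query": q, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in flag_connections(parse_tsv(CONN_LOG)) + flag_dns(parse_tsv(DNS_LOG)):
        print(h)
```

The private-address exclusion keeps internal services on high ports (the 10.0.0.7:8443 row) out of the non-standard-port alert; drop it if the environment has no such services, or replace the allowlist with a per-host baseline.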