Analysis Report QuotationInvoices.exe

Overview

General Information

Sample Name: QuotationInvoices.exe
Analysis ID: 356046
MD5: 9c51e2991c6c9708d783aab030dcc0da
SHA1: 64accc9e3f84e7365d8236c580b9644427e3f9e3
SHA256: 572a6a6fa5277c2b4cc040710694d33b2def62ab74e2801893d33e92e7b105af
Tags: exe, RAT, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locale information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 1.2.QuotationInvoices.exe.400000.0.unpack Malware Configuration Extractor: Remcos {"Host:Port:Password": "greatglass.servebeer.com:1961:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-I9UILL", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Yara detected Remcos RAT
Source: Yara match File source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QuotationInvoices.exe PID: 7072, type: MEMORY
Source: Yara match File source: Process Memory Space: QuotationInvoices.exe PID: 7036, type: MEMORY
Source: Yara match File source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: QuotationInvoices.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0042DC88 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 1_2_0042DC88
Source: QuotationInvoices.exe, 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Unpacked PE file: 1.2.QuotationInvoices.exe.400000.0.unpack
Uses 32bit PE files
Source: QuotationInvoices.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: QuotationInvoices.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wntdll.pdbUGP source: QuotationInvoices.exe, 00000000.00000003.663166783.0000000002B70000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: QuotationInvoices.exe, 00000000.00000003.663166783.0000000002B70000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405A15
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_004065C1 FindFirstFileA,FindClose, 0_2_004065C1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_004170D3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 1_2_004170D3
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_004451D9 FindFirstFileExA, 1_2_004451D9
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0040A1E5 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 1_2_0040A1E5
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_004073C8 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 1_2_004073C8
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0040782F __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 1_2_0040782F
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00405CDC FindFirstFileW,FindNextFileW, 1_2_00405CDC
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00414E6E FindFirstFileW,FindNextFileW,FindNextFileW, 1_2_00414E6E
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00409FCA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 1_2_00409FCA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_004170D3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 1_1_004170D3
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_004451D9 FindFirstFileExA, 1_1_004451D9
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_0040A1E5 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 1_1_0040A1E5
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_004073C8 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 1_1_004073C8
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00406496 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW, 1_2_00406496

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: greatglass.servebeer.com
Contains functionality to download and execute PE files
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00411EA6 URLDownloadToFileW,ShellExecuteW, 1_2_00411EA6
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 194.5.97.248:1961
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 194.5.97.248
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0042190F recv, 1_2_0042190F
Source: unknown DNS traffic detected: queries for: greatglass.servebeer.com
Source: QuotationInvoices.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: QuotationInvoices.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: [Esc] 1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: [Enter] 1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: [Tab] 1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: [Down] 1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: [Right] 1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: [Up] 1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: [Left] 1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: [End] 1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: [F2] 1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: [F1] 1_2_00408ED1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: [Del] 1_2_00408ED1
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004054B2
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00409900 OpenClipboard,GetClipboardData,CloseClipboard, 1_2_00409900
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_004083AE GetKeyState,GetKeyState,GetKeyState,CallNextHookEx, 1_2_004083AE
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_004083AE GetKeyState,GetKeyState,GetKeyState,CallNextHookEx, 1_1_004083AE

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QuotationInvoices.exe PID: 7072, type: MEMORY
Source: Yara match File source: Process Memory Space: QuotationInvoices.exe PID: 7036, type: MEMORY
Source: Yara match File source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: QuotationInvoices.exe
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403486
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00411C7C SetEvent,GetTickCount,Sleep,URLDownloadToFileW,OpenClipboard,CloseClipboard,Sleep,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,EmptyClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,StrToIntA,SetWindowTextW,CreateThread,ShowWindow,SetForegroundWindow, 1_2_00411C7C
Detected potential crypto function
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_00407272 0_2_00407272
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_00406A9B 0_2_00406A9B
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_6FC51A98 0_2_6FC51A98
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0044C05A 1_2_0044C05A
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0041A15E 1_2_0041A15E
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0043027D 1_2_0043027D
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0043E200 1_2_0043E200
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0044A217 1_2_0044A217
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0043336D 1_2_0043336D
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00422613 1_2_00422613
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0043768C 1_2_0043768C
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00422756 1_2_00422756
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00433785 1_2_00433785
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_004378BB 1_2_004378BB
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0044A929 1_2_0044A929
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00421A7E 1_2_00421A7E
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00410AC5 1_2_00410AC5
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00437AEA 1_2_00437AEA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00450A80 1_2_00450A80
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00418BDF 1_2_00418BDF
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00433BBA 1_2_00433BBA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00430D20 1_2_00430D20
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0042DD93 1_2_0042DD93
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00432E71 1_2_00432E71
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00421F75 1_2_00421F75
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00433FEF 1_2_00433FEF
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_0044C05A 1_1_0044C05A
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_0041A15E 1_1_0041A15E
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_0043027D 1_1_0043027D
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_0043E200 1_1_0043E200
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_0044A217 1_1_0044A217
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_0043336D 1_1_0043336D
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: String function: 0042F200 appears 71 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: String function: 0042EB5C appears 68 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: String function: 00404712 appears 31 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: String function: 0040412C appears 35 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: String function: 00401FCE appears 119 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: String function: 00416673 appears 50 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: String function: 0040201F appears 35 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: String function: 0043D8D6 appears 33 times
Sample file is different than original file name gathered from version info
Source: QuotationInvoices.exe, 00000000.00000003.659240087.0000000002C06000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs QuotationInvoices.exe
Source: QuotationInvoices.exe, 00000000.00000002.666304572.0000000002210000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs QuotationInvoices.exe
Source: QuotationInvoices.exe, 00000000.00000002.666292575.0000000002200000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs QuotationInvoices.exe
Source: QuotationInvoices.exe, 00000000.00000002.666244171.00000000021C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs QuotationInvoices.exe
Uses 32bit PE files
Source: QuotationInvoices.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/5@53/2
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403486
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00413417 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 1_2_00413417
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_00413417 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 1_1_00413417
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404763
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_10004243 CreateToolhelp32Snapshot,Process32FirstW, 0_2_10004243
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar, 0_2_0040216B
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0040D246 FindResourceA,LoadResource,LockResource,SizeofResource, 1_2_0040D246
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00416026 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 1_2_00416026
Source: C:\Users\user\Desktop\QuotationInvoices.exe File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Users\user\Desktop\QuotationInvoices.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-I9UILL
Source: C:\Users\user\Desktop\QuotationInvoices.exe File created: C:\Users\user\AppData\Local\Temp\nsh872B.tmp
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: Software\ 1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: Inj 1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: Remcos-I9UILL 1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: ProductName 1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: origmsc 1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: Remcos 1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: exepath 1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: licence 1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: exepath 1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: Administrator 1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: User 1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: [Info] 1_2_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: Software\ 1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: Inj 1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: Remcos-I9UILL 1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: ProductName 1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: origmsc 1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: Remcos 1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: exepath 1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: licence 1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: exepath 1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: Administrator 1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: User 1_1_0040C2AA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Command line argument: [Info] 1_1_0040C2AA
Source: QuotationInvoices.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QuotationInvoices.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\QuotationInvoices.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\QuotationInvoices.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QuotationInvoices.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QuotationInvoices.exe File read: C:\Users\user\Desktop\QuotationInvoices.exe
Source: unknown Process created: C:\Users\user\Desktop\QuotationInvoices.exe 'C:\Users\user\Desktop\QuotationInvoices.exe'
Source: unknown Process created: C:\Users\user\Desktop\QuotationInvoices.exe 'C:\Users\user\Desktop\QuotationInvoices.exe'
Source: C:\Users\user\Desktop\QuotationInvoices.exe Process created: C:\Users\user\Desktop\QuotationInvoices.exe 'C:\Users\user\Desktop\QuotationInvoices.exe'
Source: C:\Users\user\Desktop\QuotationInvoices.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: QuotationInvoices.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: QuotationInvoices.exe, 00000000.00000003.663166783.0000000002B70000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: QuotationInvoices.exe, 00000000.00000003.663166783.0000000002B70000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Unpacked PE file: 1.2.QuotationInvoices.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Unpacked PE file: 1.2.QuotationInvoices.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_6FC51A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_6FC51A98
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_6FC52F60 push eax; ret 0_2_6FC52F8E
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0042F246 push ecx; ret 1_2_0042F259
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_004573ED push esi; ret 1_2_004573F6
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00450448 push eax; ret 1_2_00450466
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0044FB26 push ecx; ret 1_2_0044FB39
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_0042F246 push ecx; ret 1_1_0042F259
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_004573ED push esi; ret 1_1_004573F6
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_00450448 push eax; ret 1_1_00450466
Source: initial sample Static PE information: section name: .data entropy: 7.91289569988

Persistence and Installation Behavior:

Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00411EA6 URLDownloadToFileW,ShellExecuteW, 1_2_00411EA6
Drops PE files
Source: C:\Users\user\Desktop\QuotationInvoices.exe File created: C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll
Source: C:\Users\user\Desktop\QuotationInvoices.exe File created: C:\Users\user\AppData\Local\Temp\xmtfn.dll
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00415DF3 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 1_2_00415DF3

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0040CEAE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 1_2_0040CEAE
Source: C:\Users\user\Desktop\QuotationInvoices.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QuotationInvoices.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QuotationInvoices.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Delayed program exit found
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0040D27D Sleep,ExitProcess, 1_2_0040D27D
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_0040D27D Sleep,ExitProcess, 1_1_0040D27D
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\QuotationInvoices.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 1_2_00415B21
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Window / User API: threadDelayed 679
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\QuotationInvoices.exe TID: 6340 Thread sleep count: 679 > 30
Source: C:\Users\user\Desktop\QuotationInvoices.exe TID: 6340 Thread sleep time: -6790000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\QuotationInvoices.exe Last function: Thread delayed
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_004081EF GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: je 00408210h 1_2_004081EF
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_004081EF GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: je 00408210h 1_1_004081EF
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405A15
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_004065C1 FindFirstFileA,FindClose, 0_2_004065C1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_004170D3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 1_2_004170D3
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_004451D9 FindFirstFileExA, 1_2_004451D9
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0040A1E5 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 1_2_0040A1E5
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_004073C8 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 1_2_004073C8
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0040782F __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 1_2_0040782F
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00405CDC FindFirstFileW,FindNextFileW, 1_2_00405CDC
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00414E6E FindFirstFileW,FindNextFileW,FindNextFileW, 1_2_00414E6E
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00409FCA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 1_2_00409FCA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_004170D3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 1_1_004170D3
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_004451D9 FindFirstFileExA, 1_1_004451D9
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_0040A1E5 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 1_1_0040A1E5
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_004073C8 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 1_1_004073C8
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00406496 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW, 1_2_00406496
Source: C:\Users\user\Desktop\QuotationInvoices.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0042EDE5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0042EDE5
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_6FC51A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_6FC51A98
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_1000775D mov eax, dword ptr fs:[00000030h] 0_2_1000775D
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_100074AD mov eax, dword ptr fs:[00000030h] 0_2_100074AD
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0043B529 mov eax, dword ptr fs:[00000030h] 1_2_0043B529
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_004464AD GetProcessHeap, 1_2_004464AD
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0042F3CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0042F3CC
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0042EDE5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0042EDE5
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00435E43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00435E43
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0042EF77 SetUnhandledExceptionFilter, 1_2_0042EF77
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_1_0042F3CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_1_0042F3CC

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00413BEA __EH_prolog,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 1_2_00413BEA
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\QuotationInvoices.exe Section loaded: unknown target: C:\Users\user\Desktop\QuotationInvoices.exe protection: execute and read and write
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe 1_2_0040F31A
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe 1_1_0040F31A
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_004149FD StrToIntA,mouse_event, 1_2_004149FD
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Process created: C:\Users\user\Desktop\QuotationInvoices.exe 'C:\Users\user\Desktop\QuotationInvoices.exe'
Source: QuotationInvoices.exe, 00000001.00000002.919576145.0000000000C90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: QuotationInvoices.exe, 00000001.00000002.919576145.0000000000C90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: QuotationInvoices.exe, 00000001.00000002.919576145.0000000000C90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: logs.dat.1.dr Binary or memory string: [ Program Manager ]
Source: QuotationInvoices.exe, 00000001.00000002.919576145.0000000000C90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0042F055 cpuid 1_2_0042F055
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: GetLocaleInfoA, 1_2_0040D3AD
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_00448638
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: EnumSystemLocalesW, 1_2_00440681
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: EnumSystemLocalesW, 1_2_004488FB
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: EnumSystemLocalesW, 1_2_004488B0
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: EnumSystemLocalesW, 1_2_00448996
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_00448A23
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: GetLocaleInfoW, 1_2_00440B6A
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: GetLocaleInfoW, 1_2_00448C73
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_00448D9C
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: GetLocaleInfoW, 1_2_00448EA3
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_00448F70
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: GetLocaleInfoA, 1_1_0040D3AD
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0042F25B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_0042F25B
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_00416790 GetComputerNameExW,GetUserNameW, 1_2_00416790
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 1_2_0044143E _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 1_2_0044143E
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403486

Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match File source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QuotationInvoices.exe PID: 7072, type: MEMORY
Source: Yara match File source: Process Memory Space: QuotationInvoices.exe PID: 7036, type: MEMORY
Source: Yara match File source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 1_2_00409EAC
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 1_2_00409FCA
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: \key3.db 1_2_00409FCA

Remote Access Functionality:

Detected Remcos RAT
Source: QuotationInvoices.exe, 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: QuotationInvoices.exe, 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp String found in binary or memory: |licence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.0 Prov
Source: QuotationInvoices.exe String found in binary or memory: Remcos_Mutex_Inj
Source: QuotationInvoices.exe, 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp String found in binary or memory: |licence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.0 Prov
Yara detected Remcos RAT
Source: Yara match File source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QuotationInvoices.exe PID: 7072, type: MEMORY
Source: Yara match File source: Process Memory Space: QuotationInvoices.exe PID: 7036, type: MEMORY
Source: Yara match File source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to launch and control a shell (cmd.exe)
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: cmd.exe 1_2_004054A8
Source: C:\Users\user\Desktop\QuotationInvoices.exe Code function: cmd.exe 1_1_004054A8
Behavior Graph (ID: 356046, Sample: QuotationInvoices.exe, Startdate: 22/02/2021, Architecture: WINDOWS, Score: 100): QuotationInvoices.exe starts (signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Detected Remcos RAT; 5 other signatures), drops C:\Users\user\AppData\Local\Temp\xmtfn.dll (PE32) and C:\Users\user\AppData\Local\...\System.dll (PE32) (signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to steal Chrome passwords or cookies; 5 other signatures), then starts a second QuotationInvoices.exe, which contacts greatglass.servebeer.com (194.5.97.248, ports 1961, 49731, 49734, DANILENKODE, Netherlands) and 192.168.2.1 (unknown) and drops C:\Users\user\AppData\Roaming\...\logs.dat (ASCII).

Contacted Public IPs

IP            Domain   Country      ASN     ASN Name     Malicious
194.5.97.248  unknown  Netherlands  208476  DANILENKODE  true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
greatglass.servebeer.com 194.5.97.248 true

Contacted URLs

Name                      Malicious  Antivirus Detection                      Reputation
greatglass.servebeer.com  true       5% (Virustotal); Avira URL Cloud: safe  unknown