Play interactive tour

Edit tour

Analysis Report QuotationInvoices.exe

Overview

General Information

Sample Name:	QuotationInvoices.exe
Analysis ID:	356046
MD5:	9c51e2991c6c9708d783aab030dcc0da
SHA1:	64accc9e3f84e7365d8236c580b9644427e3f9e3
SHA256:	572a6a6fa5277c2b4cc040710694d33b2def62ab74e2801893d33e92e7b105af
Tags:	exeRATRemcosRAT
Most interesting Screenshot:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara signature match

Classification

Startup

System is w10x64

QuotationInvoices.exe (PID: 7036 cmdline: 'C:\Users\user\Desktop\QuotationInvoices.exe' MD5: 9C51E2991C6C9708D783AAB030DCC0DA)

QuotationInvoices.exe (PID: 7072 cmdline: 'C:\Users\user\Desktop\QuotationInvoices.exe' MD5: 9C51E2991C6C9708D783AAB030DCC0DA)

cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "greatglass.servebeer.com:1961:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-I9UILL", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x5f6cc:$str_a1: C:\Windows\System32\cmd.exe 0x5f648:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f648:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f2c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e800:$str_b2: Executing file: 0x5f810:$str_b3: GetDirectListeningPort 0x5f080:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f40c:$str_b5: licence_code.txt 0x5f2a8:$str_b7: \update.vbs 0x5e870:$str_b9: Downloaded file: 0x5e83c:$str_b10: Downloading file: 0x5e824:$str_b12: Failed to upload file: 0x5f7d8:$str_b13: StartForward 0x5f7f8:$str_b14: StopForward 0x5f250:$str_b15: fso.DeleteFile " 0x5f1e4:$str_b16: On Error Resume Next 0x5f280:$str_b17: fso.DeleteFolder " 0x5e814:$str_b18: Uploaded file: 0x5e8b0:$str_b19: Unable to delete: 0x5f218:$str_b20: while fso.FileExists("
00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x5e8cc:$str_a1: C:\Windows\System32\cmd.exe 0x5e848:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e848:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5de68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e4c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5da00:$str_b2: Executing file: 0x5ea10:$str_b3: GetDirectListeningPort 0x5e280:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e60c:$str_b5: licence_code.txt 0x5e4a8:$str_b7: \update.vbs 0x5da70:$str_b9: Downloaded file: 0x5da3c:$str_b10: Downloading file: 0x5da24:$str_b12: Failed to upload file: 0x5e9d8:$str_b13: StartForward 0x5e9f8:$str_b14: StopForward 0x5e450:$str_b15: fso.DeleteFile " 0x5e3e4:$str_b16: On Error Resume Next 0x5e480:$str_b17: fso.DeleteFolder " 0x5da14:$str_b18: Uploaded file: 0x5dab0:$str_b19: Unable to delete: 0x5e418:$str_b20: while fso.FileExists("
00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x5f6cc:$str_a1: C:\Windows\System32\cmd.exe 0x5f648:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f648:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f2c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e800:$str_b2: Executing file: 0x5f810:$str_b3: GetDirectListeningPort 0x5f080:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f40c:$str_b5: licence_code.txt 0x5f2a8:$str_b7: \update.vbs 0x5e870:$str_b9: Downloaded file: 0x5e83c:$str_b10: Downloading file: 0x5e824:$str_b12: Failed to upload file: 0x5f7d8:$str_b13: StartForward 0x5f7f8:$str_b14: StopForward 0x5f250:$str_b15: fso.DeleteFile " 0x5f1e4:$str_b16: On Error Resume Next 0x5f280:$str_b17: fso.DeleteFolder " 0x5e814:$str_b18: Uploaded file: 0x5e8b0:$str_b19: Unable to delete: 0x5f218:$str_b20: while fso.FileExists("
Process Memory Space: QuotationInvoices.exe PID: 7072	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: QuotationInvoices.exe PID: 7036	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.QuotationInvoices.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.QuotationInvoices.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5e8cc:$str_a1: C:\Windows\System32\cmd.exe 0x5e848:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e848:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5de68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e4c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5da00:$str_b2: Executing file: 0x5ea10:$str_b3: GetDirectListeningPort 0x5e280:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e60c:$str_b5: licence_code.txt 0x5e4a8:$str_b7: \update.vbs 0x5da70:$str_b9: Downloaded file: 0x5da3c:$str_b10: Downloading file: 0x5da24:$str_b12: Failed to upload file: 0x5e9d8:$str_b13: StartForward 0x5e9f8:$str_b14: StopForward 0x5e450:$str_b15: fso.DeleteFile " 0x5e3e4:$str_b16: On Error Resume Next 0x5e480:$str_b17: fso.DeleteFolder " 0x5da14:$str_b18: Uploaded file: 0x5dab0:$str_b19: Unable to delete: 0x5e418:$str_b20: while fso.FileExists("
1.1.QuotationInvoices.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.1.QuotationInvoices.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f6cc:$str_a1: C:\Windows\System32\cmd.exe 0x5f648:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f648:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f2c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e800:$str_b2: Executing file: 0x5f810:$str_b3: GetDirectListeningPort 0x5f080:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f40c:$str_b5: licence_code.txt 0x5f2a8:$str_b7: \update.vbs 0x5e870:$str_b9: Downloaded file: 0x5e83c:$str_b10: Downloading file: 0x5e824:$str_b12: Failed to upload file: 0x5f7d8:$str_b13: StartForward 0x5f7f8:$str_b14: StopForward 0x5f250:$str_b15: fso.DeleteFile " 0x5f1e4:$str_b16: On Error Resume Next 0x5f280:$str_b17: fso.DeleteFolder " 0x5e814:$str_b18: Uploaded file: 0x5e8b0:$str_b19: Unable to delete: 0x5f218:$str_b20: while fso.FileExists("
1.2.QuotationInvoices.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.QuotationInvoices.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f6cc:$str_a1: C:\Windows\System32\cmd.exe 0x5f648:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f648:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f2c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e800:$str_b2: Executing file: 0x5f810:$str_b3: GetDirectListeningPort 0x5f080:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f40c:$str_b5: licence_code.txt 0x5f2a8:$str_b7: \update.vbs 0x5e870:$str_b9: Downloaded file: 0x5e83c:$str_b10: Downloading file: 0x5e824:$str_b12: Failed to upload file: 0x5f7d8:$str_b13: StartForward 0x5f7f8:$str_b14: StopForward 0x5f250:$str_b15: fso.DeleteFile " 0x5f1e4:$str_b16: On Error Resume Next 0x5f280:$str_b17: fso.DeleteFolder " 0x5e814:$str_b18: Uploaded file: 0x5e8b0:$str_b19: Unable to delete: 0x5f218:$str_b20: while fso.FileExists("
0.2.QuotationInvoices.exe.2a70000.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.QuotationInvoices.exe.2a70000.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x5dacc:$str_a1: C:\Windows\System32\cmd.exe 0x5da48:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5da48:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5d068:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5d6c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5cc00:$str_b2: Executing file: 0x5dc10:$str_b3: GetDirectListeningPort 0x5d480:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5d80c:$str_b5: licence_code.txt 0x5d6a8:$str_b7: \update.vbs 0x5cc70:$str_b9: Downloaded file: 0x5cc3c:$str_b10: Downloading file: 0x5cc24:$str_b12: Failed to upload file: 0x5dbd8:$str_b13: StartForward 0x5dbf8:$str_b14: StopForward 0x5d650:$str_b15: fso.DeleteFile " 0x5d5e4:$str_b16: On Error Resume Next 0x5d680:$str_b17: fso.DeleteFolder " 0x5cc14:$str_b18: Uploaded file: 0x5ccb0:$str_b19: Unable to delete: 0x5d618:$str_b20: while fso.FileExists("
0.2.QuotationInvoices.exe.2a70000.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.QuotationInvoices.exe.2a70000.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5e8cc:$str_a1: C:\Windows\System32\cmd.exe 0x5e848:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e848:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5de68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e4c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5da00:$str_b2: Executing file: 0x5ea10:$str_b3: GetDirectListeningPort 0x5e280:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e60c:$str_b5: licence_code.txt 0x5e4a8:$str_b7: \update.vbs 0x5da70:$str_b9: Downloaded file: 0x5da3c:$str_b10: Downloading file: 0x5da24:$str_b12: Failed to upload file: 0x5e9d8:$str_b13: StartForward 0x5e9f8:$str_b14: StopForward 0x5e450:$str_b15: fso.DeleteFile " 0x5e3e4:$str_b16: On Error Resume Next 0x5e480:$str_b17: fso.DeleteFolder " 0x5da14:$str_b18: Uploaded file: 0x5dab0:$str_b19: Unable to delete: 0x5e418:$str_b20: while fso.FileExists("
1.1.QuotationInvoices.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.1.QuotationInvoices.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5e8cc:$str_a1: C:\Windows\System32\cmd.exe 0x5e848:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e848:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5de68:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e4c0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5da00:$str_b2: Executing file: 0x5ea10:$str_b3: GetDirectListeningPort 0x5e280:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e60c:$str_b5: licence_code.txt 0x5e4a8:$str_b7: \update.vbs 0x5da70:$str_b9: Downloaded file: 0x5da3c:$str_b10: Downloading file: 0x5da24:$str_b12: Failed to upload file: 0x5e9d8:$str_b13: StartForward 0x5e9f8:$str_b14: StopForward 0x5e450:$str_b15: fso.DeleteFile " 0x5e3e4:$str_b16: On Error Resume Next 0x5e480:$str_b17: fso.DeleteFolder " 0x5da14:$str_b18: Uploaded file: 0x5dab0:$str_b19: Unable to delete: 0x5e418:$str_b20: while fso.FileExists("
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Remcos

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\QuotationInvoices.exe, ProcessId: 7072, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.QuotationInvoices.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": "greatglass.servebeer.com:1961:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-I9UILL", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7072, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7036, type: MEMORY
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: QuotationInvoices.exe

Joe Sandbox ML: detected

Cryptography:

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0042DC88 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

Source: QuotationInvoices.exe, 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Unpacked PE file: 1.2.QuotationInvoices.exe.400000.0.unpack

Uses 32bit PE files

Show sources

Source: QuotationInvoices.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: QuotationInvoices.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wntdll.pdbUGP source: QuotationInvoices.exe, 00000000.00000003.663166783.0000000002B70000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: QuotationInvoices.exe, 00000000.00000003.663166783.0000000002B70000.00000004.00000001.sdmp

Spreading:

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_004065C1 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004170D3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004451D9 FindFirstFileExA,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0040A1E5 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004073C8 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0040782F __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00405CDC FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00414E6E FindFirstFileW,FindNextFileW,FindNextFileW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00409FCA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004170D3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004451D9 FindFirstFileExA,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0040A1E5 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004073C8 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00406496 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: greatglass.servebeer.com

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00411EA6 URLDownloadToFileW,ShellExecuteW,

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 194.5.97.248:1961

Source: Joe Sandbox View

IP Address: 194.5.97.248 194.5.97.248

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0042190F recv,

Source: unknown

DNS traffic detected: queries for: greatglass.servebeer.com

Source: QuotationInvoices.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: QuotationInvoices.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Esc]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Enter]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Tab]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Down]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Right]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Up]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Left]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [End]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [F2]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [F1]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Del]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: [Del]

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00409900 OpenClipboard,GetClipboardData,CloseClipboard,

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004083AE GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004083AE GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7072, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7036, type: MEMORY
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: QuotationInvoices.exe

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00411C7C SetEvent,GetTickCount,Sleep,URLDownloadToFileW,OpenClipboard,CloseClipboard,Sleep,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,EmptyClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,StrToIntA,SetWindowTextW,CreateThread,ShowWindow,SetForegroundWindow,

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_00407272
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_00406A9B
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_6FC51A98
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0044C05A
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0041A15E
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0043027D
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0043E200
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0044A217
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0043336D
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00422613
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0043768C
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00422756
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00433785
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004378BB
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0044A929
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00421A7E
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00410AC5
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00437AEA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00450A80
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00418BDF
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00433BBA
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00430D20
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0042DD93
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00432E71
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00421F75
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00433FEF
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0044C05A
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0041A15E
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0043027D
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0043E200
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0044A217
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0043336D

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 0042F200 appears 71 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 0042EB5C appears 68 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 00404712 appears 31 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 0040412C appears 35 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 00401FCE appears 119 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 00416673 appears 50 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 0040201F appears 35 times
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: String function: 0043D8D6 appears 33 times

Source: QuotationInvoices.exe, 00000000.00000003.659240087.0000000002C06000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs QuotationInvoices.exe
Source: QuotationInvoices.exe, 00000000.00000002.666304572.0000000002210000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs QuotationInvoices.exe
Source: QuotationInvoices.exe, 00000000.00000002.666292575.0000000002200000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs QuotationInvoices.exe
Source: QuotationInvoices.exe, 00000000.00000002.666244171.00000000021C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs QuotationInvoices.exe

Source: QuotationInvoices.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/5@53/2

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00413417 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_00413417 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_10004243 CreateToolhelp32Snapshot,Process32FirstW,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0040D246 FindResourceA,LoadResource,LockResource,SizeofResource,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00416026 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-I9UILL

Source: C:\Users\user\Desktop\QuotationInvoices.exe

File created: C:\Users\user\AppData\Local\Temp\nsh872B.tmp

Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Software\
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Inj
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Inj
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Inj
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Remcos-I9UILL
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: ProductName
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: origmsc
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Remcos
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: exepath
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: licence
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: exepath
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Administrator
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: User
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: [Info]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Software\
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Inj
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Inj
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Inj
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Remcos-I9UILL
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: ProductName
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: origmsc
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Remcos
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: exepath
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: licence
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: exepath
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: Administrator
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: User
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Command line argument: [Info]

Source: QuotationInvoices.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QuotationInvoices.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\QuotationInvoices.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\QuotationInvoices.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\QuotationInvoices.exe

File read: C:\Users\user\Desktop\QuotationInvoices.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QuotationInvoices.exe 'C:\Users\user\Desktop\QuotationInvoices.exe'
Source: unknown	Process created: C:\Users\user\Desktop\QuotationInvoices.exe 'C:\Users\user\Desktop\QuotationInvoices.exe'
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Process created: C:\Users\user\Desktop\QuotationInvoices.exe 'C:\Users\user\Desktop\QuotationInvoices.exe'

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: QuotationInvoices.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: QuotationInvoices.exe, 00000000.00000003.663166783.0000000002B70000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: QuotationInvoices.exe, 00000000.00000003.663166783.0000000002B70000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Unpacked PE file: 1.2.QuotationInvoices.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Unpacked PE file: 1.2.QuotationInvoices.exe.400000.0.unpack

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_6FC51A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_6FC52F60 push eax; ret
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0042F246 push ecx; ret
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004573ED push esi; ret
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00450448 push eax; ret
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0044FB26 push ecx; ret
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0042F246 push ecx; ret
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004573ED push esi; ret
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_00450448 push eax; ret

Source: initial sample

Static PE information: section name: .data entropy: 7.91289569988

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00411EA6 URLDownloadToFileW,ShellExecuteW,

Source: C:\Users\user\Desktop\QuotationInvoices.exe	File created: C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\QuotationInvoices.exe	File created: C:\Users\user\AppData\Local\Temp\xmtfn.dll			Jump to dropped file

Boot Survival:

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00415DF3 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0040CEAE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Delayed program exit found

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0040D27D Sleep,ExitProcess,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0040D27D Sleep,ExitProcess,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Window / User API: threadDelayed 679

Source: C:\Users\user\Desktop\QuotationInvoices.exe TID: 6340	Thread sleep count: 679 > 30
Source: C:\Users\user\Desktop\QuotationInvoices.exe TID: 6340	Thread sleep time: -6790000s >= -30000s

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004081EF GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: je 00408210h
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004081EF GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: je 00408210h

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_004065C1 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004170D3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004451D9 FindFirstFileExA,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0040A1E5 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_004073C8 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0040782F __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00405CDC FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00414E6E FindFirstFileW,FindNextFileW,FindNextFileW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00409FCA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004170D3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004451D9 FindFirstFileExA,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0040A1E5 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_004073C8 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00406496 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0042EDE5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_6FC51A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_1000775D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 0_2_100074AD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0043B529 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_004464AD GetProcessHeap,

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0042F3CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0042EDE5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_00435E43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_2_0042EF77 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: 1_1_0042F3CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00413BEA __EH_prolog,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Section loaded: unknown target: C:\Users\user\Desktop\QuotationInvoices.exe protection: execute and read and write

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_004149FD StrToIntA,mouse_event,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Process created: C:\Users\user\Desktop\QuotationInvoices.exe 'C:\Users\user\Desktop\QuotationInvoices.exe'

Source: QuotationInvoices.exe, 00000001.00000002.919576145.0000000000C90000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: QuotationInvoices.exe, 00000001.00000002.919576145.0000000000C90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: QuotationInvoices.exe, 00000001.00000002.919576145.0000000000C90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: logs.dat.1.dr	Binary or memory string: [ Program Manager ]
Source: QuotationInvoices.exe, 00000001.00000002.919576145.0000000000C90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0042F055 cpuid

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: GetLocaleInfoA,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0042F25B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_00416790 GetComputerNameExW,GetUserNameW,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 1_2_0044143E _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7072, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7036, type: MEMORY
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE

Contains functionality to steal Chrome passwords or cookies

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

Contains functionality to steal Firefox passwords or cookies

Show sources

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: \key3.db

Remote Access Functionality:

Detected Remcos RAT

Show sources

Source: QuotationInvoices.exe, 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: QuotationInvoices.exe, 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp	String found in binary or memory: \|licence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.0 Prov
Source: QuotationInvoices.exe	String found in binary or memory: Remcos_Mutex_Inj
Source: QuotationInvoices.exe, 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: \|licence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.0 Prov

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7072, type: MEMORY
Source: Yara match	File source: Process Memory Space: QuotationInvoices.exe PID: 7036, type: MEMORY
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.QuotationInvoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QuotationInvoices.exe.2a70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.QuotationInvoices.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: cmd.exe
Source: C:\Users\user\Desktop\QuotationInvoices.exe	Code function: cmd.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer21	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Command and Scripting Interpreter12	Windows Service1	Access Token Manipulation1	Obfuscated Files or Information3	Input Capture111	Account Discovery1	Remote Desktop Protocol	Input Capture111	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution2	Logon Script (Windows)	Windows Service1	Software Packing21	Credentials In Files2	System Service Discovery1	SMB/Windows Admin Shares	Clipboard Data2	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection222	Masquerading1	NTDS	File and Directory Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion2	LSA Secrets	System Information Discovery34	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Security Software Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol11	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection222	DCSync	Virtualization/Sandbox Evasion2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
QuotationInvoices.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.QuotationInvoices.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
1.0.QuotationInvoices.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
0.0.QuotationInvoices.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File

Domains

Source	Detection	Scanner	Label	Link
greatglass.servebeer.com	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
greatglass.servebeer.com	5%	Virustotal		Browse
greatglass.servebeer.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
greatglass.servebeer.com	194.5.97.248	true	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
greatglass.servebeer.com	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	QuotationInvoices.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	QuotationInvoices.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.97.248	unknown	Netherlands		208476	DANILENKODE	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356046
Start date:	22.02.2021
Start time:	13:56:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 25s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	QuotationInvoices.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/5@53/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 16% (good quality ratio 15.4%) Quality average: 83.5% Quality standard deviation: 24.9%
HCA Information:	Successful, ratio: 72% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.193.48, 51.104.144.132, 204.79.197.200, 13.107.21.200, 168.61.161.212, 23.211.6.115, 8.248.137.254, 8.248.135.254, 8.248.117.254, 8.248.115.254, 8.253.204.249, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.104.139.180 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:57:43	API Interceptor	1041x Sleep call for process: QuotationInvoices.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
194.5.97.248	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse
	QuotationCVXpo00029392.exe	Get hash	malicious	Browse
	51MRQ TECH DATA -RFQ - SPECIFICATIONS -CHECK LIST.exe	Get hash	malicious	Browse
	42MRQ TECH DATA -RFQ - SPECIFICATIONS -CHECK LIST.exe	Get hash	malicious	Browse
	41BURULLUS - EPC WORKS FOR ROSETTA SHARING FACILITIES - PROJECT.exe	Get hash	malicious	Browse
	45MRQ TECH DATA -RFQ - SPECIFICATIONS -CHECK LIST.exe	Get hash	malicious	Browse
	44BURULLUS - EPC WORKS FOR ROSETTA SHARING FACILITIES - PROJECT.exe	Get hash	malicious	Browse
	14MRQ TECH DATA -RFQ - SPECIFICATIONS -CHECK LIST.exe	Get hash	malicious	Browse
	13BURULLUS - EPC WORKS FOR ROSETTA SHARING FACILITIES - PROJECT.exe	Get hash	malicious	Browse
	33BURULLUS - EPC WORKS FOR ROSETTA SHARING FACILITIES - PROJECT.exe	Get hash	malicious	Browse
	8MRQ TECH DATA -RFQ - SPECIFICATIONS -CHECK LIST.exe	Get hash	malicious	Browse
	7BURULLUS - EPC WORKS FOR ROSETTA SHARING FACILITIES - PROJECT.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
greatglass.servebeer.com	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse	194.5.97.248
greatglass.servebeer.com	QuotationCVXpo00029392.exe	Get hash	malicious	Browse	194.5.97.248

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	PAYMENT_.EXE	Get hash	malicious	Browse	194.5.98.211
	payment.exe	Get hash	malicious	Browse	194.5.98.66
	RFQ_1101983736366355 1101938377388.exe	Get hash	malicious	Browse	194.5.98.21
	Slip copy .xls.exe	Get hash	malicious	Browse	194.5.97.116
	Scan0059.pdf.exe	Get hash	malicious	Browse	194.5.97.34
	DHL AWB # 6008824216.png.exe	Get hash	malicious	Browse	194.5.97.48
	Scan0019.exe	Get hash	malicious	Browse	194.5.97.34
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse	194.5.97.248
	Invoice467972.jar	Get hash	malicious	Browse	194.5.97.18
	Invoice467972.jar	Get hash	malicious	Browse	194.5.97.18
	Hk6Im7DPON.exe	Get hash	malicious	Browse	194.5.98.107
	Zfpmspqv.exe	Get hash	malicious	Browse	194.5.97.21
	Notification of payment.exe	Get hash	malicious	Browse	194.5.97.92
	Zv3r4M6NeJOSoDQ.exe	Get hash	malicious	Browse	194.5.98.26
	MT0128.jar	Get hash	malicious	Browse	194.5.97.18
	MT0128.jar	Get hash	malicious	Browse	194.5.97.18
	Orden.exe	Get hash	malicious	Browse	194.5.97.8
	DHL_6368638172 receipt document,pdf.exe	Get hash	malicious	Browse	194.5.97.21
	tax-irs.exe	Get hash	malicious	Browse	194.5.97.232
	a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe	Get hash	malicious	Browse	194.5.97.207

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll	PO.exe	Get hash	malicious	Browse
	SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe	Get hash	malicious	Browse
	SecuriteInfo.com.FileRepMalware.24882.exe	Get hash	malicious	Browse
	PDF_doc.exe	Get hash	malicious	Browse
	09000000000000.jar	Get hash	malicious	Browse
	quotation10204168.dox.xlsx	Get hash	malicious	Browse
	notice of arrivalpdf.exe	Get hash	malicious	Browse
	R5BNZ68i0f.exe	Get hash	malicious	Browse
	payment.exe	Get hash	malicious	Browse
	notice of arrival.xlsx	Get hash	malicious	Browse
	Invoice Overdue.exe	Get hash	malicious	Browse
	Invoice Overdue.exe	Get hash	malicious	Browse
	CHEQUE COPY RECEIPT.exe	Get hash	malicious	Browse
	Remittance copy.xlsx	Get hash	malicious	Browse
	CI + PL.xlsx	Get hash	malicious	Browse
	RFQ_Enquiry_0002379_.xlsx	Get hash	malicious	Browse
	QUOTATION.exe	Get hash	malicious	Browse
	AgroAG008021921doc_pdf.exe	Get hash	malicious	Browse
	CHEQUE COPY.exe	Get hash	malicious	Browse
	Bank Details.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsc875C.tmp\System.dll Download File
Process:	C:\Users\user\Desktop\QuotationInvoices.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.855045165595541
Encrypted:	false
SSDEEP:	192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:	FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:	30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:	F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: PO.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.24882.exe, Detection: malicious, Browse Filename: PDF_doc.exe, Detection: malicious, Browse Filename: 09000000000000.jar, Detection: malicious, Browse Filename: quotation10204168.dox.xlsx, Detection: malicious, Browse Filename: notice of arrivalpdf.exe, Detection: malicious, Browse Filename: R5BNZ68i0f.exe, Detection: malicious, Browse Filename: payment.exe, Detection: malicious, Browse Filename: notice of arrival.xlsx, Detection: malicious, Browse Filename: Invoice Overdue.exe, Detection: malicious, Browse Filename: Invoice Overdue.exe, Detection: malicious, Browse Filename: CHEQUE COPY RECEIPT.exe, Detection: malicious, Browse Filename: Remittance copy.xlsx, Detection: malicious, Browse Filename: CI + PL.xlsx, Detection: malicious, Browse Filename: RFQ_Enquiry_0002379_.xlsx, Detection: malicious, Browse Filename: QUOTATION.exe, Detection: malicious, Browse Filename: AgroAG008021921doc_pdf.exe, Detection: malicious, Browse Filename: CHEQUE COPY.exe, Detection: malicious, Browse Filename: Bank Details.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsh872C.tmp Download File
Process:	C:\Users\user\Desktop\QuotationInvoices.exe
File Type:	data
Category:	dropped
Size (bytes):	504230
Entropy (8bit):	7.974803391738096
Encrypted:	false
SSDEEP:	6144:laXlqi0/y4lwKzPHdRAFexzsJ/PvzFjBTkBVg90SS6+qLHmFAgOSqxn+8fp2zwIL:yWySRbHdRAF8zQNVk80QSF3qVLUMXO
MD5:	1A5019ACCB8B2C592D98DDCA4D53EA6E
SHA1:	64EB9F091F2A25E64FE5DC52F614499BBBA755AA
SHA-256:	C4F464C4A1CEFF309A6388157AB9FBF26A795C6F5E770D4929892C1A92FFB68E
SHA-512:	9A8EDE65C20C9B24ECC3F72FFB4AB1003A7514596175A067BC006D0BF9BB66BBEAF02EFD82ADA1C1C460F114561972F8F98A94738E84B9FA5E82A0A564A9C00E
Malicious:	false
Reputation:	low
Preview:	........,...................$...............................................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\okqry.a Download File
Process:	C:\Users\user\Desktop\QuotationInvoices.exe
File Type:	data
Category:	dropped
Size (bytes):	465408
Entropy (8bit):	7.999601945479521
Encrypted:	true
SSDEEP:	6144:Q/y4lwKzPHdRAFexzsJ/PvzFjBTkBVg90SS6+qLHmFAgOSqxn+8fp2zwI2P8LQ5:cySRbHdRAF8zQNVk80QSF3qVLUMX/
MD5:	96876AE06A1E7B087CA4B25713691E25
SHA1:	EB0C572D4DBD1303BCC20D5E13CA1B5DA6851980
SHA-256:	5144E9DBA5EE3C3CB46706B8095D6EAA2C1AA0D48B4016ECB03CABB844D8EA36
SHA-512:	B6F409C132903A752BC10FE083FF5D53366FC22C81DBAF1D7C737DD2F03D1E1A24F8DCA380BFD784232F79EDAB40E803E0AAB6386C4F4DF291E9AE4CC6793FC9
Malicious:	false
Reputation:	low
Preview:	..I..[..k.m..F....jq..#.f.........0.......U6./h.NL...!........f.n.+.`~..Y.;f.U.{..p,..g...U..C...V...$..F.d......Z...'....=.:T.M...!..W..]. ..C.lt..#.s...X.....k"<.k.)a.....H..O..F..:.nx..r...D.u"..c...o..g....T...d.W...J..im.....@W<v...15....JH.......w......7jYJ.X..>..]}...5...Z.k..6.9<..OZ.\|...............=...T.}............y...5...L.?....R..S=..\....Z..>..E.......a..Fp.....7..Lu.wW.$.>....~.)..S.np.:..S....?.F...-........v{.k(iB.c. ...LYKE..-......s.pq..~{....g.....@.N@.<.....N...$/7)v..n.Q..'..F.h.d\|.El...Hy..G...yu.z...... :e..m.2.?......P.z h.j=. h...s..{...h.W.._).FT.w..-4Z{]Z...D.ZT.F..^w7..5b.6\...dC2'..1....c.R~<rL.U7..R~.h.......5.....4......\|.../p...<#.O...3..W..n.".e..7V.y.....K..\7AD`....IhZ"~6...B2........B........p...7.0...F.J.:..?.j...c.u.B.F:Ka.n.y.].`.s,.......G\:q.d.1.p..\.....B.e...\|.$d.....a$_b.T....X)..D.zxp.Q7.3..T.U.U5$.Y..8a2...8..k.......(2q2I.4.....G7[f....J.e..$...-z?..G..G/..(H.Wb.....tX}O.W.

C:\Users\user\AppData\Local\Temp\xmtfn.dll Download File
Process:	C:\Users\user\Desktop\QuotationInvoices.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	7.589805073051753
Encrypted:	false
SSDEEP:	384:qlpTPQpU2T5eiynNSnAouNfxkSa598ZHWZoujzWxy9sp/x:6hPv29XiSnApNftS9aWZoujzWxX/x
MD5:	7B57E6D08CC3767914CA51A604BC6D13
SHA1:	AFE12DBF77D6FBCF8960D5761699D821AFCCB2B2
SHA-256:	29E898A600F9A16D828D355709391981396735139E3A8FDB6ADDA75F0AFC670B
SHA-512:	106CEEE1485DE5ABC7E977BE4CB17E388D1ECB54FCCD1B3ADD75AFC2A5625A81416998E8E9822DF8485CA8265FDA804826D308C2CF27DE2667EA80A359D823C0
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............e.J.e.J.e.J.e.J.e.JI..J.e.J..{J.e.J...J.e.J..\|J.e.J..yJ.e.JRich.e.J........PE..L.....3`...........!.........T............... .......................................................................$..I.... ....................................................................................... ...............................text...F........................... ..`.rdata....... ......................@..@.data....J...0...L..................@....rsrc................Z..............@..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Users\user\Desktop\QuotationInvoices.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	4.716474907822009
Encrypted:	false
SSDEEP:	3:ttUHrCqDDIrA4RXMRPHv31aeo:tmcXqdHv3IP
MD5:	BD035BD4CCB00A887A17BA7CDE17D115
SHA1:	FCD6C75314E60CC8B7329184C4E866C783D66664
SHA-256:	9AFCF5D6F8CF2857C5DCD6C3B7C991F1BF3E41FFEFDA08F1DFC6E4BD75CD34E7
SHA-512:	22F353D48726C12134A9D1911FE299DB6D852D7D13110AA62AB5849B82386D058E452250D99849F3B93CADFEEBB9F04F41B611A5FCD67E643E13F0E81E49F924
Malicious:	true
Reputation:	low
Preview:	..[2021/02/22 13:57:43 Offline Keylogger Started]....[ Program Manager ]..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.974691206115224
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	QuotationInvoices.exe
File size:	528567
MD5:	9c51e2991c6c9708d783aab030dcc0da
SHA1:	64accc9e3f84e7365d8236c580b9644427e3f9e3
SHA256:	572a6a6fa5277c2b4cc040710694d33b2def62ab74e2801893d33e92e7b105af
SHA512:	c8725d2abba8f2ae1c483d948f2909ff73736e4efa415d6a26f91cf2226431720b13f15868b4177d8b581287a1d41c4c051913a0faf8f95f599f14b5133ab5b0
SSDEEP:	12288:Nro6kYoqOR5HdRAFmzKNVky0QynxqHLUmb8uAT:NrEYyBRAFm2/ky0RxqHLLAT
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L..._.$_.................f...x.......4............@

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x403486
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D75F [Sat Aug 1 02:45:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ea4e67a31ace1a72683a99b80cf37830

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B0h]
call dword ptr [004080C0h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F44Ch], eax
je 00007FE020EC52D3h
push ebx
call 00007FE020EC844Eh
cmp eax, ebx
je 00007FE020EC52C9h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007FE020EC83CAh
push esi
call dword ptr [004080B8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FE020EC52ADh
push 0000000Bh
call 00007FE020EC8422h
push 00000009h
call 00007FE020EC841Bh
push 00000007h
mov dword ptr [0042F444h], eax
call 00007FE020EC840Fh
cmp eax, ebx
je 00007FE020EC52D1h
push 0000001Eh
call eax
test eax, eax
je 00007FE020EC52C9h
or byte ptr [0042F44Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F518h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429878h
call dword ptr [0040816Ch]
push 0040A1ECh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x9c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x65ad	0x6600	False	0.675628063725	data	6.48593060343	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	False	0.4634765625	data	5.26110074066	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25558	0x600	False	0.470052083333	data	4.21916068772	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x9c0	0xa00	False	0.466015625	data	4.37730261639	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_DIALOG	0x38148	0x100	data	English	United States
RT_DIALOG	0x38248	0x11c	data	English	United States
RT_DIALOG	0x38364	0x60	data	English	United States
RT_VERSION	0x383c4	0x2bc	data	English	United States
RT_MANIFEST	0x38680	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Version Infos

Description	Data
LegalCopyright	Copyright fire escape
FileVersion	95.84.67.13
CompanyName	Angas Proper Group 2 Cluster
LegalTrademarks	American dollar
Comments	Benin
ProductName	arability
FileDescription	Indonesian Sign Language
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 13:57:43.352075100 CET	49731	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:43.401926994 CET	1961	49731	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:44.073777914 CET	49731	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:44.123581886 CET	1961	49731	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:44.683206081 CET	49731	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:44.733222008 CET	1961	49731	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:45.844968081 CET	49734	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:45.895118952 CET	1961	49734	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:46.574366093 CET	49734	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:46.624531984 CET	1961	49734	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:47.183406115 CET	49734	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:47.236166000 CET	1961	49734	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:48.359405041 CET	49737	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:48.409497976 CET	1961	49737	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:49.074224949 CET	49737	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:49.124393940 CET	1961	49737	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:49.636784077 CET	49737	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:49.688222885 CET	1961	49737	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:50.799252033 CET	49740	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:50.849482059 CET	1961	49740	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:51.355676889 CET	49740	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:51.406126022 CET	1961	49740	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:51.918296099 CET	49740	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:51.968597889 CET	1961	49740	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:53.068404913 CET	49742	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:53.120964050 CET	1961	49742	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:53.621481895 CET	49742	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:53.671588898 CET	1961	49742	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:54.183969975 CET	49742	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:54.234508038 CET	1961	49742	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:55.346158981 CET	49745	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:55.398158073 CET	1961	49745	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:55.902920961 CET	49745	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:55.953052998 CET	1961	49745	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:56.465475082 CET	49745	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:56.515491009 CET	1961	49745	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:57.913294077 CET	49746	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:57.963583946 CET	1961	49746	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:58.465712070 CET	49746	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:58.515902996 CET	1961	49746	194.5.97.248	192.168.2.4
Feb 22, 2021 13:57:59.028270006 CET	49746	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:57:59.078471899 CET	1961	49746	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:00.185934067 CET	49747	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:00.235944986 CET	1961	49747	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:00.747117996 CET	49747	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:00.797133923 CET	1961	49747	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:01.309602976 CET	49747	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:01.359744072 CET	1961	49747	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:02.470401049 CET	49748	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:02.520298958 CET	1961	49748	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:03.028613091 CET	49748	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:03.080817938 CET	1961	49748	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:03.591046095 CET	49748	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:03.642575979 CET	1961	49748	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:04.743042946 CET	49749	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:04.795856953 CET	1961	49749	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:05.309971094 CET	49749	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:05.360222101 CET	1961	49749	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:05.872490883 CET	49749	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:05.922924995 CET	1961	49749	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:07.025953054 CET	49752	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:07.076220036 CET	1961	49752	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:07.591339111 CET	49752	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:07.643918037 CET	1961	49752	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:08.153973103 CET	49752	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:08.204159975 CET	1961	49752	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:09.296627045 CET	49753	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:09.346679926 CET	1961	49753	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:09.857320070 CET	49753	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:09.909199953 CET	1961	49753	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:10.419747114 CET	49753	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:10.469902992 CET	1961	49753	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:11.568994999 CET	49754	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:11.620316982 CET	1961	49754	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:12.123130083 CET	49754	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:12.173362970 CET	1961	49754	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:12.685606003 CET	49754	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:12.735862970 CET	1961	49754	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:14.202236891 CET	49755	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:14.254498005 CET	1961	49755	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:14.779519081 CET	49755	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:14.830630064 CET	1961	49755	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:15.342042923 CET	49755	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:15.394045115 CET	1961	49755	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:16.731570005 CET	49756	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:16.784250975 CET	1961	49756	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:17.373569965 CET	49756	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:17.423772097 CET	1961	49756	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:18.061012030 CET	49756	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:18.111196041 CET	1961	49756	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:19.202740908 CET	49757	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:19.254518032 CET	1961	49757	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:19.764285088 CET	49757	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:19.814393997 CET	1961	49757	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:20.329847097 CET	49757	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:20.379925013 CET	1961	49757	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:21.470912933 CET	49758	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:21.524544954 CET	1961	49758	194.5.97.248	192.168.2.4
Feb 22, 2021 13:58:22.030051947 CET	49758	1961	192.168.2.4	194.5.97.248
Feb 22, 2021 13:58:22.080391884 CET	1961	49758	194.5.97.248	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 13:57:30.884157896 CET	65248	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:30.932887077 CET	53	65248	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:31.995923996 CET	53723	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:32.044653893 CET	53	53723	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:32.189984083 CET	64646	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:32.241077900 CET	53	64646	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:32.368320942 CET	65298	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:32.416887999 CET	53	65298	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:32.958420038 CET	59123	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:33.007092953 CET	53	59123	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:33.925764084 CET	54531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:33.977324009 CET	53	54531	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:34.594816923 CET	49714	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:34.653037071 CET	53	49714	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:35.155740023 CET	58028	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:35.207124949 CET	53	58028	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:36.390825987 CET	53097	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:36.448599100 CET	53	53097	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:37.644206047 CET	49257	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:37.694472075 CET	53	49257	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:38.995876074 CET	62389	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:39.047319889 CET	53	62389	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:40.487632036 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:40.536463976 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:41.704668045 CET	55854	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:41.756934881 CET	53	55854	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:43.046756029 CET	64549	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:43.100265026 CET	53	64549	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:43.281383991 CET	63153	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:43.340078115 CET	53	63153	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:44.232898951 CET	52991	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:44.281585932 CET	53	52991	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:45.437531948 CET	53700	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:45.490942001 CET	53	53700	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:45.782011986 CET	51726	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:45.843770027 CET	53	51726	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:46.696166992 CET	56794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:46.744786024 CET	53	56794	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:47.899638891 CET	56534	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:47.954885960 CET	53	56534	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:48.295202017 CET	56627	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:48.358426094 CET	53	56627	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:48.874819040 CET	56621	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:48.925355911 CET	53	56621	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:50.140919924 CET	63116	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:50.189668894 CET	53	63116	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:50.736525059 CET	64078	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:50.798317909 CET	53	64078	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:51.098829985 CET	64801	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:51.147923946 CET	53	64801	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:53.005208015 CET	61721	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:53.067468882 CET	53	61721	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:53.163702011 CET	51255	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:53.215184927 CET	53	51255	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:54.339315891 CET	61522	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:54.391067982 CET	53	61522	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:55.282325029 CET	52337	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:55.343982935 CET	53	52337	8.8.8.8	192.168.2.4
Feb 22, 2021 13:57:57.862533092 CET	55046	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:57:57.912153006 CET	53	55046	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:00.124687910 CET	49612	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:00.184590101 CET	53	49612	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:02.406542063 CET	49285	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:02.469014883 CET	53	49285	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:04.680299044 CET	50601	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:04.741290092 CET	53	50601	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:06.359139919 CET	60875	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:06.407919884 CET	53	60875	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:06.964596033 CET	56448	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:07.023207903 CET	53	56448	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:09.238373041 CET	59172	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:09.295730114 CET	53	59172	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:11.507550955 CET	62420	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:11.565102100 CET	53	62420	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:14.141773939 CET	60579	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:14.198827982 CET	53	60579	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:16.668684959 CET	50183	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:16.730441093 CET	53	50183	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:19.152645111 CET	61531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:19.201297045 CET	53	61531	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:21.412386894 CET	49228	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:21.469583988 CET	53	49228	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:23.686291933 CET	59794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:23.743386030 CET	53	59794	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:25.964018106 CET	55916	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:26.021049976 CET	53	55916	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:26.651815891 CET	52752	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:26.705871105 CET	53	52752	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:26.998788118 CET	60542	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:27.074356079 CET	53	60542	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:28.138034105 CET	60689	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:28.246357918 CET	53	60689	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:28.293483019 CET	64206	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:28.345366955 CET	53	64206	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:28.834017992 CET	50904	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:28.893484116 CET	53	50904	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:29.362914085 CET	57525	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:29.420852900 CET	53	57525	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:30.026035070 CET	53814	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:30.029351950 CET	53418	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:30.101344109 CET	53	53418	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:30.105496883 CET	53	53814	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:30.669245958 CET	62833	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:30.729173899 CET	53	62833	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:30.732491970 CET	59260	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:30.781126022 CET	53	59260	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:31.304718971 CET	49944	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:31.385407925 CET	53	49944	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:32.175874949 CET	63300	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:32.235533953 CET	53	63300	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:33.089649916 CET	61449	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:33.137404919 CET	51275	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:33.146944046 CET	53	61449	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:33.194329977 CET	53	51275	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:33.689402103 CET	63492	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:33.752295971 CET	53	63492	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:35.352124929 CET	58945	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:35.408977985 CET	53	58945	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:37.617449045 CET	60779	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:37.674660921 CET	53	60779	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:39.893341064 CET	64014	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:39.944017887 CET	53	64014	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:42.163970947 CET	57091	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:42.197487116 CET	55904	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:42.212634087 CET	53	57091	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:42.246172905 CET	53	55904	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:42.406217098 CET	52109	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:42.466309071 CET	53	52109	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:44.456279039 CET	54450	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:44.507868052 CET	53	54450	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:45.970840931 CET	49374	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:46.030608892 CET	53	49374	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:46.754059076 CET	50436	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:46.812547922 CET	53	50436	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:49.044269085 CET	62605	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:49.105220079 CET	53	62605	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:51.340818882 CET	54256	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:51.406141996 CET	53	54256	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:53.647906065 CET	52189	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:53.708487034 CET	53	52189	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:55.943375111 CET	56131	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:56.003597975 CET	53	56131	8.8.8.8	192.168.2.4
Feb 22, 2021 13:58:58.224080086 CET	62992	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:58:58.276984930 CET	53	62992	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:00.499053955 CET	54432	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:00.550509930 CET	53	54432	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:02.975363016 CET	57227	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:03.037074089 CET	53	57227	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:05.908447981 CET	58383	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:05.966707945 CET	53	58383	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:08.214849949 CET	63136	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:08.274915934 CET	53	63136	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:10.491177082 CET	50911	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:10.552557945 CET	53	50911	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:12.773044109 CET	63409	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:12.830398083 CET	53	63409	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:15.077661991 CET	59185	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:15.137773037 CET	53	59185	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:17.362710953 CET	64236	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:17.419770002 CET	53	64236	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:19.654303074 CET	56157	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:19.711353064 CET	53	56157	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:20.151802063 CET	55601	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:20.200400114 CET	53	55601	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:21.991266966 CET	52984	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:22.049139977 CET	53	52984	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:22.722409964 CET	51141	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:22.779922009 CET	53	51141	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:24.288728952 CET	53610	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:24.345722914 CET	53	53610	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:26.587452888 CET	61247	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:26.639040947 CET	53	61247	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:28.864841938 CET	65165	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:28.916455030 CET	53	65165	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:31.158606052 CET	52076	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:31.207633972 CET	53	52076	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:33.446224928 CET	54903	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:33.507658005 CET	53	54903	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:35.753556967 CET	55045	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:35.802786112 CET	53	55045	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:38.046181917 CET	54464	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:38.108414888 CET	53	54464	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:40.350781918 CET	50970	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:40.401925087 CET	53	50970	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:42.585230112 CET	55261	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:42.634088993 CET	53	55261	8.8.8.8	192.168.2.4
Feb 22, 2021 13:59:44.822701931 CET	59809	53	192.168.2.4	8.8.8.8
Feb 22, 2021 13:59:44.885376930 CET	53	59809	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 22, 2021 13:57:43.281383991 CET	192.168.2.4	8.8.8.8	0xde5a	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:45.782011986 CET	192.168.2.4	8.8.8.8	0x4f79	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:48.295202017 CET	192.168.2.4	8.8.8.8	0x76a7	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:50.736525059 CET	192.168.2.4	8.8.8.8	0x4057	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:53.005208015 CET	192.168.2.4	8.8.8.8	0xfcc3	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:55.282325029 CET	192.168.2.4	8.8.8.8	0x8df4	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:57.862533092 CET	192.168.2.4	8.8.8.8	0xfc4a	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:00.124687910 CET	192.168.2.4	8.8.8.8	0x18e3	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:02.406542063 CET	192.168.2.4	8.8.8.8	0x2294	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:04.680299044 CET	192.168.2.4	8.8.8.8	0x81e4	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:06.964596033 CET	192.168.2.4	8.8.8.8	0x4364	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:09.238373041 CET	192.168.2.4	8.8.8.8	0xcbb9	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:11.507550955 CET	192.168.2.4	8.8.8.8	0x3f87	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:14.141773939 CET	192.168.2.4	8.8.8.8	0x7c01	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:16.668684959 CET	192.168.2.4	8.8.8.8	0x4ec5	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:19.152645111 CET	192.168.2.4	8.8.8.8	0x4332	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:21.412386894 CET	192.168.2.4	8.8.8.8	0xf26c	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:23.686291933 CET	192.168.2.4	8.8.8.8	0xef30	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:25.964018106 CET	192.168.2.4	8.8.8.8	0xeef9	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:28.293483019 CET	192.168.2.4	8.8.8.8	0xa17b	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:30.732491970 CET	192.168.2.4	8.8.8.8	0xb344	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:33.089649916 CET	192.168.2.4	8.8.8.8	0x1aa5	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:35.352124929 CET	192.168.2.4	8.8.8.8	0x326b	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:37.617449045 CET	192.168.2.4	8.8.8.8	0xf5f2	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:39.893341064 CET	192.168.2.4	8.8.8.8	0x3eb2	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:42.163970947 CET	192.168.2.4	8.8.8.8	0x71df	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:44.456279039 CET	192.168.2.4	8.8.8.8	0xd87	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:46.754059076 CET	192.168.2.4	8.8.8.8	0xb6f8	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:49.044269085 CET	192.168.2.4	8.8.8.8	0xbe80	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:51.340818882 CET	192.168.2.4	8.8.8.8	0x7899	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:53.647906065 CET	192.168.2.4	8.8.8.8	0xf149	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:55.943375111 CET	192.168.2.4	8.8.8.8	0x2070	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:58.224080086 CET	192.168.2.4	8.8.8.8	0x43dc	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:00.499053955 CET	192.168.2.4	8.8.8.8	0x4f83	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:02.975363016 CET	192.168.2.4	8.8.8.8	0x27e1	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:05.908447981 CET	192.168.2.4	8.8.8.8	0x6128	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:08.214849949 CET	192.168.2.4	8.8.8.8	0x174f	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:10.491177082 CET	192.168.2.4	8.8.8.8	0x8d7	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:12.773044109 CET	192.168.2.4	8.8.8.8	0x3f68	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:15.077661991 CET	192.168.2.4	8.8.8.8	0xcfc	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:17.362710953 CET	192.168.2.4	8.8.8.8	0xd2d2	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:19.654303074 CET	192.168.2.4	8.8.8.8	0xf13f	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:21.991266966 CET	192.168.2.4	8.8.8.8	0x55fb	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:24.288728952 CET	192.168.2.4	8.8.8.8	0xa732	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:26.587452888 CET	192.168.2.4	8.8.8.8	0xb854	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:28.864841938 CET	192.168.2.4	8.8.8.8	0x698f	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:31.158606052 CET	192.168.2.4	8.8.8.8	0xe4e9	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:33.446224928 CET	192.168.2.4	8.8.8.8	0xc7e	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:35.753556967 CET	192.168.2.4	8.8.8.8	0x9f8f	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:38.046181917 CET	192.168.2.4	8.8.8.8	0x2a19	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:40.350781918 CET	192.168.2.4	8.8.8.8	0xc7dc	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:42.585230112 CET	192.168.2.4	8.8.8.8	0xcae	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:44.822701931 CET	192.168.2.4	8.8.8.8	0xbe0e	Standard query (0)	greatglass.servebeer.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 22, 2021 13:57:43.340078115 CET	8.8.8.8	192.168.2.4	0xde5a	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:45.843770027 CET	8.8.8.8	192.168.2.4	0x4f79	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:48.358426094 CET	8.8.8.8	192.168.2.4	0x76a7	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:50.798317909 CET	8.8.8.8	192.168.2.4	0x4057	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:53.067468882 CET	8.8.8.8	192.168.2.4	0xfcc3	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:55.343982935 CET	8.8.8.8	192.168.2.4	0x8df4	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:57:57.912153006 CET	8.8.8.8	192.168.2.4	0xfc4a	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:00.184590101 CET	8.8.8.8	192.168.2.4	0x18e3	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:02.469014883 CET	8.8.8.8	192.168.2.4	0x2294	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:04.741290092 CET	8.8.8.8	192.168.2.4	0x81e4	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:07.023207903 CET	8.8.8.8	192.168.2.4	0x4364	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:09.295730114 CET	8.8.8.8	192.168.2.4	0xcbb9	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:11.565102100 CET	8.8.8.8	192.168.2.4	0x3f87	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:14.198827982 CET	8.8.8.8	192.168.2.4	0x7c01	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:16.730441093 CET	8.8.8.8	192.168.2.4	0x4ec5	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:19.201297045 CET	8.8.8.8	192.168.2.4	0x4332	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:21.469583988 CET	8.8.8.8	192.168.2.4	0xf26c	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:23.743386030 CET	8.8.8.8	192.168.2.4	0xef30	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:26.021049976 CET	8.8.8.8	192.168.2.4	0xeef9	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:28.345366955 CET	8.8.8.8	192.168.2.4	0xa17b	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:30.781126022 CET	8.8.8.8	192.168.2.4	0xb344	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:33.146944046 CET	8.8.8.8	192.168.2.4	0x1aa5	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:35.408977985 CET	8.8.8.8	192.168.2.4	0x326b	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:37.674660921 CET	8.8.8.8	192.168.2.4	0xf5f2	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:39.944017887 CET	8.8.8.8	192.168.2.4	0x3eb2	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:42.212634087 CET	8.8.8.8	192.168.2.4	0x71df	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:44.507868052 CET	8.8.8.8	192.168.2.4	0xd87	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:46.812547922 CET	8.8.8.8	192.168.2.4	0xb6f8	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:49.105220079 CET	8.8.8.8	192.168.2.4	0xbe80	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:51.406141996 CET	8.8.8.8	192.168.2.4	0x7899	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:53.708487034 CET	8.8.8.8	192.168.2.4	0xf149	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:56.003597975 CET	8.8.8.8	192.168.2.4	0x2070	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:58:58.276984930 CET	8.8.8.8	192.168.2.4	0x43dc	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:00.550509930 CET	8.8.8.8	192.168.2.4	0x4f83	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:03.037074089 CET	8.8.8.8	192.168.2.4	0x27e1	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:05.966707945 CET	8.8.8.8	192.168.2.4	0x6128	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:08.274915934 CET	8.8.8.8	192.168.2.4	0x174f	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:10.552557945 CET	8.8.8.8	192.168.2.4	0x8d7	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:12.830398083 CET	8.8.8.8	192.168.2.4	0x3f68	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:15.137773037 CET	8.8.8.8	192.168.2.4	0xcfc	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:17.419770002 CET	8.8.8.8	192.168.2.4	0xd2d2	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:19.711353064 CET	8.8.8.8	192.168.2.4	0xf13f	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:22.049139977 CET	8.8.8.8	192.168.2.4	0x55fb	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:24.345722914 CET	8.8.8.8	192.168.2.4	0xa732	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:26.639040947 CET	8.8.8.8	192.168.2.4	0xb854	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:28.916455030 CET	8.8.8.8	192.168.2.4	0x698f	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:31.207633972 CET	8.8.8.8	192.168.2.4	0xe4e9	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:33.507658005 CET	8.8.8.8	192.168.2.4	0xc7e	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:35.802786112 CET	8.8.8.8	192.168.2.4	0x9f8f	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:38.108414888 CET	8.8.8.8	192.168.2.4	0x2a19	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:40.401925087 CET	8.8.8.8	192.168.2.4	0xc7dc	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:42.634088993 CET	8.8.8.8	192.168.2.4	0xcae	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)
Feb 22, 2021 13:59:44.885376930 CET	8.8.8.8	192.168.2.4	0xbe0e	No error (0)	greatglass.servebeer.com	194.5.97.248	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: QuotationInvoices.exe PID: 7036 Parent PID: 5924

General

Start time:	13:57:38
Start date:	22/02/2021
Path:	C:\Users\user\Desktop\QuotationInvoices.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\QuotationInvoices.exe'
Imagebase:	0x400000
File size:	528567 bytes
MD5 hash:	9C51E2991C6C9708D783AAB030DCC0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.667197281.0000000002A70000.00000004.00000001.sdmp, Author: unknown
Reputation:	low

Analysis Process: QuotationInvoices.exe PID: 7072 Parent PID: 7036

General

Start time:	13:57:39
Start date:	22/02/2021
Path:	C:\Users\user\Desktop\QuotationInvoices.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\QuotationInvoices.exe'
Imagebase:	0x400000
File size:	528567 bytes
MD5 hash:	9C51E2991C6C9708D783AAB030DCC0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000001.00000001.663167910.0000000000400000.00000040.00020000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.919352966.0000000000487000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000001.00000002.919290826.0000000000400000.00000040.00000001.sdmp, Author: unknown
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report QuotationInvoices.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Remcos

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre