31.0.0 Emerald
IR
388089
CloudBasic
21:36:31
15/04/2021
SBG-1100319PurchaseOrder.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
2dd62d78b9f7e9c5529502e085b55756
151d4cd68958df35ae706cc232627a05e923307f
c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992
Win32 Executable (generic) a (10002005/4) 99.15%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
true
2DD62D78B9F7E9C5529502E085B55756
151D4CD68958DF35AE706CC232627A05E923307F
C63A3F86BE406A11E8F7760403E407A97441753205F8CEF432FD634856CA2992
C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs
true
8E21029138080630E1FCF8A6B4DA0159
B0B4C5CB0A53268829CB4FF33FBD906568FCD54B
E692E45BD1482FA4C1932955B196BE0AA212EB792AFB65CDB85EA457EE5258B5
C:\Users\user\AppData\Roaming\remcos\logs.dat
true
0549758588F8B85AAC20868F10523E34
AE76F042B448277EF3CBACC63D7F00A8F6F1948F
AC69EE30064EB845886176352A94214F1E278B7890BE119FDEE7F05AA234F467
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Found malware configuration
Potential malicious icon found
Sigma detected: Remcos
Yara detected GuLoader