Analysis Report V8IB839cvz.exe

Overview

General Information

Sample Name: V8IB839cvz.exe
Analysis ID: 429553
MD5: 10d42f55d89b6fd42404e470e68f1996
SHA1: 3b9787bbfaae456fe082db8e2e61c70c5fb45328
SHA256: b84a345efddfa5a852c3e3c5c2c97dab1a6f4643906d80c0c8cafa1e25247326
Tags: exe, RAT, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Execution from Suspicious Folder
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 17.2.Xypgtv.exe.400000.0.unpack Malware Configuration Extractor: Remcos
  Host:Port:Password: nothinglike.ac.ug:6969:0brudfascaqezd.ac.ug:6969:0
  Assigned name: vvvvvvvvvv
  Connect interval: 1
  Install flag: Disable
  Setup HKCU\Run: Enable
  Setup HKLM\Run: Disable
  Install path: AppData
  Copy file: remcos.exe
  Startup value: Remcos
  Hide file: Disable
  Mutex: daxvxdsaxzcas-LAPFBZ
  Keylog flag: 0
  Keylog path: AppData
  Keylog file: logs.dat
  Keylog crypt: Disable
  Hide keylog file: Disable
  Screenshot flag: Disable
  Screenshot time: 10
  Take Screenshot option: Disable
  Take screenshot title: wikipedia;solitaire;
  Take screenshot time: 5
  Screenshot path: AppData
  Screenshot file: Screenshots
  Screenshot crypt: Disable
  Mouse option: Disable
  Delete file: Disable
  Audio record time: 5
  Audio path: AppData
  Audio folder: MicRecords
  Connect delay: 0
  Copy folder: Remcos
  Keylog folder: remcos
  Keylog file max size: 10000
Note: the Host:Port:Password value reads as two host:port:password entries run together. Remcos keeps several C2 entries in a single field separated by a non-printable byte, and the extractor output here has lost that separator, so the boundary between the first entry's password and the second host cannot be recovered with certainty from this text. Only the first host, nothinglike.ac.ug:6969, is listed under Networking, and it is consistent with the TCP connection to 79.134.225.25:6969 observed there. The Mutex value matches the mutant created at runtime (\Sessions\1\BaseNamedObjects\daxvxdsaxzcas-LAPFBZ). The install settings describe the Remcos stub's own logic (AppData\Remcos\remcos.exe, HKCU Run value "Remcos", with Install flag disabled); the copy that actually executed in this run came from C:\Users\Public\Xypgtv\Xypgtv.exe, next to a .url shortcut (C:\Users\Public\vtgpyX.url) that matched a shortcut-persistence Yara rule, so the config's paths should not be the only host indicators used.
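The extractor output above is easier to act on once it is normalised into a checkable IOC set. The following is an added example (not code from the report or from Joe Sandbox): it validates each C2 entry strictly and hands back anything that does not parse, so a flattened field like the one above surfaces as "unparsed" instead of silently producing a wrong host. The config values are copied from the report; the 0x1F separator between C2 entries, the %APPDATA% mapping for "AppData" and the validation rules are assumptions of this example.

```python
"""Normalise a Remcos configuration dump into a checkable IOC set.

Added example, not part of the Joe Sandbox report. Config values below are
copied from the extractor output on this page; the 0x1F separator between
C2 entries and the %APPDATA% mapping are assumptions about the Remcos
config format, and the validation rules are this example's own.
"""
from dataclasses import dataclass

HOST_SEP = "\x1f"  # assumed separator between host:port:password entries

# Subset of the extracted configuration as printed in the report.
REMCOS_CONFIG = {
    "Host:Port:Password": "nothinglike.ac.ug:6969:0brudfascaqezd.ac.ug:6969:0",
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Disable",
    "Install path": "AppData",
    "Copy folder": "Remcos",
    "Copy file": "remcos.exe",
    "Startup value": "Remcos",
    "Mutex": "daxvxdsaxzcas-LAPFBZ",
    "Keylog path": "AppData",
    "Keylog folder": "remcos",
    "Keylog file": "logs.dat",
}


@dataclass(frozen=True)
class C2Entry:
    host: str
    port: int
    password: str


def parse_hosts(field: str) -> tuple[list[C2Entry], list[str]]:
    """Split the C2 field into entries; return (valid, malformed).

    A valid entry is exactly host:port:password with a port in 1..65535.
    Anything else, including two entries run together because the separator
    was lost, is returned verbatim so the analyst sees it.
    """
    valid, malformed = [], []
    for raw in filter(None, field.split(HOST_SEP)):
        parts = raw.split(":")
        if len(parts) != 3 or not parts[1].isdigit() or not 0 < int(parts[1]) < 65536:
            malformed.append(raw)
            continue
        host, port, password = parts
        valid.append(C2Entry(host.strip().lower(), int(port), password))
    return valid, malformed


def extract_iocs(cfg: dict) -> dict:
    """Turn config keys into the host and network artefacts worth hunting for."""
    hosts, malformed = parse_hosts(cfg["Host:Port:Password"])
    # Remcos builds <Install path>\<Copy folder>\<Copy file>; "AppData" is
    # mapped to %APPDATA% here (assumption about how the builder resolves it).
    root = {"AppData": "%APPDATA%"}.get(cfg["Install path"], cfg["Install path"])
    run_value = cfg["Startup value"] if cfg["Setup HKCU\\Run"] == "Enable" else None
    return {
        "c2": [f"{h.host}:{h.port}" for h in hosts],
        "c2_unparsed": malformed,
        "mutex": cfg["Mutex"],
        "install_path": f"{root}\\{cfg['Copy folder']}\\{cfg['Copy file']}",
        "install_enabled": cfg["Install flag"] == "Enable",
        "hkcu_run_value": run_value,
        "keylog_path": f"{root}\\{cfg['Keylog folder']}\\{cfg['Keylog file']}",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(REMCOS_CONFIG), indent=2))
```

Run against the field as printed in this report, parse_hosts returns no valid entry and hands the flattened string back under c2_unparsed; with the separator byte present it yields one C2Entry per host. The mutex and the derived install and keylog paths are usable as-is, with the caveat from the note above that this run's loader chain used C:\Users\Public rather than the configured AppData location.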
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Xypgtv\Xypgtv.exe ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: V8IB839cvz.exe ReversingLabs: Detection: 41%
Yara detected Remcos RAT
Source: Yara match File source: 0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Xypgtv.exe PID: 6324, type: MEMORY
Source: Yara match File source: Process Memory Space: Xypgtv.exe PID: 6480, type: MEMORY
Source: Yara match File source: Process Memory Space: V8IB839cvz.exe PID: 6584, type: MEMORY
Source: Yara match File source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: V8IB839cvz.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00427D99 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 2_2_00427D99
Source: V8IB839cvz.exe, 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\V8IB839cvz.exe Unpacked PE file: 2.2.V8IB839cvz.exe.400000.0.unpack
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Unpacked PE file: 15.2.Xypgtv.exe.400000.0.unpack
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Unpacked PE file: 17.2.Xypgtv.exe.400000.0.unpack
Uses 32bit PE files
Source: V8IB839cvz.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004041E6 FindFirstFileW,FindNextFileW, 2_2_004041E6
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0043C2E9 FindFirstFileExA, 2_2_0043C2E9
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00406317 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_00406317
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0041146E FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 2_2_0041146E
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004074C9 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 2_2_004074C9
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004076E4 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 2_2_004076E4
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00406776 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_00406776
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004049A0 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW, 2_2_004049A0

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: nothinglike.ac.ug
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49745 -> 79.134.225.25:6969
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.25
Source: Joe Sandbox View IP Address: 162.159.130.233
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0040D14F SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,Sleep,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow, 2_2_0040D14F
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.4:49759 version: TLS 1.2
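The Networking section gives three independent signals: a TCP session to 79.134.225.25 on the non-standard port 6969 (matching the configured C2 port), a DNS query for the C2 domain, and a JA3 client fingerprint seen with other malware. The following is an added example (not code from the report or from Joe Sandbox) that checks each of them against constructed, Zeek-like log excerpts mirroring the traffic listed above. The column names, the RFC1918 "internal" test and the list of ports treated as ordinary are this example's assumptions; the indicator values are taken from the report.

```python
"""Match network telemetry against the C2 indicators in this report.

Added example, not part of the Joe Sandbox report. The log excerpts are
constructed in a Zeek-like tab-separated layout to mirror the Networking
section: a TCP session to 79.134.225.25:6969, TLS to 162.159.x.x:443, DNS
queries for cdn.discordapp.com and for the C2 domain. The column names, the
RFC1918 test and the ordinary-port list are this example's assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Indicators copied from the report.
C2_IPS = {"79.134.225.25"}
C2_DOMAINS = {"nothinglike.ac.ug"}
BAD_JA3 = {"37f463bf4616ecd445d4a1937da06e19"}
# Ports a workstation normally reaches directly; anything else to a
# non-RFC1918 address gets a lower-severity alert (assumption).
ORDINARY_PORTS = {53, 80, 443}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample logs, header row first.
CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1620000001.0\t192.168.2.4\t49729\t162.159.130.233\t443\ttcp
1620000002.0\t192.168.2.4\t49745\t79.134.225.25\t6969\ttcp
1620000003.0\t192.168.2.4\t49800\t10.0.0.5\t445\ttcp
1620000004.0\t192.168.2.4\t49801\t203.0.113.7\t6969\ttcp
"""
DNS_LOG = """\
ts\tid.orig_h\tquery
1620000000.5\t192.168.2.4\tcdn.discordapp.com
1620000000.9\t192.168.2.4\tnothinglike.ac.ug
1620000003.5\t192.168.2.4\tupdate.example
"""
SSL_LOG = """\
ts\tid.orig_h\tid.resp_h\tja3
1620000001.1\t192.168.2.4\t162.159.130.233\t37f463bf4616ecd445d4a1937da06e19
"""


@dataclass(frozen=True)
class Alert:
    kind: str
    host: str
    detail: str


def parse_tsv(text: str) -> list[dict]:
    rows = [line.split("\t") for line in text.splitlines() if line]
    return [dict(zip(rows[0], r)) for r in rows[1:]]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def triage(conn: str, dns: str, ssl: str) -> list[Alert]:
    """One alert per matching record; c2_* are high confidence, odd_port and ja3 are leads."""
    alerts = []
    for r in parse_tsv(conn):
        dst, port = r["id.resp_h"], int(r["id.resp_p"])
        where = f"{dst}:{port}/{r['proto']}"
        if dst in C2_IPS:
            alerts.append(Alert("c2_ip", r["id.orig_h"], where))
        elif port not in ORDINARY_PORTS and not is_internal(dst):
            alerts.append(Alert("odd_port", r["id.orig_h"], where))
    for r in parse_tsv(dns):
        if r["query"].lower().rstrip(".") in C2_DOMAINS:
            alerts.append(Alert("c2_dns", r["id.orig_h"], r["query"]))
    for r in parse_tsv(ssl):
        if r["ja3"] in BAD_JA3:
            alerts.append(Alert("ja3", r["id.orig_h"], f"{r['ja3']} -> {r['id.resp_h']}"))
    return alerts


if __name__ == "__main__":
    for a in triage(CONN_LOG, DNS_LOG, SSL_LOG):
        print(f"[{a.kind}] {a.host}: {a.detail}")
```

The JA3 hit in this report sits on the port-443 sessions, not on the C2 session: JA3 fingerprints the client TLS stack, and a hash produced by the Windows TLS components that URLDownloadToFileW relies on may be shared with legitimate software, so treat it as corroboration of the IP and DNS matches rather than as a stand-alone detection.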

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0040D14F SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,Sleep,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow, 2_2_0040D14F
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0040D14F SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,Sleep,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow, 2_2_0040D14F

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: 0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Xypgtv.exe PID: 6324, type: MEMORY
Source: Yara match File source: Process Memory Space: Xypgtv.exe PID: 6480, type: MEMORY
Source: Yara match File source: Process Memory Space: V8IB839cvz.exe PID: 6584, type: MEMORY
Source: Yara match File source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0040D14F SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,Sleep,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow, 2_2_0040D14F
Detected potential crypto function
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0040C00C 2_2_0040C00C
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0041C086 2_2_0041C086
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0042E10C 2_2_0042E10C
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00443116 2_2_00443116
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0041426F 2_2_0041426F
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0042A35E 2_2_0042A35E
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00441327 2_2_00441327
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0042D48A 2_2_0042D48A
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0041C724 2_2_0041C724
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0041C867 2_2_0041C867
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0042D8A2 2_2_0042D8A2
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00441A39 2_2_00441A39
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00447B40 2_2_00447B40
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0041BB8F 2_2_0041BB8F
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0042DCD7 2_2_0042DCD7
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0042FCE9 2_2_0042FCE9
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00412CF0 2_2_00412CF0
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0042AE10 2_2_0042AE10
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00427EA4 2_2_00427EA4
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0042FF18 2_2_0042FF18
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00436FF0 2_2_00436FF0
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0042CF8E 2_2_0042CF8E
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: String function: 00429310 appears 50 times
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: String function: 0040207E appears 51 times
PE file contains strange resources
Source: V8IB839cvz.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Xypgtv.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Uses 32bit PE files
Source: V8IB839cvz.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Yara signature match
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers (author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019)
Source: 00000009.00000003.729900326.0000000002410000.00000004.00000001.sdmp, type: MEMORY
Source: 00000009.00000003.731801392.0000000002444000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000B.00000003.749959961.0000000002820000.00000004.00000001.sdmp, type: MEMORY
Source: 00000009.00000003.730552799.0000000002444000.00000004.00000001.sdmp, type: MEMORY
Source: 00000009.00000003.731106098.0000000002444000.00000004.00000001.sdmp, type: MEMORY
Source: 00000009.00000003.731257935.0000000002444000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000B.00000003.749327450.000000000284C000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000B.00000003.750252073.0000000002854000.00000004.00000001.sdmp, type: MEMORY
Source: 00000009.00000003.729493553.0000000002428000.00000004.00000001.sdmp, type: MEMORY
Source: 00000009.00000003.728627251.000000000243C000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000B.00000003.751417519.0000000002854000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000B.00000003.750787460.0000000002854000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000B.00000003.749703567.0000000002838000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000B.00000003.751016095.0000000002854000.00000004.00000001.sdmp, type: MEMORY
Source: 00000009.00000003.731519002.0000000002444000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000B.00000003.750523839.0000000002854000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Users\Public\vtgpyX.url, type: DROPPED
Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE
Source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE
Source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/9@96/5
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0040E39F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 2_2_0040E39F
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00409973 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 2_2_00409973
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004097FD FindResourceA,LoadResource,LockResource,SizeofResource, 2_2_004097FD
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0041031F OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_0041031F
Source: C:\Users\user\Desktop\V8IB839cvz.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
Source: C:\Users\user\Desktop\V8IB839cvz.exe Mutant created: \Sessions\1\BaseNamedObjects\daxvxdsaxzcas-LAPFBZ
Source: C:\Users\user\Desktop\V8IB839cvz.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Users\user\Desktop\V8IB839cvz.exe Command line argument: Software\ 2_2_0040928D
Source: C:\Users\user\Desktop\V8IB839cvz.exe Command line argument: ProductName 2_2_0040928D
Source: C:\Users\user\Desktop\V8IB839cvz.exe Command line argument: Remcos 2_2_0040928D
Source: C:\Users\user\Desktop\V8IB839cvz.exe Command line argument: licence 2_2_0040928D
Source: C:\Users\user\Desktop\V8IB839cvz.exe Command line argument: Administrator 2_2_0040928D
Source: C:\Users\user\Desktop\V8IB839cvz.exe Command line argument: User 2_2_0040928D
Source: C:\Users\user\Desktop\V8IB839cvz.exe Command line argument: [Info] 2_2_0040928D
Source: C:\Users\user\Desktop\V8IB839cvz.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (3 times)
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (6 times)
Source: C:\Users\user\Desktop\V8IB839cvz.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\V8IB839cvz.exe File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Source: C:\Users\Public\Xypgtv\Xypgtv.exe File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Source: V8IB839cvz.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\V8IB839cvz.exe File read: C:\Users\user\Desktop\V8IB839cvz.exe
Source: unknown Process created: C:\Users\user\Desktop\V8IB839cvz.exe 'C:\Users\user\Desktop\V8IB839cvz.exe'
Source: C:\Users\user\Desktop\V8IB839cvz.exe Process created: C:\Users\user\Desktop\V8IB839cvz.exe C:\Users\user\Desktop\V8IB839cvz.exe
Source: C:\Users\user\Desktop\V8IB839cvz.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\Public\Xypgtv\Xypgtv.exe 'C:\Users\Public\Xypgtv\Xypgtv.exe'
Source: unknown Process created: C:\Users\Public\Xypgtv\Xypgtv.exe 'C:\Users\Public\Xypgtv\Xypgtv.exe'
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe
Source: Window Recorder Window detected: More than 3 window changes detected
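The process-creation lines above record a chain worth encoding as detection logic: the sample relaunches its own image (the pattern behind "Creates a process in suspended mode" and "Injects a PE file into a foreign process"), hands off to cmd.exe running batch files out of C:\Users\Public, and the dropped Xypgtv.exe then executes from that folder (the Sigma "Execution from Suspicious Folder" hit). The following is an added example, not the Sigma rule Joe Sandbox matched and not code from the report: three Sigma-style checks over constructed Sysmon-like process-creation records that follow the lines above. The parent of the first Xypgtv.exe launch is not given in the report and is assumed to be explorer.exe, the batch-file quoting is simplified, and the folder list and rule logic are this example's own.

```python
"""Sigma-style checks over the process chain recorded in this report.

Added example, not part of the Joe Sandbox report and not the Sigma rule it
matched. Events are constructed Sysmon-like process-creation records that
follow the "Process created" lines on the page; the explorer.exe parent of
the first Xypgtv.exe launch is assumed, the batch quoting is simplified, and
the folder list and rule logic are this example's own.
"""
import ntpath

# Folders from which user-driven execution is unusual (assumption).
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")

EVENTS = [
    {"Image": r"C:\Users\user\Desktop\V8IB839cvz.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Desktop\V8IB839cvz.exe"'},
    {"Image": r"C:\Users\user\Desktop\V8IB839cvz.exe",
     "ParentImage": r"C:\Users\user\Desktop\V8IB839cvz.exe",
     "CommandLine": r"C:\Users\user\Desktop\V8IB839cvz.exe"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\V8IB839cvz.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c "C:\Users\Public\Trast.bat"'},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat"},
    {"Image": r"C:\Users\Public\Xypgtv\Xypgtv.exe",
     "ParentImage": r"C:\Windows\explorer.exe",   # assumed; not in the report
     "CommandLine": r'"C:\Users\Public\Xypgtv\Xypgtv.exe"'},
    {"Image": r"C:\Users\Public\Xypgtv\Xypgtv.exe",
     "ParentImage": r"C:\Users\Public\Xypgtv\Xypgtv.exe",
     "CommandLine": r"C:\Users\Public\Xypgtv\Xypgtv.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",   # benign control event
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe"'},
]


def rule_suspicious_folder(e: dict) -> bool:
    """Binary launched from a folder ordinary users do not run programs from."""
    return e["Image"].lower().startswith(SUSPICIOUS_DIRS)


def rule_batch_from_public(e: dict) -> bool:
    """cmd.exe /c or /K running a .bat that lives under C:\\Users\\Public."""
    cl = e["CommandLine"].lower()
    return (ntpath.basename(e["Image"]).lower() == "cmd.exe"
            and (" /c " in cl or " /k " in cl)
            and "\\users\\public\\" in cl and ".bat" in cl)


def rule_self_spawn(e: dict) -> bool:
    """A non-Windows binary launching a copy of its own image, the parent/child
    pair produced by creating a suspended copy of oneself and injecting into it."""
    img = e["Image"].lower()
    return img == e["ParentImage"].lower() and not img.startswith("c:\\windows\\")


RULES = {
    "execution_from_suspicious_folder": rule_suspicious_folder,
    "batch_file_from_users_public": rule_batch_from_public,
    "process_spawns_own_image": rule_self_spawn,
}


def evaluate(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (image basename, matched rule names) for every event that hits."""
    findings = []
    for e in events:
        hits = [name for name, fn in RULES.items() if fn(e)]
        if hits:
            findings.append((ntpath.basename(e["Image"]), hits))
    return findings


if __name__ == "__main__":
    for image, hits in evaluate(EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

Each rule alone is noisy (installers run from C:\Users\Public, some browsers spawn copies of themselves); the value is in the conjunction, which is why the self-spawn check excludes C:\Windows binaries and why the last Xypgtv.exe event, which trips two rules at once, is the one to escalate.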

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\V8IB839cvz.exe Unpacked PE file: 2.2.V8IB839cvz.exe.400000.0.unpack
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Unpacked PE file: 15.2.Xypgtv.exe.400000.0.unpack
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Unpacked PE file: 17.2.Xypgtv.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004096D6 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 2_2_004096D6
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 0_3_0221825A push 00405E5Ch; ret 0_3_02218280
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 0_3_0221825C push 00405E5Ch; ret 0_3_02218280
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 0_3_02218294 push 00405E94h; ret 0_3_022182B8
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 0_3_02219BAC push ecx; mov dword ptr [esp], eax 0_3_02219BAD
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 0_3_02217F7C push 00405BA1h; ret 0_3_02217FC5
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 0_3_02218754 push 00406354h; ret 0_3_02218778
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 0_3_02215420 push eax; ret 0_3_0221545C
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 0_3_02218442 push 00406044h; ret 0_3_02218468
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 0_3_02218444 push 00406044h; ret 0_3_02218468

Persistence and Installation Behavior:

barindex
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00403E7D ShellExecuteW,URLDownloadToFileW, 2_2_00403E7D
Drops PE files
Source: C:\Users\user\Desktop\V8IB839cvz.exe File created: C:\Users\Public\Xypgtv\Xypgtv.exe Jump to dropped file
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0041031F OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_0041031F
Source: C:\Users\user\Desktop\V8IB839cvz.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Xypgtv Jump to behavior
Source: C:\Users\user\Desktop\V8IB839cvz.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Xypgtv Jump to behavior
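The two findings above (a PE dropped under C:\Users\Public\Xypgtv\ and an HKCU Run value named Xypgtv) are the sample's persistence chain. The following triage script is an added example and is not part of this report or of the sandbox's own tooling. It takes Run-key values and dropped-file paths of the kind the report lists and flags autostart entries that point into user-writable or public directories or at a binary dropped during the run. The report does not show the Run value's data, so the value data, the OneDrive and SecurityHealth control entries and the list of suspicious roots are constructed assumptions.

```python
"""Triage Run-key persistence against dropped files (added example, not report code)."""
import re

# Constructed sample data modelled on the report's findings. The report shows the
# value name "Xypgtv" but not its data; pointing it at the dropped file is an assumption.
SAMPLE_RUN_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Xypgtv", r'"C:\Users\Public\Xypgtv\Xypgtv.exe"'),
    # Benign controls (constructed): a per-user app under AppData and a system entry.
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]
SAMPLE_DROPPED = [r"C:\Users\Public\Xypgtv\Xypgtv.exe"]  # from "Drops PE files" above

# Locations any user can write to; legitimate autostarts rarely live here (assumed list).
SUSPICIOUS_ROOTS = (
    r"c:\users\public",
    r"\appdata\local\temp",
    r"c:\programdata",
    r"c:\windows\temp",
)


def extract_image_path(value_data):
    """Return the executable path from a Run-key command line.

    Handles a double-quoted path followed by arguments and an unquoted
    path followed by arguments (cut after the first ".exe" token).
    """
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", data)
    return m.group(1) if m else data.split(" ", 1)[0]


def is_suspicious_location(path):
    """True when the image sits under a user-writable or public directory."""
    p = path.lower()
    return any(root in p for root in SUSPICIOUS_ROOTS)


def triage_run_keys(run_values, dropped_files):
    """Correlate Run values with dropped PEs; return a finding per suspicious entry."""
    dropped = {d.lower() for d in dropped_files}
    findings = []
    for hive_key, name, data in run_values:
        image = extract_image_path(data)
        reasons = []
        if is_suspicious_location(image):
            reasons.append("autostart image under user-writable/public path")
        if image.lower() in dropped:
            reasons.append("autostart image is a PE dropped during this run")
        if reasons:
            findings.append({"key": hive_key, "name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_RUN_VALUES, SAMPLE_DROPPED):
        print(f["name"], f["image"], "; ".join(f["reasons"]))
```

On a live host the same logic applies to the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the correlation with dropped files is what separates this entry from ordinary per-user autostarts.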

Hooking and other Techniques for Hiding and Protection:

barindex
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004096D6 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 2_2_004096D6
Source: C:\Users\user\Desktop\V8IB839cvz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Delayed program exit found
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00409834 Sleep,ExitProcess, 2_2_00409834
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 2_2_0041004D
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004041E6 FindFirstFileW,FindNextFileW, 2_2_004041E6
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0043C2E9 FindFirstFileExA, 2_2_0043C2E9
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00406317 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_00406317
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0041146E FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 2_2_0041146E
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004074C9 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 2_2_004074C9
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004076E4 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 2_2_004076E4
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00406776 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_00406776
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004049A0 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW, 2_2_004049A0

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0042911F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0042911F
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004096D6 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 2_2_004096D6
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00434340 mov eax, dword ptr fs:[00000030h] 2_2_00434340
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0043D5BD GetProcessHeap, 2_2_0043D5BD
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0042911F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0042911F
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004292B1 SetUnhandledExceptionFilter, 2_2_004292B1
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_004294DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_004294DC
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00430AB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00430AB0

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\V8IB839cvz.exe Memory written: C:\Users\user\Desktop\V8IB839cvz.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Memory written: C:\Users\Public\Xypgtv\Xypgtv.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Memory written: C:\Users\Public\Xypgtv\Xypgtv.exe base: 400000 value starts with: 4D5A Jump to behavior
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_0040F733 StrToIntA,mouse_event, 2_2_0040F733
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\V8IB839cvz.exe Process created: C:\Users\user\Desktop\V8IB839cvz.exe C:\Users\user\Desktop\V8IB839cvz.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat Jump to behavior
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe Jump to behavior
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe Jump to behavior
Source: V8IB839cvz.exe, 00000002.00000002.912525207.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: V8IB839cvz.exe, 00000002.00000002.912525207.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: V8IB839cvz.exe, 00000002.00000002.912525207.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: V8IB839cvz.exe, 00000002.00000002.912525207.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
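The "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" findings above, together with the "Detected unpacking (overwrites its own PE header)" finding earlier, describe one technique: each loader spawns a second copy of its own image and writes a fresh PE (the 4D5A, "MZ", header) over that child's image base at 0x400000. The script below is an added example, not part of this report or of the sandbox, that correlates "Process created" and "Memory written" events to flag exactly that pattern. The event lines are constructed in the style of the report's findings, and the two regexes that parse them are an assumption about that format.

```python
"""Flag PE images written into a process the writer spawned (added example, not report code)."""
import re
from collections import defaultdict

# Constructed sample events modelled on the report's findings, plus two benign controls.
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\V8IB839cvz.exe Process created: C:\Users\user\Desktop\V8IB839cvz.exe C:\Users\user\Desktop\V8IB839cvz.exe",
    r"Source: C:\Users\user\Desktop\V8IB839cvz.exe Memory written: C:\Users\user\Desktop\V8IB839cvz.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\Public\Xypgtv\Xypgtv.exe Process created: C:\Users\Public\Xypgtv\Xypgtv.exe C:\Users\Public\Xypgtv\Xypgtv.exe",
    r"Source: C:\Users\Public\Xypgtv\Xypgtv.exe Memory written: C:\Users\Public\Xypgtv\Xypgtv.exe base: 400000 value starts with: 4D5A",
    # Benign control: a child process is launched but nothing is written into it.
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe",
    # Benign control: memory is written, but it is not a PE header.
    r"Source: C:\Windows\System32\svchost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A0000 value starts with: 00000000",
]

# Assumed line formats (paths without spaces in this constructed data).
PROC_RE = re.compile(r"^Source: (?P<src>.+?) Process created: (?P<img>\S+) ")
MEM_RE = re.compile(
    r"^Source: (?P<src>.+?) Memory written: (?P<tgt>\S+) base: (?P<base>[0-9A-Fa-f]+) "
    r"value starts with: (?P<val>[0-9A-Fa-f]+)"
)
MZ = "4D5A"  # DOS header magic 'MZ': the write carries a PE image


def parse_events(lines):
    """Return (writer image -> set of images it spawned, list of memory writes)."""
    created = defaultdict(set)
    writes = []
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            created[m["src"]].add(m["img"])
            continue
        m = MEM_RE.match(line)
        if m:
            writes.append((m["src"], m["tgt"], int(m["base"], 16), m["val"].upper()))
    return created, writes


def detect_pe_injection(lines):
    """One hit per PE header written into another process.

    spawned_by_writer: the target is a process the writer itself created
    (the suspended-child pattern). self_hollowing: additionally the child
    runs the writer's own image, as both loaders in this report do.
    """
    created, writes = parse_events(lines)
    hits = []
    for writer, target, base, val in writes:
        if not val.startswith(MZ):
            continue  # ordinary data write, not a PE image
        spawned = target in created.get(writer, ())
        hits.append({
            "writer": writer,
            "target": target,
            "base": base,
            "spawned_by_writer": spawned,
            "self_hollowing": spawned and writer == target,
        })
    return hits


if __name__ == "__main__":
    for h in detect_pe_injection(SAMPLE_EVENTS):
        print(f"{h['writer']} -> {h['target']} @ {h['base']:#x} self_hollowing={h['self_hollowing']}")
```

The base 0x400000 in both hits is the default image base of a non-relocated 32-bit executable, which is why the unpacked payloads appear as `*.400000.0.unpack` in the report; a write of 'MZ' at a child's image base is the moment the hollowed copy receives the real Remcos image.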

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00410E32 cpuid 2_2_00410E32
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00440080
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: GetLocaleInfoW, 2_2_004380A8
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_0043F748
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: GetLocaleInfoA, 2_2_00409947
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: EnumSystemLocalesW, 2_2_0043F9C0
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: EnumSystemLocalesW, 2_2_0043FA0B
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: EnumSystemLocalesW, 2_2_0043FAA6
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_0043FB33
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: EnumSystemLocalesW, 2_2_00437C22
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: GetLocaleInfoW, 2_2_0043FD83
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0043FEAC
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: GetLocaleInfoW, 2_2_0043FFB3
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00438112 GetSystemTimeAsFileTime, 2_2_00438112
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: 2_2_00410C6E CreateThread,GetComputerNameExW,GetUserNameW, 2_2_00410C6E
Source: C:\Users\Public\Xypgtv\Xypgtv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Remcos RAT
Source: Yara match File source: 0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Xypgtv.exe PID: 6324, type: MEMORY
Source: Yara match File source: Process Memory Space: Xypgtv.exe PID: 6480, type: MEMORY
Source: Yara match File source: Process Memory Space: V8IB839cvz.exe PID: 6584, type: MEMORY
Source: Yara match File source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 2_2_004073AB
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 2_2_004074C9
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: \key3.db 2_2_004074C9
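The three findings above name the credential stores the sample reaches for: Chrome's "Login Data" SQLite database and the Firefox profile directory with key3.db. The script below is an added example, not part of this report or of the sandbox, that classifies file accesses against those stores and flags any accessor that is not the owning browser. It extends the report's two paths to the other stores a practitioner would want covered: key3.db is the legacy NSS key database, while Firefox 58 and later keep the key in key4.db and the encrypted logins in logins.json, and recent Chrome keeps cookies under Network\Cookies. The file-access events and the profile directory name are constructed.

```python
"""Flag reads of browser credential stores by non-browser processes (added example, not report code)."""
import re

# Credential stores a Chrome/Firefox stealer reads. Profile directory names
# ("Default", "Profile 1", "<random>.default-release") are matched generically.
CREDENTIAL_STORES = {
    re.compile(r"(?i)\\google\\chrome\\user data\\[^\\]+\\login data$"): "Chrome saved passwords",
    re.compile(r"(?i)\\google\\chrome\\user data\\[^\\]+\\(network\\)?cookies$"): "Chrome cookies",
    re.compile(r"(?i)\\mozilla\\firefox\\profiles\\[^\\]+\\key3\.db$"): "Firefox key database (legacy)",
    re.compile(r"(?i)\\mozilla\\firefox\\profiles\\[^\\]+\\key4\.db$"): "Firefox key database",
    re.compile(r"(?i)\\mozilla\\firefox\\profiles\\[^\\]+\\logins\.json$"): "Firefox saved logins",
    re.compile(r"(?i)\\mozilla\\firefox\\profiles\\[^\\]+\\cookies\.sqlite$"): "Firefox cookies",
}

# Processes entitled to open their own stores.
BROWSER_IMAGES = {"chrome.exe", "firefox.exe"}

# Constructed (accessing process, file path) events modelled on the report's findings.
SAMPLE_FILE_EVENTS = [
    (r"C:\Users\user\Desktop\V8IB839cvz.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\user\Desktop\V8IB839cvz.exe",
     r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\key3.db"),
    (r"C:\Users\user\Desktop\V8IB839cvz.exe",
     r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"),
    # Benign control: the browser itself opening its store.
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # Benign control: a profile file that holds no credentials.
    (r"C:\Users\user\Desktop\V8IB839cvz.exe",
     r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\places.sqlite"),
]


def classify_path(path):
    """Return the store label for a credential file, or None for anything else."""
    for pattern, label in CREDENTIAL_STORES.items():
        if pattern.search(path):
            return label
    return None


def flag_credential_access(file_events):
    """Return (process name, store label, path) for every non-browser access to a store."""
    hits = []
    for proc, path in file_events:
        label = classify_path(path)
        if label is None:
            continue
        proc_name = proc.rsplit("\\", 1)[-1].lower()
        if proc_name in BROWSER_IMAGES:
            continue  # the browser reading its own database
        hits.append((proc_name, label, path))
    return hits


if __name__ == "__main__":
    for proc_name, label, path in flag_credential_access(SAMPLE_FILE_EVENTS):
        print(f"{proc_name}: {label} <- {path}")
```

Matching on the owning browser's image name is a heuristic: a stealer injected into chrome.exe would pass it, so in production pair this with the injection check from the HIPS section.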

Remote Access Functionality:

barindex
Yara detected Remcos RAT
Source: Yara match File source: 0000000F.00000002.778791601.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.688515879.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.688799265.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.795919569.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.777883581.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.777134487.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.797923003.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.776696975.0000000000449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.689160997.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.912239074.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.796293762.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.798843830.0000000000449000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Xypgtv.exe PID: 6324, type: MEMORY
Source: Yara match File source: Process Memory Space: Xypgtv.exe PID: 6480, type: MEMORY
Source: Yara match File source: Process Memory Space: V8IB839cvz.exe PID: 6584, type: MEMORY
Source: Yara match File source: 2.2.V8IB839cvz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Xypgtv.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to launch and control a shell (cmd.exe)
Source: C:\Users\user\Desktop\V8IB839cvz.exe Code function: cmd.exe 2_2_004037DD