Windows Analysis Report RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Overview

General Information

Sample Name: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Analysis ID: 479213
MD5: 06534c059b111776b838f793c6444622
SHA1: 7ebda7124a60de107a00960d9fe0563fd3cd2760
SHA256: 933a4d2abfdf0f91550a102808d00adace6eb9df89ea9e254e2df7601b02dd8f

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Allocates memory in foreign processes
Injects a PE file into a foreign process
Contains functionality to steal Chrome passwords or cookies
Contains functionality to inject code into remote processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp Malware Configuration Extractor: Remcos
{
  "Host:Port:Password": "204.44.86.179:49151:0123qwegus.duckdns.org:49151:0",
  "Assigned name": "septttt",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Disable",
  "Install path": "AppData",
  "Copy file": "remcos.exe",
  "Startup value": "Remcos",
  "Hide file": "Disable",
  "Mutex": "Remcos-ZXIQGD",
  "Keylog flag": "0",
  "Keylog path": "AppData",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "notepad;solitaire;",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio path": "AppData",
  "Audio folder": "MicRecords",
  "Connect delay": "",
  "Copy folder": "Remcos",
  "Keylog folder": "remcos",
  "Keylog file max size": "20000"
}
Yara detected Remcos RAT
Source: Yara match File source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mobsync.exe PID: 4692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dialer.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: secinit.exe PID: 6672, type: MEMORYSTR
Antivirus or Machine Learning detection for unpacked file
Source: 8.0.mobsync.exe.10590000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.2.dialer.exe.10590000.2.unpack Avira: Label: TR/Dropper.Gen
Source: 8.0.mobsync.exe.10590000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.mobsync.exe.10590000.2.unpack Avira: Label: TR/Dropper.Gen
Source: 18.0.dialer.exe.10590000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.secinit.exe.10590000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.secinit.exe.10590000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.secinit.exe.10590000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.dialer.exe.10590000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.mobsync.exe.10590000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.dialer.exe.10590000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.mobsync.exe.10590000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.dialer.exe.10590000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.2.secinit.exe.10590000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 19.0.secinit.exe.10590000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: mobsync.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
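
The extracted configuration is the most actionable part of this report. The Python below is an added example, not part of the Joe Sandbox report and not Remcos code: it takes the configuration as printed above (embedded as a constructed dictionary, reduced to the keys it uses), splits the "Host:Port:Password" field into C2 entries, and derives the host artifacts the settings imply. Its assumptions are marked in the code: that each C2 entry is laid out as host:port:password (taken from the extractor's own field label), that the "AppData" token means the per-user %APPDATA% directory, and that "Setup HKCU\Run" / "Setup HKLM\Run" denote a value under the usual Run keys. The two host:port pairs in the field are run together, so the password of the first entry and the start of the second hostname cannot be separated with certainty; the parser flags that instead of guessing.

```python
import re

# Configuration as the extractor printed it in the report above, reduced to the
# keys this example uses (constructed dictionary, not parsed from the report).
REMCOS_CONFIG = {
    "Host:Port:Password": "204.44.86.179:49151:0123qwegus.duckdns.org:49151:0",
    "Assigned name": "septttt",
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Disable",
    "Install path": "AppData",
    "Copy folder": "Remcos",
    "Copy file": "remcos.exe",
    "Startup value": "Remcos",
    "Mutex": "Remcos-ZXIQGD",
    "Keylog path": "AppData",
    "Keylog folder": "remcos",
    "Keylog file": "logs.dat",
}

# Assumption: the extractor's "AppData" token is the per-user roaming profile
# directory. Any other token is passed through unchanged.
PATH_TOKENS = {"AppData": "%APPDATA%"}
# Assumption: the two "Setup ... Run" settings refer to the standard Run keys.
RUN_KEYS = {
    "Setup HKCU\\Run": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Setup HKLM\\Run": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
}
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_c2_field(raw):
    """Split the C2 field into host/port/password entries.

    Assumed entry layout, taken from the extractor's own label:
    host:port:password. When two entries were joined without a separator,
    the password of one entry and the host of the next share a token, so
    that password is left unknown and the following host is flagged.
    """
    toks = raw.split(":")
    entries = []
    i = 0
    prefix_risk = False  # this host token may start with the previous password
    while i + 1 < len(toks):
        host, port = toks[i], toks[i + 1]
        if not port.isdigit():
            raise ValueError("expected numeric port after %r" % host)
        entry = {
            "host": host,
            "port": int(port),
            "password": None,
            # An IPv4 literal cannot carry a stray prefix and still parse.
            "host_may_have_prefix": prefix_risk and not _IPV4.match(host),
        }
        if i + 3 >= len(toks):
            # The third token is the last one: it is this entry's password.
            entry["password"] = toks[i + 2] if i + 2 < len(toks) else ""
            entries.append(entry)
            break
        # Another host:port follows, so the third token is password+host fused.
        entry["fused_token"] = toks[i + 2]
        entries.append(entry)
        prefix_risk = True
        i += 2
    return entries


def network_iocs(entries):
    """host:port strings to hunt for, plus the hosts that need manual review."""
    iocs = ["%s:%d" % (e["host"], e["port"]) for e in entries]
    review = [e["host"] for e in entries if e["host_may_have_prefix"]]
    return iocs, review


def host_artifacts(cfg):
    """File, registry and mutex artifacts the settings imply.

    Caveat: "Install flag" is Disable in this configuration, so the copy under
    %APPDATA% and the Run value may never be written. The mutex and the
    network indicators are the ones to rely on.
    """
    def path(token, *parts):
        return "\\".join((PATH_TOKENS.get(token, token),) + parts)

    run_values = [
        "%s\\%s" % (key, cfg["Startup value"])
        for setting, key in RUN_KEYS.items()
        if cfg.get(setting) == "Enable"
    ]
    return {
        "install_enabled": cfg.get("Install flag") == "Enable",
        "install_path": path(cfg["Install path"], cfg["Copy folder"], cfg["Copy file"]),
        "keylog_path": path(cfg["Keylog path"], cfg["Keylog folder"], cfg["Keylog file"]),
        "run_values": run_values,
        "mutex": cfg["Mutex"],
    }


if __name__ == "__main__":
    c2 = parse_c2_field(REMCOS_CONFIG["Host:Port:Password"])
    print(network_iocs(c2))
    print(host_artifacts(REMCOS_CONFIG))
```

For this sample the parser yields 204.44.86.179:49151 (which is also the address the Snort alerts and the non-standard-port TCP flow point at) and a second entry on the same port whose hostname is recorded as "0123qwegus.duckdns.org" but flagged for review, because the leading "0" may be the first entry's password rather than part of the name. When hunting, use the IP and port first, and the dynamic-DNS name only after the split has been confirmed against a clean dump of the configuration.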

Compliance:

barindex
Uses 32bit PE files
Source: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 8_2_004170AC
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_00406176 FindFirstFileW,FindNextFileW, 8_2_00406176
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_0040A3AF
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_0040A5CA
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004456A9 FindFirstFileExA, 8_2_004456A9
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_004077EE
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 18_2_004170AC
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_00406176 FindFirstFileW,FindNextFileW, 18_2_00406176
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 18_2_0040A3AF
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 18_2_0040A5CA
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004456A9 FindFirstFileExA, 18_2_004456A9
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 18_2_004077EE
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_00407C57 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 18_2_00407C57
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_00406930 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW, 8_2_00406930

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2032776 ET TROJAN Remocs 3.x Unencrypted Checkin 192.168.2.5:49707 -> 204.44.86.179:49151
Source: Traffic Snort IDS: 2032777 ET TROJAN Remocs 3.x Unencrypted Server Response 204.44.86.179:49151 -> 192.168.2.5:49707
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 204.44.86.179
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASN-QUADRANET-GLOBALUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.135.233
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49707 -> 204.44.86.179:49151
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown TCP traffic detected without corresponding DNS query: 204.44.86.179 (reported 7 times)
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0041242F Sleep,URLDownloadToFileW, 8_2_0041242F
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49708 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality to read the clipboard data
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004126A5 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_004126A5
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004089BC GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 8_2_004089BC
Contains functionality for read data from the clipboard
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004126A5 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_004126A5

E-Banking Fraud:

barindex
Yara detected Remcos RAT
Source: Yara match File source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mobsync.exe PID: 4692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dialer.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: secinit.exe PID: 6672, type: MEMORYSTR
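
The memory-dump and unpacked-PE identifiers cited by the Yara matches carry most of the forensic detail this report gives about the injection: which SysWOW64 host process, at which address, with which page protection. The Python below is an added example, not part of the Joe Sandbox report: it decodes those identifiers, correlates the two naming schemes, and flags the regions that look like injected images. Its reading of the identifier layout is an assumption, checked only against the page's own cross references: the first field of 00000013.… is 0x13 = 19, the prefix of the 19.2.secinit.exe.… names; the fifth field is 0x40 for every region the report labels UNPACKEDPE and 0x04 for the heap regions in which the configuration string was found, which are the values of the Windows constants PAGE_EXECUTE_READWRITE and PAGE_READWRITE. The process table and the list of identifiers are constructed from the lines above; the third and sixth fields are not interpreted.

```python
import re
from collections import defaultdict

# Page-protection constants from winnt.h (bits 0-7 of the protection value).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Process index -> (image, PID) as the report's "Process Memory Space" lines
# give them. The index is the decimal prefix of the ".unpack" names and the
# hexadecimal first field of the ".sdmp" names (0x08, 0x12, 0x13).
PROCESSES = {8: ("mobsync.exe", 4692), 18: ("dialer.exe", 6544), 19: ("secinit.exe", 6672)}

# The MEMORY sources listed above (constructed from the report text).
SDMP_NAMES = [
    "00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp",
    "00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp",
    "00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp",
    "00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp",
    "00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp",
    "00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp",
    "00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp",
    "00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp",
    "00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp",
]

# Assumed layouts (see lead-in): index.phase.dumpid.address.protection.type.sdmp
# and index.phase.image.hexaddress.region[.raw].unpack
_SDMP = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$",
    re.IGNORECASE)
_UNPACK = re.compile(r"^(\d+)\.(\d+)\.(.+?\.exe)\.([0-9a-f]+)\.(\d+)(\.raw)?\.unpack$",
                     re.IGNORECASE)


def decode_sdmp(name):
    """Decode a memory-dump identifier into process, address and protection."""
    m = _SDMP.match(name)
    if not m:
        raise ValueError("not a memory dump identifier: %r" % name)
    idx = int(m.group(1), 16)
    prot = int(m.group(5), 16)
    image, pid = PROCESSES.get(idx, ("<unknown>", None))
    return {
        "process_index": idx,
        "process": image,
        "pid": pid,
        "phase": int(m.group(2), 16),
        "address": int(m.group(4), 16),
        # Only the low byte is a protection class; upper bits are modifiers.
        "protection": PAGE_PROTECTION.get(prot & 0xFF, "0x%X" % prot),
        "type_field": int(m.group(6), 16),
    }


def decode_unpack(name):
    """Decode an unpacked-PE identifier."""
    m = _UNPACK.match(name)
    if not m:
        raise ValueError("not an unpacked-PE identifier: %r" % name)
    return {
        "process_index": int(m.group(1)),
        "phase": int(m.group(2)),
        "process": m.group(3),
        "address": int(m.group(4), 16),
        "region_index": int(m.group(5)),
        "raw": m.group(6) is not None,
    }


def correlate(unpack_name, sdmp_name):
    """True when both identifiers refer to the same region of the same process."""
    u, s = decode_unpack(unpack_name), decode_sdmp(sdmp_name)
    return u["process_index"] == s["process_index"] and u["address"] == s["address"]


def is_injection_indicator(sdmp_name):
    """Triage heuristic: a writable and executable region whose base is 64 KiB
    aligned, as an image base is. Heap regions fail on protection alone."""
    d = decode_sdmp(sdmp_name)
    return d["protection"] == "PAGE_EXECUTE_READWRITE" and d["address"] % 0x10000 == 0


def rwx_regions(names):
    """Group the candidate injected regions by host process image."""
    out = defaultdict(list)
    for n in names:
        if is_injection_indicator(n):
            d = decode_sdmp(n)
            out[d["process"]].append(d["address"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for proc, addrs in rwx_regions(SDMP_NAMES).items():
        print(proc, ["0x%X" % a for a in addrs])
```

Run over the report's own identifiers, this yields two RWX regions in each of the three hosts: 0x400000 and 0x10590000 in mobsync.exe and dialer.exe, 0x500000 and 0x10590000 in secinit.exe. 0x400000 is the default image base of a 32-bit executable, but the secinit.exe copy does not sit there, so a detection keyed on the default base alone would miss one of the three instances. The alignment heuristic is a triage filter only; the confirmation is a PE header in the dumped region, which the UNPACKEDPE Yara matches above already provide for these addresses.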

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Matched rule: REMCOS_RAT_variants Author: unknown (reported for every source listed below)
Source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE
Source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
Source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE
Source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE
Source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE
Source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE
Source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE
Source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE
Source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE
Source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Uses 32bit PE files
Source: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Yara signature match
Matched rule: REMCOS_RAT_variants (reported for every source listed below)
Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type.
Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE
Source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
Source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE
Source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE
Source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE
Source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE
Source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE
Source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE
Source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE
Source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\Public\Libraries\xzvghsC.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Contains functionality to shutdown / reboot the system
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_00412598 ExitWindowsEx,LoadLibraryA,GetProcAddress, 8_2_00412598
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_00412598 ExitWindowsEx,LoadLibraryA,GetProcAddress, 18_2_00412598
Detected potential crypto function
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0042E02D 8_2_0042E02D
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004330D1 8_2_004330D1
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0043424F 8_2_0043424F
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0042220F 8_2_0042220F
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0045F930 8_2_0045F930
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0041A3F8 8_2_0041A3F8
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004304DB 8_2_004304DB
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0044C56A 8_2_0044C56A
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004335CD 8_2_004335CD
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0043E6E0 8_2_0043E6E0
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0044A725 8_2_0044A725
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004378EC 8_2_004378EC
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004228AD 8_2_004228AD
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0045F930 8_2_0045F930
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004339E5 8_2_004339E5
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004229F0 8_2_004229F0
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0042E02D 18_2_0042E02D
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004330D1 18_2_004330D1
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0043424F 18_2_0043424F
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0042220F 18_2_0042220F
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0041A3F8 18_2_0041A3F8
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004304DB 18_2_004304DB
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0044C56A 18_2_0044C56A
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004335CD 18_2_004335CD
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0043E6E0 18_2_0043E6E0
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0044A725 18_2_0044A725
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004378EC 18_2_004378EC
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004228AD 18_2_004228AD
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004339E5 18_2_004339E5
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004229F0 18_2_004229F0
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_00437B1B 18_2_00437B1B
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_00410BF5 18_2_00410BF5
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_00437D4A 18_2_00437D4A
Found potential string decryption / allocating functions
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Code function: String function: 0243CEC4 appears 45 times
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Code function: String function: 0243DEAC appears 88 times
Source: C:\Windows\SysWOW64\dialer.exe Code function: String function: 0042EDF6 appears 36 times
Source: C:\Windows\SysWOW64\dialer.exe Code function: String function: 0042F460 appears 43 times
Source: C:\Windows\SysWOW64\dialer.exe Code function: String function: 00402064 appears 75 times
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: String function: 021BFDFB appears 63 times
Source: C:\Windows\SysWOW64\mobsync.exe Code function: String function: 0042EDF6 appears 36 times
Source: C:\Windows\SysWOW64\mobsync.exe Code function: String function: 0042F460 appears 33 times
Source: C:\Windows\SysWOW64\mobsync.exe Code function: String function: 00402064 appears 73 times
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_00413ACA CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle, 8_2_00413ACA
PE file contains strange resources
Source: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Cshgvzx.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Cshgvzx.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe File read: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe 'C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe'
Source: unknown Process created: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe 'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe'
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: unknown Process created: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe 'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe'
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Process created: C:\Windows\SysWOW64\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Process created: C:\Windows\SysWOW64\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004132F7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 8_2_004132F7
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004132F7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 18_2_004132F7
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Cshgvzxpdvyucjurgvmywubhtofxefb[1]
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/5@3/3
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_00415D4C OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 18_2_00415D4C
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0040D1AD GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CreateMutexA,CloseHandle, 8_2_0040D1AD
Source: C:\Windows\SysWOW64\mobsync.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-ZXIQGD
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0040D41E FindResourceA,LoadResource,LockResource,SizeofResource, 8_2_0040D41E
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BF8D8 push ecx; mov dword ptr [esp], eax 0_3_021BF8D9
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BF8D8 push ecx; mov dword ptr [esp], eax 0_3_021BF8D9
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BF8D8 push ecx; mov dword ptr [esp], eax 0_3_021BF8D9
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BE17A push 004065BCh; ret 0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BE17A push 004065BCh; ret 0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BE17A push 004065BCh; ret 0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BE17C push 004065BCh; ret 0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BE17C push 004065BCh; ret 0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BE17C push 004065BCh; ret 0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BDF9A push 004063DCh; ret 0_3_021BDFC0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BDF9A push 004063DCh; ret 0_3_021BDFC0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BDF9A push 004063DCh; ret 0_3_021BDFC0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BDF9C push 004063DCh; ret 0_3_021BDFC0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BDF9C push 004063DCh; ret 0_3_021BDFC0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BDF9C push 004063DCh; ret 0_3_021BDFC0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BDFD4 push 00406414h; ret 0_3_021BDFF8
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BDFD4 push 00406414h; ret 0_3_021BDFF8
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BDFD4 push 00406414h; ret 0_3_021BDFF8
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BE48C push 004068CCh; ret 0_3_021BE4B0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BE48C push 004068CCh; ret 0_3_021BE4B0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BE48C push 004068CCh; ret 0_3_021BE4B0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BDCBC push 00406121h; ret 0_3_021BDD05
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BDCBC push 00406121h; ret 0_3_021BDD05
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BDCBC push 00406121h; ret 0_3_021BDD05
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BF8D8 push ecx; mov dword ptr [esp], eax 0_3_021BF8D9
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BF8D8 push ecx; mov dword ptr [esp], eax 0_3_021BF8D9
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BF8D8 push ecx; mov dword ptr [esp], eax 0_3_021BF8D9
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BE17A push 004065BCh; ret 0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BE17A push 004065BCh; ret 0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BE17A push 004065BCh; ret 0_3_021BE1A0
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BE17C push 004065BCh; ret 0_3_021BE1A0
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0040D072

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe File created: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe
Contains functionality to download and launch executables
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_00405C3E ShellExecuteW,URLDownloadToFileW, 18_2_00405C3E
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_00415D4C OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 18_2_00415D4C
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Cshgvzx
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Cshgvzx

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0040D072
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mobsync.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Delayed program exit found
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0040D455 Sleep,ExitProcess, 8_2_0040D455
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0040D455 Sleep,ExitProcess, 18_2_0040D455
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\mobsync.exe TID: 6280 Thread sleep time: -75000s >= -30000s
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe TID: 1412 Thread sleep count: 48 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\mobsync.exe Last function: Thread delayed
Contains functionality to enumerate running services
Source: C:\Windows\SysWOW64\mobsync.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 8_2_00415A7A
Source: C:\Windows\SysWOW64\dialer.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 18_2_00415A7A
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\mobsync.exe API coverage: 7.6 %
Source: C:\Windows\SysWOW64\dialer.exe API coverage: 2.0 %
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 8_2_004170AC
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_00406176 FindFirstFileW,FindNextFileW, 8_2_00406176
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_0040A3AF
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_0040A5CA
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004456A9 FindFirstFileExA, 8_2_004456A9
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_004077EE
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 18_2_004170AC
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_00406176 FindFirstFileW,FindNextFileW, 18_2_00406176
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 18_2_0040A3AF
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 18_2_0040A5CA
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004456A9 FindFirstFileExA, 18_2_004456A9
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 18_2_004077EE
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_00407C57 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 18_2_00407C57
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_00406930 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW, 8_2_00406930

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0042F07F
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0040D072
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0044697D GetProcessHeap, 8_2_0044697D
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0043B789 mov eax, dword ptr fs:[00000030h] 8_2_0043B789
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0043B789 mov eax, dword ptr fs:[00000030h] 18_2_0043B789
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Code function: 0_3_021BD330 LdrInitializeThunk, 0_3_021BD330
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0042F1CD SetUnhandledExceptionFilter, 8_2_0042F1CD
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0042F07F
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004360A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_004360A3
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0042F62C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0042F62C
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0042F1CD SetUnhandledExceptionFilter, 18_2_0042F1CD
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_0042F07F
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_004360A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_004360A3
Source: C:\Windows\SysWOW64\dialer.exe Code function: 18_2_0042F62C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_0042F62C

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: EC0000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: F50000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: F60000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: F70000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: F80000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: ED0000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: EE0000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: EF0000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: F00000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 10590000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: F10000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: F20000 Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\dialer.exe base: C60000 Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\dialer.exe base: CF0000 Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\dialer.exe base: D00000 Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\dialer.exe base: D10000 Jump to behavior
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\dialer.exe base: D20000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\dialer.exe base: C70000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\dialer.exe base: C80000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\dialer.exe base: C90000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\dialer.exe base: CA0000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\dialer.exe base: 10590000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\dialer.exe base: CB0000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\dialer.exe base: CC0000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 430000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 4C0000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 4D0000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 4E0000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 4F0000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 440000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 450000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 460000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 470000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 10590000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 480000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 490000
Allocates memory in foreign processes
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 10590000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 430000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 4C0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 4D0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 4E0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 4F0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 440000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 450000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 460000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 470000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 480000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 490000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 10590000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\dialer.exe base: 10590000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 10590000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_00413ACA CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle, 8_2_00413ACA
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: EC0000
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: F80000
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: F00000
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: F20000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Thread created: C:\Windows\SysWOW64\dialer.exe EIP: C60000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Thread created: C:\Windows\SysWOW64\dialer.exe EIP: D20000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Thread created: C:\Windows\SysWOW64\dialer.exe EIP: CA0000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Thread created: C:\Windows\SysWOW64\dialer.exe EIP: CC0000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 430000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 4F0000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 470000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 490000
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe 8_2_0040F4B7
Source: C:\Windows\SysWOW64\dialer.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe 18_2_0040F4B7
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Process created: C:\Windows\SysWOW64\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
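The evidence blocks above are the stages of one spawn-and-inject chain: a system binary is started from the dropper, an RWX region is allocated in it, a buffer beginning with 4D5A (an MZ header, so a whole PE image) is written at 0x10590000, further regions are written, and a thread is started at one of the written addresses. The call sequence at 8_2_00413ACA (CreateProcessW, GetThreadContext, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) is the process-hollowing implementation behind those stages. The Python below is an added triage helper, not code from the sandbox, from this report or from Remcos: it parses lines in the report's own format, groups them by source/target pair, and labels each pair. The sample lines are copied from this report; the verdict labels and the ordered API skeleton are this example's own choices. A "spawn+pe-inject" verdict is consistent with hollowing but does not prove that the original image was unmapped; that is only visible in the API chain, which the second function checks.

```python
import re
from collections import defaultdict

# Evidence lines copied from this report (the sandbox's own line format).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 10590000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: EC0000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 10590000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 10590000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 430000
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 430000
"""

# Call chain the report lists at 8_2_00413ACA in the hollowed mobsync.exe.
REPORT_API_CHAIN = [a for a in (
    "CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,"
    "GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,"
    "WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,"
    "SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,"
).split(",") if a]

# Ordered hollowing skeleton (this example's choice of what must appear; gaps allowed).
HOLLOWING_CHAIN = ("CreateProcessW", "GetThreadContext", "NtUnmapViewOfSection",
                   "VirtualAllocEx", "WriteProcessMemory", "SetThreadContext",
                   "ResumeThread")

LINE_RE = re.compile(
    r"^Source: (?P<src>\S+) "
    r"(?P<event>Process created|Memory allocated|Memory written|Thread created): "
    r"(?P<target>\S+)(?P<rest>.*)$")
HEX_RE = re.compile(r"(?:base|EIP): ([0-9A-Fa-f]+)")


def is_hollowing_sequence(apis):
    """True if HOLLOWING_CHAIN occurs as an ordered subsequence of apis."""
    it = iter(apis)                      # 'in' consumes the iterator, so order is enforced
    return all(api in it for api in HOLLOWING_CHAIN)


def _new_record():
    return {"created": False, "rwx": set(), "pe": set(), "written": set(), "threads": set()}


def parse_evidence(text):
    """Group evidence lines by (source, target) and record each injection stage."""
    chains = defaultdict(_new_record)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec, rest, event = chains[(m["src"], m["target"])], m["rest"], m["event"]
        if event == "Process created":
            rec["created"] = True            # spawned by the source (suspended, per the signature)
            continue
        addr = int(HEX_RE.search(rest).group(1), 16)
        if event == "Memory allocated" and "execute" in rest and "write" in rest:
            rec["rwx"].add(addr)             # PAGE_EXECUTE_READWRITE region in the target
        elif event == "Memory written":
            rec["written"].add(addr)
            if "value starts with: 4D5A" in rest:
                rec["pe"].add(addr)          # MZ header: a whole PE image was written here
        elif event == "Thread created":
            rec["threads"].add(addr)         # EIP of the remote thread
    return dict(chains)


def classify(rec):
    """Verdict labels are this example's own. 'spawn+pe-inject' matches the hollowing
    pattern, but the unmapping of the original image is only visible in the API chain."""
    if rec["pe"] and rec["created"]:
        return "spawn+pe-inject"
    if rec["pe"]:
        return "pe-inject"
    if rec["threads"] & rec["written"]:
        return "thread-inject"
    if rec["written"] or rec["rwx"]:
        return "cross-process-write"
    return "none"


def summarize(text):
    """Per (source, target): verdict, MZ write bases worth dumping, and whether a remote
    thread started inside a region the source wrote (direct evidence of execution)."""
    out = {}
    for key, rec in parse_evidence(text).items():
        out[key] = {
            "verdict": classify(rec),
            "pe_regions": sorted(f"{b:X}" for b in rec["pe"]),
            "exec_in_written": bool(rec["threads"] & rec["written"]),
        }
    return out


if __name__ == "__main__":
    print("hollowing chain at 8_2_00413ACA:", is_hollowing_sequence(REPORT_API_CHAIN))
    sep = "\\"
    for (src, target), info in summarize(SAMPLE_LINES).items():
        print(src.rsplit(sep, 1)[-1], "->", target.rsplit(sep, 1)[-1], info)
```

The MZ write base is the region to dump for further analysis: in this report it is 0x10590000 in every target, and that is exactly where the unpacked payloads the Yara rules match (for example 8.2.mobsync.exe.10590000.2.unpack) sit. The "exec_in_written" flag is the cheap confirmation that the written bytes actually ran; for mobsync.exe the sample lines above only include the MZ write, so it stays False there even though the full report shows more writes.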
Contains functionality to simulate mouse events
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_00414923 StrToIntA,mouse_event, 8_2_00414923

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoA, 8_2_0040D585
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW, 8_2_00441069
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW, 8_2_00449143
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_0044926C
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW, 8_2_00449373
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_00449440
Source: C:\Windows\SysWOW64\dialer.exe Code function: GetLocaleInfoW, 18_2_00441069
Source: C:\Windows\SysWOW64\dialer.exe Code function: GetLocaleInfoW, 18_2_00449143
Source: C:\Windows\SysWOW64\dialer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 18_2_0044926C
Source: C:\Windows\SysWOW64\dialer.exe Code function: GetLocaleInfoW, 18_2_00449373
Source: C:\Windows\SysWOW64\dialer.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 18_2_00449440
Source: C:\Windows\SysWOW64\dialer.exe Code function: GetLocaleInfoA, 18_2_0040D585
Source: C:\Windows\SysWOW64\dialer.exe Code function: EnumSystemLocalesW, 18_2_00440B61
Source: C:\Windows\SysWOW64\dialer.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 18_2_00448B08
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0042F2AB cpuid 8_2_0042F2AB
Source: C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_00404E64 GetLocalTime,CreateEventA,CreateThread, 8_2_00404E64
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_0044190C _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 8_2_0044190C
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 8_2_004166F6 GetComputerNameExW,GetUserNameW, 8_2_004166F6

Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match File source: 8.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.10591897.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.10591897.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.10591897.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.dialer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.secinit.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mobsync.exe.10591897.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.492585881.00000000030E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.331608026.0000000002F98000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.356991304.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.356879289.00000000006E8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.492970715.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.331771013.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mobsync.exe PID: 4692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dialer.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: secinit.exe PID: 6672, type: MEMORYSTR
Contains functionality to steal Firefox passwords or cookies
Source: C:\Windows\SysWOW64\mobsync.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_0040A3AF
Source: C:\Windows\SysWOW64\mobsync.exe Code function: \key3.db 8_2_0040A3AF
Source: C:\Windows\SysWOW64\dialer.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 18_2_0040A3AF
Source: C:\Windows\SysWOW64\dialer.exe Code function: \key3.db 18_2_0040A3AF
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\SysWOW64\mobsync.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_0040A291
Source: C:\Windows\SysWOW64\dialer.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 18_2_0040A291
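The two signatures above show the unpacked payload referencing the Firefox profile key store and Chrome's Login Data SQLite file. Note that key3.db is the legacy key database: Firefox 58 and later keep the master key in key4.db and saved logins in logins.json, so this stealer routine as written only recovers passwords from old profiles. The Python below is an added detection example, not code from the report, the sandbox or Remcos: it evaluates constructed file-access events (accessing image, target file) against credential-store path patterns, treats the browser's own image as expected, and raises severity when the reader is a 32-bit system binary under SysWOW64 such as mobsync.exe or dialer.exe, which is exactly the hollowed host this report shows. The key4.db, logins.json and Cookies patterns, the severity scale and the sample events are this example's additions.

```python
import re

# Credential stores: key3.db and "Login Data" appear in the report; key4.db,
# logins.json and Cookies are added here as the current equivalents (assumption).
CRED_STORE_RULES = [
    ("firefox", re.compile(
        r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\"
        r"(key3\.db|key4\.db|logins\.json)$", re.I)),
    ("chrome", re.compile(
        r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\"
        r"(Login Data|Cookies)$", re.I)),
]
# Images that legitimately open each store.
EXPECTED_IMAGES = {"firefox": {"firefox.exe"}, "chrome": {"chrome.exe"}}
# 32-bit system binaries under SysWOW64: the hollowed hosts in this report.
SYSWOW64_RE = re.compile(r"^C:\\Windows\\SysWOW64\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """event = {"image": accessing process path, "target": file path}.
    Returns None when benign, otherwise a finding dict."""
    for store, rx in CRED_STORE_RULES:
        if not rx.search(event["target"]):
            continue
        if basename(event["image"]) in EXPECTED_IMAGES[store]:
            return None                      # the browser reading its own store
        return {
            "store": store,
            "image": event["image"],
            "target": event["target"],
            # a SysWOW64 system binary has no reason to open a browser key store
            "severity": "high" if SYSWOW64_RE.match(event["image"]) else "medium",
        }
    return None


def scan(events):
    return [f for f in map(evaluate, events) if f]


# Constructed events modelled on this report's process tree (not sandbox output).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\mobsync.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\key3.db"},
    {"image": r"C:\Windows\SysWOW64\dialer.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\key4.db"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"image": r"C:\Windows\SysWOW64\mobsync.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\prefs.js"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["store"], basename(f["image"]), "->", f["target"])
```

The allowlist is deliberately by image name only; in production, pair it with a signer or hash check on the image, since a hollowed process keeps the image path of its host and a RAT could just as well hollow the browser itself.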

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match File source: same match set as listed under Stealing of Sensitive Information above (unpacked PE regions at 400000, 500000, 10590000 and 10591897 and the memory dumps of mobsync.exe PID 4692, dialer.exe PID 6544 and secinit.exe PID 6672)
Detected Remcos RAT
Source: mobsync.exe String found in binary or memory: Remcos_Mutex_Inj
Source: mobsync.exe, 00000008.00000002.491601903.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov|
Source: dialer.exe String found in binary or memory: Remcos_Mutex_Inj
Source: dialer.exe, 00000012.00000002.331374887.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov|
Source: secinit.exe, 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: secinit.exe, 00000013.00000002.356743910.0000000000500000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov|
Contains functionality to launch and control a shell (cmd.exe)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: cmd.exe 8_2_0040559D
Source: C:\Windows\SysWOW64\dialer.exe Code function: cmd.exe 18_2_0040559D