Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.622449628761002
Filename:	RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Filesize:	792576
MD5:	06534c059b111776b838f793c6444622
SHA1:	7ebda7124a60de107a00960d9fe0563fd3cd2760
SHA256:	933a4d2abfdf0f91550a102808d00adace6eb9df89ea9e254e2df7601b02dd8f
SHA512:	9e1498b78d6682f1cde8717a85570df742d4fa2d7c59d554afb938af4db1eeffb13522682068d81efc676ddd4dd80741abcf1b1ae94560b01ad2c4fdf69d9cdd
SSDEEP:	6144:5CZ5dEs7ZrwziKYDZ2/avaYvqfbUacyHeP/hz0Xkb5fjUOCMXjqfZPFVb/4rr7ZW:QZ5l7ZrwzLCMHHi5rUlI64rimoAzyZV
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation Process Injection
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
PE file contains strange resources	System Summary
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Sample reads its own file content	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder Access Token Manipulation File and Directory Discovery
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary	Security Software Discovery
Reads the hosts file	System Summary	Remote System Discovery

C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe
Category:	dropped
Dump:	Cshgvzx.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.622449628761002
Encrypted:	false
Ssdeep:	6144:5CZ5dEs7ZrwziKYDZ2/avaYvqfbUacyHeP/hz0Xkb5fjUOCMXjqfZPFVb/4rr7ZW:QZ5l7ZrwzLCMHHi5rUlI64rimoAzyZV
Size:	792576
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads the hosts file	System Summary	Remote System Discovery
Spawns processes	System Summary	Process Injection

C:\Users\Public\Libraries\xzvghsC.url

MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Cshgvzx\\Cshgvzx.exe">), ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\Public\Libraries\xzvghsC.url
Category:	dropped
Dump:	xzvghsC.url.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Cshgvzx\\Cshgvzx.exe">), ASCII text, with CRLF line terminators
Entropy:	4.866547012067739
Encrypted:	false
Ssdeep:	3:HRAbABGQYmTWAX+rSF55i0XMKf6ABvsGKd7ovn:HRYFVmTWDyz/vsb7yn
Size:	96
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Cshgvzxpdvyucjurgvmywubhtofxefb[1]

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Cshgvzxpdvyucjurgvmywubhtofxefb[1]
Category:	dropped
Dump:	Cshgvzxpdvyucjurgvmywubhtofxefb[1].6.dr
ID:	dr_3
Target ID:	6
Process:	C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe
Type:	data
Entropy:	7.997266864646308
Encrypted:	true
Ssdeep:	12288:VIjmqCh/9ePXG9kqy8Yc73pGyho53rgTgbPJ+H7it/rEj/sOf3rr:HqCh8vM3FYZy65cTgbE76z9Of/
Size:	579072
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Cshgvzxpdvyucjurgvmywubhtofxefb[2]

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Cshgvzxpdvyucjurgvmywubhtofxefb[2]
Category:	dropped
Dump:	Cshgvzxpdvyucjurgvmywubhtofxefb[2].11.dr
ID:	dr_4
Target ID:	11
Process:	C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe
Type:	data
Entropy:	7.997266864646308
Encrypted:	true
Ssdeep:	12288:VIjmqCh/9ePXG9kqy8Yc73pGyho53rgTgbPJ+H7it/rEj/sOf3rr:HqCh8vM3FYZy65cTgbE76z9Of/
Size:	579072
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

'C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe'

Details

Is windows:	false
Is dropped:	false
PID:	5256
Target ID:	0
Parent PID:	1456
Name:	RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Path:	C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Commandline:	'C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe'
Size:	792576
MD5:	06534C059B111776B838F793C6444622
Time:	18:16:33
Date:	07/09/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1155072
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Initial sample is a PE file and has a suspicious name	System Summary
PE file contains strange resources	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe

'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe'

Details

Is windows:	false
Is dropped:	true
PID:	5384
Target ID:	6
Parent PID:	3472
Name:	Cshgvzx.exe
Path:	C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe
Commandline:	'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe'
Size:	792576
MD5:	06534C059B111776B838F793C6444622
Time:	18:16:52
Date:	07/09/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1155072
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\mobsync.exe

C:\Windows\System32\mobsync.exe

Details

Is windows:	true
Is dropped:	false
PID:	4692
Target ID:	8
Parent PID:	5256
Name:	mobsync.exe
Path:	C:\Windows\SysWOW64\mobsync.exe
Commandline:	C:\Windows\System32\mobsync.exe
Size:	93184
MD5:	44C19378FA529DD88674BAF647EBDC3C
Time:	18:16:59
Date:	07/09/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff797770000
Modulesize:	65536
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected Remcos RAT	Remote Access Functionality	Remote Access Software
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Public key (encryption) found	Cryptography	Archive Collected Data
Spawns processes	System Summary	Process Injection

C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe

'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe'

Details

Is windows:	false
Is dropped:	true
PID:	5296
Target ID:	11
Parent PID:	3472
Name:	Cshgvzx.exe
Path:	C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe
Commandline:	'C:\Users\Public\Libraries\Cshgvzx\Cshgvzx.exe'
Size:	792576
MD5:	06534C059B111776B838F793C6444622
Time:	18:17:00
Date:	07/09/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1155072
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\dialer.exe

C:\Windows\System32\dialer.exe

Details

Is windows:	true
Is dropped:	false
PID:	6544
Target ID:	18
Parent PID:	5384
Name:	dialer.exe
Path:	C:\Windows\SysWOW64\dialer.exe
Commandline:	C:\Windows\System32\dialer.exe
Size:	32768
MD5:	F176211F7372248224D02AC023573870
Time:	18:17:20
Date:	07/09/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xe10000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected Remcos RAT	Remote Access Functionality	Remote Access Software
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\secinit.exe

C:\Windows\System32\secinit.exe

Details

Is windows:	true
Is dropped:	false
PID:	6672
Target ID:	19
Parent PID:	5296
Name:	secinit.exe
Path:	C:\Windows\SysWOW64\secinit.exe
Commandline:	C:\Windows\System32\secinit.exe
Size:	9728
MD5:	174A363BB5A2D88B224546C15DD10906
Time:	18:17:32
Date:	07/09/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x12a0000
Modulesize:	24576
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a thread in another existing process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

204.44.86.179

Details

Name:	204.44.86.179
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Domains

Name

Malicious

cdn.discordapp.com

162.159.135.233

Details

Name:	cdn.discordapp.com
IP:	162.159.135.233
TargetID:	0
Current Path:	C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

204.44.86.179

unknown

United States

Details

IP:	204.44.86.179
TargetID:	8
Current Path:	C:\Windows\SysWOW64\mobsync.exe
Country:	United States
Countrycode:	USA
ASN number:	8100
ASN name:	ASN-QUADRANET-GLOBALUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

192.168.2.1

unknown

162.159.135.233

cdn.discordapp.com

United States

Details

IP:	162.159.135.233
TargetID:	0
Current Path:	C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	cdn.discordapp.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe

Cshgvzx

Details

TargetID:	0
Path:	C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe
Commandline:	'C:\Users\user\Desktop\RFQ-Order_Sheet#43254363-Sept-21_signed-copy.exe'
Value name:	Cshgvzx
Value data:	C:\Users\Public\Libraries\xzvghsC.url

Signature Hits	Behavior Group	Mitre Attack
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

C:\Windows\SysWOW64\mobsync.exe

exepath

C:\Windows\SysWOW64\mobsync.exe

licence

Memdumps

Base Address

Regiontype

Protect

Malicious

30E7000

heap default

page read and write

2F98000

heap default

page read and write

500000

unkown

page execute and read and write

10590000

unkown

page execute and read and write

400000

unkown

page execute and read and write

400000

unkown

page execute and read and write

6E8000

heap default

page read and write

10590000

unkown

page execute and read and write

10590000

unkown

page execute and read and write

1040000

unkown

page read and write

10590000

unkown

page execute and read and write

3F24000

unkown

page read and write

3D30000

unkown

page read and write

2448000

unkown

page read and write

21CC000

unkown

page read and write

3F44000

unkown

page read and write

24C8000

unkown

page read and write

2468000

unkown

page read and write

24A0000

unkown

page read and write

8EE000

unkown

page read and write

3D60000

unkown

page read and write

6E0000

heap default

page read and write

11CF27F000

unkown

page read and write

3D30000

unkown

page read and write

2B528990000

unkown

page read and write

3220000

heap default

page read and write

3ED8000

unkown

page read and write

401000

unkown image

page execute read

3DB0000

unkown

page read and write

128ECA90000

unkown

page read and write

D20000

unkown

page execute and read and write

243C000

unkown

page read and write

21C0000

unkown

page read and write

3EA8000

unkown

page read and write

3ED8000

unkown

page read and write

3F08000

unkown

page read and write

3FE8000

unkown

page read and write

4044000

unkown

page read and write

3EF8000

unkown

page read and write

36E0000

unkown

page read and write

3FE8000

unkown

page read and write

128EB725000

unkown

page read and write

30E7000

heap default

page read and write

21E0000

unkown

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps