Windows Analysis Report DW1VgsgHNU.exe

Overview

General Information

Sample Name:	DW1VgsgHNU.exe
Analysis ID:	491400
MD5:	b30b9c1d23026ff24f234a07a557dc83
SHA1:	044ceea8b2fb554e2fdd7bcf4d695dded3a58d3b
SHA256:	c54b1a3af48ef7f70434b9e90c33b4bcdccfbd20339d8164e34957890c67f888
Tags:	exeRemcosRAT
Infos:
Most interesting Screenshot:

Detection

GuLoader Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Multi AV Scanner detection for submitted file

GuLoader behavior detected

Yara detected Remcos RAT

Yara detected GuLoader

Hides threads from debuggers

Tries to detect Any.run

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Uses dynamic DNS services

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Abnormal high CPU Usage

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp	Malware Configuration Extractor: Remcos {"Host:Port:Password": "dyn-wave.duckdns.org:1144:1dyn-wave.duckdns.org:2404:0", "Assigned name": "RemoteHost_NEW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-2LBKGP", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}
Source: 00000001.00000002.499884696.00000000005A0000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "http://dypage.duckdns.org/remcos_d_QUBXVO174"}

Multi AV Scanner detection for submitted file

Source: DW1VgsgHNU.exe

Virustotal: Detection: 20%

Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DW1VgsgHNU.exe PID: 2800, type: MEMORYSTR

Machine Learning detection for sample

Source: DW1VgsgHNU.exe

Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe

Code function: 1_2_00402520 CryptDestroyHash,

1_2_00402520

Compliance:

Uses 32bit PE files

Source: DW1VgsgHNU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: dyn-wave.duckdns.org
Source: Malware configuration extractor	URLs: http://dypage.duckdns.org/remcos_d_QUBXVO174

Uses dynamic DNS services

Source: unknown	DNS query: name: dypage.duckdns.org
Source: unknown	DNS query: name: dyn-wave.duckdns.org

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /remcos_d_QUBXVO174.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: dypage.duckdns.orgCache-Control: no-cache

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49893 -> 23.146.241.70:1144

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: VDI-NETWORKUS VDI-NETWORKUS
Source: Joe Sandbox View	ASN Name: VDI-NETWORKUS VDI-NETWORKUS

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 23.146.242.85 23.146.242.85

Source: DW1VgsgHNU.exe, 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: http://dypage.duckdns.org/remcos_d_QUBXVO174.bin
Source: DW1VgsgHNU.exe, 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: http://dypage.duckdns.org/remcos_d_QUBXVO174.binD
Source: DW1VgsgHNU.exe, 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: http://dypage.duckdns.org/remcos_d_QUBXVO174.binE

Source: unknown

DNS traffic detected: queries for: dypage.duckdns.org

Source: global traffic

HTTP traffic detected: GET /remcos_d_QUBXVO174.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: dypage.duckdns.orgCache-Control: no-cache

E-Banking Fraud:

Yara detected Remcos RAT

Source: Yara match	File source: 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DW1VgsgHNU.exe PID: 2800, type: MEMORYSTR

System Summary:

Potential malicious icon found

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Uses 32bit PE files

Source: DW1VgsgHNU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Sample file is different than original file name gathered from version info

Source: DW1VgsgHNU.exe, 00000001.00000000.242528368.000000000042D000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSrklasse4.exe vs DW1VgsgHNU.exe
Source: DW1VgsgHNU.exe, 00000019.00000000.498515700.000000000042D000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSrklasse4.exe vs DW1VgsgHNU.exe
Source: DW1VgsgHNU.exe	Binary or memory string: OriginalFilenameSrklasse4.exe vs DW1VgsgHNU.exe

PE file contains strange resources

Source: DW1VgsgHNU.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Contains functionality to call native functions

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Code function: 25_2_0056EED3 Sleep,NtProtectVirtualMemory,	25_2_0056EED3
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Code function: 25_2_0056ED3B NtProtectVirtualMemory,	25_2_0056ED3B
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Code function: 25_2_0056EDD4 NtProtectVirtualMemory,	25_2_0056EDD4
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Code function: 25_2_0056ED50 NtProtectVirtualMemory,	25_2_0056ED50
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Code function: 25_2_0056EF19 NtProtectVirtualMemory,	25_2_0056EF19
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Code function: 25_2_0056ED2E NtProtectVirtualMemory,	25_2_0056ED2E

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe

Process Stats: CPU usage > 98%

Source: DW1VgsgHNU.exe

Virustotal: Detection: 20%

Source: DW1VgsgHNU.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DW1VgsgHNU.exe 'C:\Users\user\Desktop\DW1VgsgHNU.exe'
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Process created: C:\Users\user\Desktop\DW1VgsgHNU.exe 'C:\Users\user\Desktop\DW1VgsgHNU.exe'
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Process created: C:\Users\user\Desktop\DW1VgsgHNU.exe 'C:\Users\user\Desktop\DW1VgsgHNU.exe'	Jump to behavior

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-2LBKGP

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@3/0@2/2

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.499884696.00000000005A0000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Code function: 1_2_00409ABA pushad ; iretd		1_2_00409ABB
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Code function: 1_2_00407B13 push ecx; retf		1_2_00407B14

Source: initial sample

Static PE information: section name: .text entropy: 6.92804161947

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe

System information queried: ModuleInformation

Jump to behavior

Source: DW1VgsgHNU.exe, 00000019.00000002.767758753.00000000009A1000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: DW1VgsgHNU.exe, 00000019.00000002.767758753.00000000009A1000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW,

Anti Debugging:

Hides threads from debuggers

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\DW1VgsgHNU.exe	Thread information set: HideFromDebugger			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\DW1VgsgHNU.exe

Process created: C:\Users\user\Desktop\DW1VgsgHNU.exe 'C:\Users\user\Desktop\DW1VgsgHNU.exe'

Jump to behavior

Source: DW1VgsgHNU.exe, 00000019.00000002.768074297.0000000000ED0000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: DW1VgsgHNU.exe, 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp	Binary or memory string: Program Manager
Source: DW1VgsgHNU.exe, 00000019.00000002.768074297.0000000000ED0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: DW1VgsgHNU.exe, 00000019.00000002.768074297.0000000000ED0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: DW1VgsgHNU.exe, 00000019.00000002.768074297.0000000000ED0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: DW1VgsgHNU.exe, 00000019.00000002.767758753.00000000009A1000.00000004.00000020.sdmp	Binary or memory string: \|Program Manager\|
Source: DW1VgsgHNU.exe, 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp	Binary or memory string: Program ManagerY

Stealing of Sensitive Information:

GuLoader behavior detected

Source: Initial file

Signature Results: GuLoader behavior

Yara detected Remcos RAT

Source: Yara match	File source: 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DW1VgsgHNU.exe PID: 2800, type: MEMORYSTR

Remote Access Functionality:

Yara detected Remcos RAT

Source: Yara match	File source: 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DW1VgsgHNU.exe PID: 2800, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.146.241.70	dyn-wave.duckdns.org	Reserved		46664	VDI-NETWORKUS	true
23.146.242.85	dypage.duckdns.org	Reserved		46664	VDI-NETWORKUS	true

Contacted Domains

Name	IP	Active
dypage.duckdns.org	23.146.242.85	true
dyn-wave.duckdns.org	23.146.241.70	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://dypage.duckdns.org/remcos_d_QUBXVO174.bin	false	Avira URL Cloud: safe	unknown
dyn-wave.duckdns.org	true	Avira URL Cloud: safe	unknown
http://dypage.duckdns.org/remcos_d_QUBXVO174	true	Avira URL Cloud: safe	unknown

ID:	491400
Product:	CloudBasic
Start time:	14:52:48
Start date:	27.09.2021
Sample:	DW1VgsgHNU.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	b30b9c1d23026ff24f234a07a557dc83
SHA1:	044ceea8b2fb554e2fdd7bcf4d695dded3a58d3b
SHA256:	c54b1a3af48ef7f70434b9e90c33b4bcdccfbd20339d8164e34957890c67f888
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Windows Analysis Report DW1VgsgHNU.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Cryptography:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs