
Windows Analysis Report xxTzyGLZx5.exe

Overview

General Information

Sample Name: xxTzyGLZx5.exe
Analysis ID: 535501
MD5: d5f570694f0847caea18ccac8837b052
SHA1: b509737bb61ae0e9dee56ca2706456b3788ce553
SHA256: ea209f6ba95920038ac83985be8bcffc1fda49631ed3142cfdd9f2acd52584b1
Tags: exe, RAT, RemcosRAT

Detection

Detected families: Remcos, AgentTesla, AveMaria, HawkEye, MailPassView, SpyEx, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Yara detected AgentTesla
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
Yara detected SpyEx stealer
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Creates multiple autostart registry keys
Sigma detected: Suspicious Script Execution From Temp Folder
Connects to many ports of the same IP (likely port scanning)
Uses cmd line tools excessively to alter registry or file data
Contains functionality to steal Firefox passwords or cookies
Writes or reads registry keys via WMI
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Contains functionality to inject code into remote processes
Sigma detected: WScript or CScript Dropper
Creates a thread in another existing process (thread injection)
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Installs a global keyboard hook
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Increases the number of concurrent connections per server for Internet Explorer
.NET source code references suspicious native API functions
Delayed program exit found
Contains functionality to hide user accounts
Contains functionality to log keystrokes (.Net Source)
Hides user accounts
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Contains functionality to steal Chrome passwords or cookies
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Uses reg.exe to modify the Windows registry
Spawns drivers
PE file contains more sections than normal
Yara detected Keylogger Generic
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Contains capabilities to detect virtual machines
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • xxTzyGLZx5.exe (PID: 6780 cmdline: "C:\Users\user\Desktop\xxTzyGLZx5.exe" MD5: D5F570694F0847CAEA18CCAC8837B052)
    • xxTzyGLZx5.exe (PID: 7008 cmdline: "C:\Users\user\Desktop\xxTzyGLZx5.exe" MD5: D5F570694F0847CAEA18CCAC8837B052)
      • bin.exe (PID: 7116 cmdline: "C:\Users\user\AppData\Local\Temp\bin.exe" 0 MD5: 805FBB84293E86F25B566A5B2C2815D2)
        • powershell.exe (PID: 6324 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
          • conhost.exe (PID: 2524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 5984 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 1328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • rem9090sta.exe (PID: 7136 cmdline: "C:\Users\user\AppData\Local\Temp\rem9090sta.exe" 0 MD5: 083D4CDE33E6721F595A468BB7D17ADA)
        • cmd.exe (PID: 7156 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 6204 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • wscript.exe (PID: 3740 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 6620 cmdline: C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Remcos\remcos.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • remcos.exe (PID: 3228 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe MD5: 083D4CDE33E6721F595A468BB7D17ADA)
  • remcos.exe (PID: 4200 cmdline: "C:\Users\user\AppData\Roaming\Remcos\remcos.exe" MD5: 083D4CDE33E6721F595A468BB7D17ADA)
    • cmd.exe (PID: 6076 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 7092 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • remcos.exe (PID: 3228 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\jmtceghqeepjeivm" MD5: 083D4CDE33E6721F595A468BB7D17ADA)
    • remcos.exe (PID: 7100 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\moyvwyrrsmhoowrqsha" MD5: 083D4CDE33E6721F595A468BB7D17ADA)
    • remcos.exe (PID: 4720 cmdline: C:\Users\user\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\wilgxqclgvztqcfubsndyj" MD5: 083D4CDE33E6721F595A468BB7D17ADA)
    • dwn.exe (PID: 6476 cmdline: "C:\Users\user\AppData\Roaming\Remcos\dwn.exe" MD5: 32EB10C12A29B38F13730CD1F5DCAD4D)
      • 21.exe (PID: 3064 cmdline: "C:\Users\user\AppData\Local\Temp\21.exe" 0 MD5: 6C9447A6F1B04C75D95594338AE61E06)
        • 21.exe (PID: 1900 cmdline: "C:\Users\user\AppData\Local\Temp\21.exe" 0 MD5: 6C9447A6F1B04C75D95594338AE61E06)
      • 5.exe (PID: 5212 cmdline: "C:\Users\user\AppData\Local\Temp\5.exe" 0 MD5: 3F332B62EEE0970F3189C689D5BD042A)
        • 5.exe (PID: 1020 cmdline: "C:\Users\user\AppData\Local\Temp\5.exe" 0 MD5: 3F332B62EEE0970F3189C689D5BD042A)
          • Windows Update.exe (PID: 3980 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
            • Windows Update.exe (PID: 6084 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 3F332B62EEE0970F3189C689D5BD042A)
              • dw20.exe (PID: 5276 cmdline: dw20.exe -x -s 2132 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
              • vbc.exe (PID: 980 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
              • vbc.exe (PID: 2932 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • 4.exe (PID: 6140 cmdline: "C:\Users\user\AppData\Local\Temp\4.exe" 0 MD5: 78EDE0254C66FA9E667E4CEB88754E1C)
        • 4.exe (PID: 1260 cmdline: "C:\Users\user\AppData\Local\Temp\4.exe" 0 MD5: 78EDE0254C66FA9E667E4CEB88754E1C)
  • rdpdr.sys (PID: 4 cmdline: MD5: 52A6CC99F5934CFAE88353C47B6193E7)
  • tsusbhub.sys (PID: 4 cmdline: MD5: 3A84A09CBC42148A0C7D00B3E82517F1)
  • bin.exe (PID: 6472 cmdline: "C:\Users\user\AppData\Local\Temp\bin.exe" MD5: 805FBB84293E86F25B566A5B2C2815D2)
  • remcos.exe (PID: 6416 cmdline: "C:\Users\user\AppData\Roaming\Remcos\remcos.exe" MD5: 083D4CDE33E6721F595A468BB7D17ADA)
  • cleanup
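The process tree above is itself a detection worklist: a Defender exclusion added from PowerShell, reg.exe turning EnableLUA off, WScript running a script out of %TEMP%, and a .NET compiler (vbc.exe) launched with the NirSoft /stext switch, which vbc.exe does not have, so the image must be a hollowed host for MailPassView/WebBrowserPassView. The following is an added example, not code from the Joe Sandbox report or from any of the malware families it names: it replays those behaviours as rules over process-creation events. The ProcEvent shape, the rule names, and SAMPLE_EVENTS are constructed for this example (modelled on the tree's command lines, not taken from a captured log); the list of hollowed hosts beyond vbc.exe is an assumption drawn from common loader practice.

```python
"""Process-creation rules modelled on the Joe Sandbox process tree above.
Added example; not report code and not Remcos/AgentTesla code. Event shape,
rule names and SAMPLE_EVENTS are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 shape)."""
    pid: int
    image: str         # full path of the new process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _in_user_temp(text: str) -> bool:
    return re.search(r"\\AppData\\Local\\Temp\\", text, re.I) is not None


def _has_stext(cmdline: str) -> bool:
    # /stext is the NirSoft "save report as text" switch (MailPassView,
    # WebBrowserPassView); compilers and services never take it.
    return re.search(r"\s/stext\s", cmdline, re.I) is not None


# Assumption: hosts beyond vbc.exe (which the report shows) are the ones
# AgentTesla/HawkEye-style loaders commonly hollow.
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "installutil.exe"}

# (rule name, predicate); each comment names the tree line it was written from.
RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    # PID 6324: powershell Add-MpPreference -ExclusionPath C:\
    ("defender_exclusion_added", lambda e:
        _base(e.image) in ("powershell.exe", "pwsh.exe")
        and re.search(r"Add-MpPreference\b.*-Exclusion", e.cmdline, re.I) is not None),
    # PIDs 6204/7092: reg.exe ADD HKLM\...\Policies\System /v EnableLUA /d 0
    ("uac_disabled_via_reg", lambda e:
        _base(e.image) == "reg.exe"
        and re.search(r"Policies\\System\b.*\bEnableLUA\b.*/d\s+0\b",
                      e.cmdline, re.I) is not None),
    # PID 3740: WScript.exe running install.vbs out of %TEMP%
    ("script_host_from_temp", lambda e:
        _base(e.image) in ("wscript.exe", "cscript.exe")
        and _in_user_temp(e.cmdline)
        and re.search(r"\.(vbs|vbe|js|jse|wsf)\b", e.cmdline, re.I) is not None),
    # PIDs 980/2932: vbc.exe /stext ... -> hollowed host running a NirSoft dumper
    ("nirsoft_stext_in_hollowed_host", lambda e:
        _has_stext(e.cmdline) and _base(e.image) in HOLLOW_HOSTS),
    # PIDs 3228/7100/4720: remcos.exe /stext ... run from %APPDATA%
    ("stext_from_user_profile", lambda e:
        _has_stext(e.cmdline)
        and re.search(r"\\AppData\\(Roaming|Local)\\", e.image, re.I) is not None),
    # PIDs 7116/3064/5212/6140: dropped PE in %TEMP% started with a lone "0"
    ("temp_pe_with_zero_arg", lambda e:
        _in_user_temp(e.image)
        and re.search(r'\.exe"?\s+0$', e.cmdline.strip()) is not None),
]


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every rule each event trips."""
    return [(e.pid, name) for e in events for name, pred in RULES if pred(e)]


# Constructed events modelled on the process tree above (not a captured log).
SAMPLE_EVENTS = [
    ProcEvent(7116, r"C:\Users\user\AppData\Local\Temp\bin.exe",
              r'"C:\Users\user\AppData\Local\Temp\bin.exe" 0',
              r"C:\Users\user\Desktop\xxTzyGLZx5.exe"),
    ProcEvent(6324, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Add-MpPreference -ExclusionPath C:\\",
              r"C:\Users\user\AppData\Local\Temp\bin.exe"),
    ProcEvent(6204, r"C:\Windows\System32\reg.exe",
              r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows"
              r"\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(3740, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"',
              r"C:\Users\user\AppData\Local\Temp\rem9090sta.exe"),
    ProcEvent(980, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"',
              r"C:\Users\user\AppData\Roaming\Windows Update.exe"),
    ProcEvent(3228, r"C:\Users\user\AppData\Roaming\Remcos\remcos.exe",
              r'C:\Users\user\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\user\AppData\Local\Temp\jmtceghqeepjeivm"',
              r"C:\Users\user\AppData\Roaming\Remcos\remcos.exe"),
    # benign control: should trip nothing
    ProcEvent(1234, r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

Each rule keys on the combination the tree shows (image plus argument shape) rather than on the binary name alone, since reg.exe, powershell.exe and vbc.exe are all legitimate; the `/stext` rules in particular separate a hollowed system binary from a stealer run from the user profile, which is the distinction between the HawkEye/AgentTesla stage and the Remcos stage in this tree.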

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\bin.exe | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
C:\Users\user\AppData\Local\Temp\bin.exe | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x191f0:$c1: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\bin.exe | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x144e8:$a1: \Opera Software\Opera Stable\Login Data
  • 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
C:\Users\user\AppData\Local\Temp\bin.exe | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
C:\Users\user\AppData\Local\Temp\bin.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Both Codoso_Gh0st rules fire on a single string, the COM elevation moniker Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} (the CMSTPLUA/ICMLuaUtil auto-elevation CLSID that UACMe and many commodity loaders use), so the match reflects the UAC-bypass code the JoeSecurity_UACMe rule also flags rather than anything Gh0st-specific; the APT name in the rule should not be read as attribution here.

Memory Dumps

Source | Rule | Description | Author | Strings
00000030.00000000.890118500.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000029.00000002.937591060.0000000000616000.00000004.00000020.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000029.00000002.937591060.0000000000616000.00000004.00000020.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000001F.00000000.728375820.0000000000454000.00000002.00020000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000001D.00000002.730867358.00000000000E4000.00000002.00020000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security