Windows Analysis Report
INV NO -609983773 60983768.exe

Overview

General Information

Sample Name: INV NO -609983773 60983768.exe
Analysis ID: 715073
MD5: 4e06d9889629e7ff0faba3b139dcc950
SHA1: 11db4a20ec8fc4a88bc5b75dc5de730e719b9f57
SHA256: 341b6ff76b63e3e74b8fd97b301462f9a6544405946271b7766c4ff4c8c28150
Tags: exe

Detection

Name: Remcos
Score: 76 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
.NET source code references suspicious native API functions
Machine Learning detection for sample
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

AV Detection

Source: INV NO -609983773 60983768.exe Virustotal: Detection: 9%
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR
Source: INV NO -609983773 60983768.exe Joe Sandbox ML: detected
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack Malware Configuration Extractor: Remcos
{
  "Version": "3.8.0 Pro",
  "Host:Port:Password": "172.111.234.110:5888",
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Remcos",
  "Hide file": "Disable",
  "Mutex": "Rmc-O7I9HK",
  "Keylog flag": "0",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Source: INV NO -609983773 60983768.exe, 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: INV NO -609983773 60983768.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
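The extracted configuration above is the most actionable part of this report. The following Python is an added example, not part of the Joe Sandbox output or of any Remcos tooling: it turns the configuration into network and host indicators and records which persistence artefacts the build would actually produce. The configuration dict is copied from the report (abridged to the keys used); the '|' separator for multiple C2 entries and the registry paths mapped from the "Setup HKCU\Run" / "Setup HKLM\Run" flags are my assumptions, not values taken from the report.

```python
import json
from typing import Dict, List, Optional

# Constructed input: the configuration block the report's Malware Configuration
# Extractor prints for this sample, abridged to the keys this script uses.
REMCOS_CONFIG_JSON = r'''{"Version": "3.8.0 Pro", "Host:Port:Password": "172.111.234.110:5888",
"Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable",
"Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path",
"Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-O7I9HK",
"Keylog flag": "0", "Keylog file": "logs.dat", "Delete file": "Disable"}'''

# Assumption: which registry Run key each "Setup ... Run" flag refers to.
RUN_KEYS = {
    "Setup HKCU\\Run": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "Setup HKLM\\Run": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}


def parse_c2_entries(field: str) -> List[Dict[str, Optional[object]]]:
    """Split the 'Host:Port:Password' field into C2 entries.

    Assumptions: several entries may be joined with '|', and the password part may be
    absent, as it is in this sample ("172.111.234.110:5888"). IPv6 literals are not handled.
    """
    entries: List[Dict[str, Optional[object]]] = []
    for raw in field.split("|"):
        raw = raw.strip()
        if not raw:
            continue
        host, _, rest = raw.partition(":")
        port_str, _, password = rest.partition(":")
        port = int(port_str) if port_str.isdigit() else None
        entries.append({"host": host, "port": port, "password": password})
    return entries


def host_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    """Host-based artefacts, keyed on whether the build installs itself at all."""
    install = cfg.get("Install flag") == "Enable"
    run_values = [
        f"{path}\\{cfg['Startup value']}"
        for key, path in RUN_KEYS.items()
        if cfg.get(key) == "Enable"
    ]
    return {
        "mutex": cfg["Mutex"],
        "install_enabled": install,
        # Copy file and Run values only materialise when the install flag is on.
        "copy_file": cfg.get("Copy file") if install else None,
        "run_values": run_values,
        "persistence_expected": install and bool(run_values),
        "keylog_file": cfg.get("Keylog file") if cfg.get("Keylog flag", "0") != "0" else None,
    }


def build_report(config_json: str) -> Dict[str, object]:
    cfg = json.loads(config_json)
    return {
        "version": cfg["Version"],
        "c2": parse_c2_entries(cfg["Host:Port:Password"]),
        "connect_interval": int(cfg["Connect interval"]),
        "host": host_iocs(cfg),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(REMCOS_CONFIG_JSON), indent=2))
```

Note the caveat this surfaces: "Install flag" is Disable in this build, so the "Setup HKCU\Run" / "Setup HKLM\Run" and "Copy file" settings are latent. That is consistent with the rest of the report, which records a single created file (the CLR UsageLogs entry) and no Run value; hunt on the mutex Rmc-O7I9HK and the C2 endpoint rather than on a Run value named Remcos.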

Networking

Source: Malware configuration extractor URLs: 172.111.234.110
Source: INV NO -609983773 60983768.exe String found in binary or memory: http://fsf.org/
Source: INV NO -609983773 60983768.exe, 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, INV NO -609983773 60983768.exe, 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: INV NO -609983773 60983768.exe String found in binary or memory: http://itextpdf.com/terms-of-use/
Source: INV NO -609983773 60983768.exe String found in binary or memory: http://www.gnu.org/licenses
Source: INV NO -609983773 60983768.exe String found in binary or memory: http://www.gnu.org/licenses/
Source: INV NO -609983773 60983768.exe String found in binary or memory: http://www.gnu.org/licenses/gpl-faq.html#FontException
Source: INV NO -609983773 60983768.exe String found in binary or memory: https://opensource.bulkpdf.de/
Source: INV NO -609983773 60983768.exe String found in binary or memory: https://opensource.bulkpdf.de/Whttps://opensource.bulkpdf.de/documentation
Source: INV NO -609983773 60983768.exe String found in binary or memory: https://opensource.bulkpdf.de/documentation

E-Banking Fraud

Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR

System Summary

Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: INV NO -609983773 60983768.exe Static PE information: No import functions for PE file found
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: INV NO -609983773 60983768.exe Binary or memory string: OriginalFilename vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000002.242964715.0000013DA2109000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000000.237710745.0000013DA1F42000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBulkPDF.exe0 vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000002.243176170.0000013DA2420000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe Binary or memory string: OriginalFilenameBulkPDF.exe0 vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe Virustotal: Detection: 9%
Source: INV NO -609983773 60983768.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: INV NO -609983773 60983768.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: unknown Process created: C:\Users\user\Desktop\INV NO -609983773 60983768.exe C:\Users\user\Desktop\INV NO -609983773 60983768.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe (5 child processes, each launched with no command-line arguments)
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\INV NO -609983773 60983768.exe.log
Source: classification engine Classification label: mal76.troj.evad.winEXE@11/1@0/0
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: INV NO -609983773 60983768.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: INV NO -609983773 60983768.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe Code function: 0_2_00007FFDC3A1000A push fs; ret 0_2_00007FFDC3A1004B
Source: initial sample Static PE information: section name: .text entropy: 7.3605775158149305
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe Process information set: NOOPENFILEERRORBOX (17 identical entries)
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe TID: 5164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe Memory allocated: page read and write | page guard
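The process tree above is the behaviour a defender can detect independently of the Remcos signature: a .NET stub (the version info names it RunpeX.Stub.Framework.exe) starts the framework utility RegAsm.exe with no arguments, repeatedly, and the report flags the launches as suspended-mode creation. The following Python is an added example, not part of the Joe Sandbox report or of any vendor product: it runs that logic over constructed Sysmon-style process-creation events modelled on this report's tree (PID 6048 is the sample's PID from the report; the other PIDs, the parent-name allow list and the list of host binaries beyond RegAsm.exe are assumptions to tune per environment) and flags the five RegAsm.exe launches while leaving a Visual Studio launch with arguments alone.

```python
import ntpath
from collections import Counter
from typing import Dict, List

# .NET framework utilities used as hollowing hosts by RunPE-style .NET stubs.
# RegAsm.exe is what this report shows; the rest are an assumption.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}

# Parents that start these tools in normal development work (assumption; tune per environment).
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe", "cmd.exe", "powershell.exe"}

SAMPLE = r"C:\Users\user\Desktop\INV NO -609983773 60983768.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"

# Constructed events modelled on the report's process tree: the sample (PID 6048 in the
# report) starts RegAsm.exe five times with a bare command line. The last event is a
# benign launch from Visual Studio, added for contrast.
EVENTS: List[Dict[str, object]] = [
    {"ProcessId": 6048, "ParentProcessId": 4520, "Image": SAMPLE, "CommandLine": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe"},
]
EVENTS += [
    {"ProcessId": 6100 + i, "ParentProcessId": 6048, "Image": REGASM, "CommandLine": REGASM,
     "ParentImage": SAMPLE}
    for i in range(5)
]
EVENTS.append(
    {"ProcessId": 7000, "ParentProcessId": 5200, "Image": REGASM,
     "CommandLine": f'"{REGASM}" /codebase C:\\build\\MyCom.dll',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"}
)


def _norm(path: str) -> str:
    # Strip surrounding quotes so a quoted and an unquoted bare path compare equal;
    # unquoted paths with spaces (as in the sample's own name) are also handled.
    return path.strip().strip('"').strip().lower()


def has_no_arguments(image: str, command_line: str) -> bool:
    """True when the command line is nothing but the image path."""
    return _norm(command_line) == _norm(image)


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag .NET host binaries started with no arguments or from an unexpected parent."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        image_name = ntpath.basename(str(ev["Image"])).lower()
        if image_name not in DOTNET_HOSTS:
            continue
        parent_name = ntpath.basename(str(ev["ParentImage"])).lower()
        reasons: List[str] = []
        if has_no_arguments(str(ev["Image"]), str(ev["CommandLine"])):
            reasons.append("no command-line arguments")
        if parent_name not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent_name}")
        if reasons:
            alerts.append({
                "ProcessId": ev["ProcessId"],
                "ParentProcessId": ev["ParentProcessId"],
                "Image": image_name,
                "reasons": reasons,
            })
    return alerts


def repeated_spawns(alerts: List[Dict[str, object]], threshold: int = 3) -> Dict[int, int]:
    """Parents that spawned a flagged host at least `threshold` times; a stub retrying
    injection, as in this report, shows up here even if each single launch looks dull."""
    counts = Counter(int(a["ParentProcessId"]) for a in alerts)
    return {pid: n for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(a)
    print("repeat offenders:", repeated_spawns(found))
```

The no-arguments test is the strong signal: RegAsm.exe with nothing to register does no useful work, so a bare command line from a non-development parent is worth an alert on its own. The repeat counter is the secondary signal for this sample, where the host was started five times and the Remcos payload was only ever matched in the parent's memory (PID 6048), with no contacted IPs recorded.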

HIPS / PFW / Operating System Protection Evasion

Source: INV NO -609983773 60983768.exe, BIDEN_HARRIS=>1housand/BIDEN_HARRIS=>Follo8ing.cs Reference to suspicious API methods: ('BIDEN_HARRIS=>6housand', 'VirtualProtect@kernel32.dll'), ('BIDEN_HARRIS=>Contra3t', 'GetProcAddress@kernel32.dll'), ('BIDEN_HARRIS=>Loa8', 'LoadLibrary@kernel32.dll')
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe (5 times)
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe Queries volume information: C:\Users\user\Desktop\INV NO -609983773 60983768.exe VolumeInformation
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR

No contacted IP infos