Windows Analysis Report
IMG-ZIRAATI03102022.exe

Overview

General Information

Sample Name: IMG-ZIRAATI03102022.exe
Analysis ID: 715079
MD5: 3b4a0b66d0415af1e216224497c59b4b
SHA1: d5f559097a703f155bad6b8610a48ea2dbd68b27
SHA256: 95c80a6add91050a965c4d38e3db1736c7cfc8c286e87c9d1c3aeb46ee3a95de
Tags: exe, geo, RemcosRAT, TUR, ZiraatBank

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • IMG-ZIRAATI03102022.exe (PID: 5820 cmdline: C:\Users\user\Desktop\IMG-ZIRAATI03102022.exe MD5: 3B4A0B66D0415AF1E216224497C59B4B)
    • powershell.exe (PID: 6036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • IMG-ZIRAATI03102022.exe (PID: 4124 cmdline: C:\Users\user\Desktop\IMG-ZIRAATI03102022.exe MD5: 3B4A0B66D0415AF1E216224497C59B4B)
      • wscript.exe (PID: 5032 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
  • FILE.exe (PID: 4184 cmdline: "C:\Users\user\AppData\Roaming\FILE.exe" MD5: 3B4A0B66D0415AF1E216224497C59B4B)
    • powershell.exe (PID: 2464 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • FILE.exe (PID: 6112 cmdline: C:\Users\user\AppData\Roaming\FILE.exe MD5: 3B4A0B66D0415AF1E216224497C59B4B)
  • cleanup

Malware Configuration

{
  "Version": "3.8.0 Pro",
  "Host:Port:Password": "remcapi.duckdns.org:2028:1",
  "Assigned name": "NEW",
  "Connect interval": "1",
  "Install flag": "Enable",
  "Setup HKCU\\Run": "Disable",
  "Setup HKLM\\Run": "Disable",
  "Install path": "Application path",
  "Copy file": "FILE.EXE",
  "Startup value": "file",
  "Hide file": "Disable",
  "Mutex": "Rmc-L9LQMY",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Enable",
  "Audio record time": "5"
}
Source | Rule | Description | Author | Strings
00000000.00000002.424695583.0000000005F60000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000003.406392535.00000000044C4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.416884855.0000000002F97000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0000000C.00000000.414784551.0000000000456000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000000.414784551.0000000000456000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x131e0:$a1: Remcos restarted by watchdog!
  • 0x13738:$a3: %02i:%02i:%02i:%03i
  • 0x13abd:$a4: * Remcos v
Source | Rule | Description | Author | Strings
0.2.IMG-ZIRAATI03102022.exe.5f60000.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.IMG-ZIRAATI03102022.exe.4173680.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.IMG-ZIRAATI03102022.exe.4173680.3.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen
  • 0x60100:$s1: \Classes\mscfile\shell\open\command
  • 0x60160:$s1: \Classes\mscfile\shell\open\command
  • 0x60148:$s2: eventvwr.exe
0.2.IMG-ZIRAATI03102022.exe.4173680.3.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x661e0:$a1: Remcos restarted by watchdog!
  • 0x66738:$a3: %02i:%02i:%02i:%03i
  • 0x66abd:$a4: * Remcos v
0.2.IMG-ZIRAATI03102022.exe.4173680.3.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x611e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6020c:$str_b2: Executing file:
  • 0x61328:$str_b3: GetDirectListeningPort
  • 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x60e30:$str_b7: \update.vbs
  • 0x60234:$str_b9: Downloaded file:
  • 0x60220:$str_b10: Downloading file:
  • 0x602c4:$str_b12: Failed to upload file:
  • 0x612f0:$str_b13: StartForward
  • 0x61310:$str_b14: StopForward
  • 0x60dd8:$str_b15: fso.DeleteFile "
  • 0x60d6c:$str_b16: On Error Resume Next
  • 0x60e08:$str_b17: fso.DeleteFolder "
  • 0x602b4:$str_b18: Uploaded file:
  • 0x60274:$str_b19: Unable to delete:
  • 0x60da0:$str_b20: while fso.FileExists("
  • 0x60749:$str_c0: [Firefox StoredLogins not found]