Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 882705
MD5: 58a91896eaf6efe03ffe6ebb7b731792
SHA1: e3ec7807b22e91e887dd1bc752c426041607216f
SHA256: dc984e3a8de291d49bab5940b8f8047d2a7d8f0dab4231342c36edcee9cbb92e
Tags: NET, exe, MSIL, x64, zgRAT

Detection

Remcos, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected UAC Bypass using CMSTP
Contains functionality to bypass UAC (CMSTPLUA)
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Sigma detected: Remcos
Writes to foreign memory regions
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Machine Learning detection for sample
Allocates memory in foreign processes
Contains functionality to modify clipboard data
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Contains functionality to steal Chrome passwords or cookies
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Binary contains a suspicious time stamp
Contains functionality to retrieve information about pressed keystrokes
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • file.exe (PID: 3852 cmdline: C:\Users\user\Desktop\file.exe MD5: 58A91896EAF6EFE03FFE6EBB7B731792)
    • aspnet_compiler.exe (PID: 6780 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • aspnet_compiler.exe (PID: 6768 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • aspnet_compiler.exe (PID: 5828 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • aspnet_compiler.exe (PID: 5796 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: zgRAT
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
{"Host:Port:Password": "127.0.0.1:55433:1185.65.134.166:55433:110.11.0.5:55433:145.128.234.54:55433:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-UQ90W9", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}
Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
file.exe | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x33851:$s1: file:///
  • 0x337ad:$s2: {11111-22222-10009-11112}
  • 0x337e1:$s3: {11111-22222-50001-00000}
  • 0x2f33d:$s4: get_Module
  • 0x2ba2e:$s5: Reverse
  • 0x2baeb:$s6: BlockCopy
  • 0x2c1ba:$s7: ReadByte
  • 0x33865:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Source | Rule | Description | Author | Strings
00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x643b8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6434c:$s1: CoGetObject
  • 0x64360:$s1: CoGetObject
  • 0x6437c:$s1: CoGetObject
  • 0x6e15e:$s1: CoGetObject
  • 0x6430c:$s2: Elevation:Administrator!new:
00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6a470:$a1: Remcos restarted by watchdog!
  • 0x6a9d4:$a3: %02i:%02i:%02i:%03i
Source | Rule | Description | Author | Strings
4.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
4.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
4.2.aspnet_compiler.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x633b8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6334c:$s1: CoGetObject
  • 0x63360:$s1: CoGetObject
  • 0x6337c:$s1: CoGetObject
  • 0x6d15e:$s1: CoGetObject
  • 0x6330c:$s2: Elevation:Administrator!new:
4.2.aspnet_compiler.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x69470:$a1: Remcos restarted by watchdog!
  • 0x699d4:$a3: %02i:%02i:%02i:%03i
4.2.aspnet_compiler.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x634c4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63440:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63440:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63938:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x64168:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x63534:$str_b2: Executing file:
  • 0x645b4:$str_b3: GetDirectListeningPort
  • 0x63f58:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x640d8:$str_b7: \update.vbs
  • 0x6355c:$str_b9: Downloaded file:
  • 0x63548:$str_b10: Downloading file:
  • 0x635ec:$str_b12: Failed to upload file:
  • 0x6457c:$str_b13: StartForward
  • 0x6459c:$str_b14: StopForward
  • 0x64030:$str_b15: fso.DeleteFile "
  • 0x63fc4:$str_b16: On Error Resume Next
  • 0x64060:$str_b17: fso.DeleteFolder "
  • 0x635dc:$str_b18: Uploaded file:
  • 0x6359c:$str_b19: Unable to delete:
  • 0x63ff8:$str_b20: while fso.FileExists("
  • 0x63a71:$str_c0: [Firefox StoredLogins not found]

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: B8 44 BD 83 D8 99 C8 1A 1F B1 2D B6 25 A1 5D 8A 03 5A B2 9B E4 8C 13 84 AA 33 63 EB 80 AF 7A 48 CB F5 21 D2 59 12 53 78 41 FD 3C 3E FC E0 99 D2 EF C8 AE 2A AB A8 F5 EF FE 5B F1 7F 36 AD 4B 29 AC 6A 0B 2C 7E 19 B1 0F E4 48 4F A9 3D 87 DA 03 93 BB 9F DA ED 8E A0 DD CC E5 F1 B7 02 19 23 C1 63 53 44 B9 17 19 14 64 43 E6 AD BC 04 35 F1 20 6B 9F 4E B8 0E 8E 0E 69 39 51 E0 75 1C BD 62 DC C2 F7 D3 DD, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 5796, TargetObject: HKEY_CURRENT_USER\Software\Rmc-UQ90W9\exepath
No Snort rule has matched

AV Detection

Source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "127.0.0.1:55433:1185.65.134.166:55433:110.11.0.5:55433:145.128.234.54:55433:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-UQ90W9", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}
Source: file.exe | ReversingLabs: Detection: 35%
Source: file.exe | Virustotal: Detection: 46%
Source: Yara match | File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_00432142 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,
Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_00406B71 _wcslen,CoGetObject,
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: CEMENT.pdb | source: file.exe, 00000000.00000002.567234773.00000177EB320000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.564438533.000001778003B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: NBNNhH873.pdb | source: file.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_0044D0F9 FindFirstFileExA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_0040B0AA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_0040B2B1 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_00418650 FindFirstFileW,FindNextFileW,FindNextFileW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_0040B8C7 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_00408909 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_0041AC0A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_00408D1B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_00407E80 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_00406EB0 FindFirstFileW,FindNextFileW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_0040730B SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

Networking

Source: Malware configuration extractor | URLs: 127.0.0.1
Source: Joe Sandbox View | ASN Name: ESAB-ASSE
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: global traffic | TCP traffic: 192.168.2.4:49693 -> 185.65.134.166:55433
Source: global traffic | TCP traffic: 192.168.2.4:49698 -> 45.128.234.54:55433
Source: unknown | TCP traffic detected without corresponding DNS query: 185.65.134.166
Source: unknown | TCP traffic detected without corresponding DNS query: 185.65.134.166
Source: unknown | TCP traffic detected without corresponding DNS query: 185.65.134.166
Source: unknown | TCP traffic detected without corresponding DNS query: 45.128.234.54
Source: unknown | TCP traffic detected without corresponding DNS query: 45.128.234.54
Source: unknown | TCP traffic detected without corresponding DNS query: 45.128.234.54
Source: unknown | TCP traffic detected without corresponding DNS query: 45.128.234.54
Source: unknown | TCP traffic detected without corresponding DNS query: 45.128.234.54
Source: unknown | TCP traffic detected without corresponding DNS query: 45.128.234.54
Source: unknown | TCP traffic detected without corresponding DNS query: 45.128.234.54
Source: unknown | TCP traffic detected without corresponding DNS query: 45.128.234.54
Source: unknown | TCP traffic detected without corresponding DNS query: 45.128.234.54
Source: unknown | TCP traffic detected without corresponding DNS query: 45.128.234.54
Source: unknown | TCP traffic detected without corresponding DNS query: 45.128.234.54
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/j
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp1
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp2C9DCABD6423689A465F00D4F
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpESS
Source: aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpf
Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gples8
Source: aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gprol
Source: unknown | DNS traffic detected: queries for: geoplugin.net
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_004255BC recv,
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_004099E3 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 4_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

E-Banking Fraud

Source: Yara match | File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR

System Summary

Source: file.exe, type: SAMPLE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.file.exe.177e97b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.177e97b0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: file.exe, type: SAMPLE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.file.exe.177e97b0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.177e97b0000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FF814F23AAA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00437040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004361CE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004131DA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0044C249
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00432251
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00426351
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0041C46D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004264BA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00436603
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0043C76D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00425719
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00434731
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004358BA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004529D9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0043C99C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0041DA05
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00436A38
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00444AF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0043CBCB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00451BAB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00425CA8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00435DB6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0043CE28
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 0043307B appears 41 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00402073 appears 50 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00433700 appears 54 times
              Source: file.exeStatic PE information: No import functions for PE file found
              Source: file.exe, 00000000.00000002.567234773.00000177EB320000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
              Source: file.exe, 00000000.00000002.566970526.00000177E991C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
              Source: file.exe, 00000000.00000002.566934362.00000177E9842000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNBNNhH873.exe4 vs file.exe
              Source: file.exe, 00000000.00000002.564438533.000001778003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
              Source: file.exeBinary or memory string: OriginalFilenameNBNNhH873.exe4 vs file.exe
              Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: file.exeReversingLabs: Detection: 35%
              Source: file.exeVirustotal: Detection: 46%
              Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00416840 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,
              Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.logJump to behavior
              Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@9/2@1/5
              Source: file.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
              Source: C:\Users\user\Desktop\file.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004195A5 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0040E991 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CreateMutexA,CloseHandle,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-UQ90W9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0041A003 FindResourceA,LoadResource,LockResource,SizeofResource,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: CEMENT.pdb source: file.exe, 00000000.00000002.567234773.00000177EB320000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.564438533.000001778003B000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: NBNNhH873.pdb source: file.exe

              Data Obfuscation

              barindex
              Source: file.exe, JLcALfheHFNKcZnPLt/EP1EGhU66g5S5M02Ye.cs -- .Net Code: Ref8At7ZI System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: file.exe, rU0ptD4llTJ1hV0R3g/X0fs42yqQa7Qy1FGHk.cs -- .Net Code: X0fs42yqQa7Qy1FGHk.rA1j5nF0vJo1tmjB8Xu(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), X0fs42yqQa7Qy1FGHk.rA1j5nF0vJo1tmjB8Xu(typeof(Type).TypeHandle) })
              Source: C:\Users\user\Desktop\file.exe -- Code function: 0_2_00000177E97B2C75 push FFFFFFBAh; iretd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00456328 push eax; ret
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0045C51D push esi; ret
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00433746 push ecx; ret
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00455A06 push ecx; ret
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,
              Source: file.exe -- Static PE information: 0xEACDEA53 [Sun Oct 31 11:36:51 2094 UTC]
              Source: initial sample -- Static PE information: section name: .text entropy: 7.511239938683684
              Source: file.exe, c2VdCkcfuulLVd3JSVN/dMdjZgcZKPfS5AC2lDf.cs -- High entropy of concatenated method names: 'WcocIY8WWi', 'KHTcmWEX8l', 'ReIcHq3C21', 'rtAc6rInaP', 'SCxcOUCgho', 'HRxcCvZRpO', 'Ce4cNESpOo', '.ctor', '.cctor', 'B49EjuYwa6e1tR1hSn7'
              Source: file.exe, rU0ptD4llTJ1hV0R3g/X0fs42yqQa7Qy1FGHk.cs -- High entropy of concatenated method names: '.cctor', 'X1reT73iit', 'Au7kmKk34', 'grrJKvsrg', 'RLK0bfYJn', 'MrGifVCYO', 'y84SWi6la', 'xJLo4XVgE', 'AlD1yfQTm', '.ctor'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00406524 ShellExecuteW,URLDownloadToFileW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_004195A5 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,
              Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Process information set: NOOPENFILEERRORBOX
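The static facts listed in this section (a compile timestamp in 2094, a .text section with 7.51 bits/byte of entropy, a CLR data directory, no import table, and the HIGH_ENTROPY_VA/DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE flags) are what a pre-execution triage pass extracts from the headers. The Python below is an added example, not code from the Joe Sandbox report or from the sample; it parses the PE headers by hand and reports those indicators. Because the sample itself is not available here, it builds a constructed PE32+ stand-in that carries the same traits; the entropy threshold of 7.0 and the data-directory indices are my assumptions.

```python
import math
import random
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* flag names, values from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMPORT_DIR, COM_DESCRIPTOR_DIR = 1, 14   # data directory indices (IMAGE_DIRECTORY_ENTRY_*)
ENTROPY_THRESHOLD = 7.0                  # assumed cut-off above which a section looks packed/encrypted

def shannon_entropy(buf):
    """Shannon entropy in bits per byte: 0.0 for empty input, close to 8.0 for random data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_pe(data, now=None):
    """Parse DOS/COFF/optional/section headers and return the static indicators."""
    now = now or datetime.now(timezone.utc)
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:        # PE32+: directories start at +112, NumberOfRvaAndSizes at +108
        dirs_off, ndirs_off = opt + 112, opt + 108
    elif magic == 0x10B:      # PE32: directories at +96, NumberOfRvaAndSizes at +92
        dirs_off, ndirs_off = opt + 96, opt + 92
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics, +70 in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    def directory(i):
        return struct.unpack_from("<II", data, dirs_off + 8 * i) if i < ndirs else (0, 0)

    sections = []
    for i in range(nsec):
        name, _, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": va, "characteristics": chars,
                         "entropy": round(shannon_entropy(data[raw_ptr:raw_ptr + raw_size]), 3)})
    timestamp = datetime.fromtimestamp(ts, tz=timezone.utc)
    result = {
        "machine": machine,
        "timestamp": timestamp,
        "future_timestamp": timestamp > now,
        "managed": directory(COM_DESCRIPTOR_DIR)[1] != 0,   # CLR header present => .NET image
        "has_imports": directory(IMPORT_DIR)[1] != 0,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dllchar & bit],
        "sections": sections,
        "findings": [],
    }
    if result["future_timestamp"]:
        result["findings"].append("compile timestamp %s lies in the future" % timestamp.isoformat())
    for s in sections:
        if s["entropy"] > ENTROPY_THRESHOLD:
            result["findings"].append("section %s has entropy %.2f" % (s["name"], s["entropy"]))
    if not result["has_imports"]:
        result["findings"].append("no import table")
    if result["managed"]:
        result["findings"].append("CLR header present: managed (.NET) image")
    return result

def build_sample_pe(timestamp=0xEACDEA53, seed=1):
    """Constructed PE32+ stand-in with the report's static traits; this is not the analysed sample."""
    rng = random.Random(seed)
    text = bytes(rng.getrandbits(8) for _ in range(4096))   # pseudo-random bytes => high entropy
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                     # PE32+ optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x140000000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, 512)                     # SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, 0x8560)              # GUI subsystem; the five DllCharacteristics flags above
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * COM_DESCRIPTOR_DIR, 0x2000, 0x48)  # non-empty CLR directory
    section = struct.pack("<8sIIIIIIHHI", b".text", 4096, 0x1000, 4096, 512, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(512, b"\0") + text

if __name__ == "__main__":
    report = triage_pe(build_sample_pe())
    print("timestamp:", report["timestamp"], "(in the future)" if report["future_timestamp"] else "")
    print("dll characteristics:", ", ".join(report["dll_characteristics"]))
    for s in report["sections"]:
        print("section %-8s rva=0x%x entropy=%.3f" % (s["name"], s["rva"], s["entropy"]))
    for f in report["findings"]:
        print("finding:", f)
```

A future timestamp on its own only says the field was not written by the linker that built the code; combined with a single high-entropy code section, no imports and a CLR header it is the usual profile of a .NET loader that carries its real payload as an encrypted blob and unpacks it with Assembly.Load(byte[]), which is what the ".Net Code" lines in this section show.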

              Malware Analysis System Evasion

              barindex
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0040ECEA Sleep,ExitProcess,
              Source: C:\Users\user\Desktop\file.exe TID: 5464 -- Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 944 -- Thread sleep count: 176 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 944 -- Thread sleep time: -88000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Last function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Last function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,
              Source: C:\Users\user\Desktop\file.exe -- Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\file.exe -- Process information queried: ProcessInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0044D0F9 FindFirstFileExA,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0040B0AA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0040B2B1 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00418650 FindFirstFileW,FindNextFileW,FindNextFileW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0040B8C7 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00408909 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0041AC0A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00408D1B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00407E80 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00406EB0 FindFirstFileW,FindNextFileW,
              Source: C:\Users\user\Desktop\file.exe -- Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0040730B SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- API call chain: ExitProcess graph end node
              Source: file.exe, 00000000.00000002.564591902.00000177920B6000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: HgfsSa/7Mz4
              Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: %bl%HgfsSa/7Mz4AIvfRNmLk/Cs/YU5W
              Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: %bVHgfsSa/7Mz4AIvfRNmLk/Cs/YU5W
              Source: aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: %bl%HgfsSa/7Mz4
              Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW`
              Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: %bVHgfsSa/7Mz4AIvfRNmLk/Cs/YU5WBLrwdvF/nOMbOXnxggMpO2I4rdwEEEPuX43KdCEpLr8hfjnvbzKgncgEFnjBxtlFg4TfjKuZ4Cr/qhLBl/Kscx8p3EhZQxAe2rApE/tcOjHfPhRncUf4Rk3/wAyaUcppDB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00433304 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00411241 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,
              Source: C:\Users\user\Desktop\file.exe -- Process token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00441B85 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\file.exe -- Memory allocated: page read and write | page guard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00433452 SetUnhandledExceptionFilter,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00433304 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0043A3F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_004338CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
              Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
              Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 457000
              Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 46F000
              Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 475000
              Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 476000
              Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 477000
              Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 47C000
              Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: B04008
              Source: C:\Users\user\Desktop\file.exe -- Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
              Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00418186 mouse_event,
              Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000F32000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: program managerW9\
              Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: |Program Manager|
              Source: C:\Users\user\Desktop\file.exe -- Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: GetLocaleInfoW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: EnumSystemLocalesW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: EnumSystemLocalesW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: EnumSystemLocalesW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: GetLocaleInfoW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: EnumSystemLocalesW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: GetLocaleInfoW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: GetLocaleInfoA,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0043354D cpuid
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00404F31 GetLocalTime,CreateEventA,CreateThread,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_00447A10 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 4_2_0041A168 GetUserNameW,
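The memory events above are the textbook process-hollowing sequence: the .NET loader spawns a legitimate, argument-less Microsoft binary (aspnet_compiler.exe), allocates an execute+write region at its image base 0x400000, writes a fresh PE header (4D5A) there, then fills the remaining sections and resumes the child, which afterwards creates the "Rmc-UQ90W9" mutant. The Python below is an added example, not part of the Joe Sandbox report, showing how such sandbox or EDR events can be correlated into a single verdict rather than three unrelated alerts. The event schema, the path regexes and the "Rmc-" mutant pattern are assumptions; the PIDs, paths, base address and mutant name are copied from this report, and the "Vendor" updater events are constructed as a negative control.

```python
import re

# Constructed sandbox-style events. PIDs 3852/5796, the image paths, the 0x400000
# base and the mutant name are taken from this report; the updater.exe/helper.exe
# rows are invented benign events so the rules have something to ignore.
EVENTS = [
    {"op": "process_create", "pid": 3852, "image": r"C:\Users\user\Desktop\file.exe",
     "target_pid": 5796, "target": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"},
    {"op": "remote_alloc", "pid": 3852, "target_pid": 5796, "base": 0x400000,
     "protect": "page execute and read and write"},
    {"op": "remote_write", "pid": 3852, "target_pid": 5796, "base": 0x400000, "data": b"MZ\x90\x00\x03\x00"},
    {"op": "remote_write", "pid": 3852, "target_pid": 5796, "base": 0x401000, "data": b"\x55\x8b\xec\x83"},
    {"op": "mutex_create", "pid": 5796, "name": r"\Sessions\1\BaseNamedObjects\Rmc-UQ90W9"},
    # negative control: an installed application starting its helper with arguments
    {"op": "process_create", "pid": 1200, "image": r"C:\Program Files\Vendor\updater.exe",
     "target_pid": 1300, "target": r"C:\Program Files\Vendor\helper.exe",
     "cmdline": r'"C:\Program Files\Vendor\helper.exe" --check-updates'},
    {"op": "mutex_create", "pid": 1300, "name": r"\Sessions\1\BaseNamedObjects\VendorUpdaterSingleInstance"},
]

# Assumed path classes: where unprivileged users can drop files, and the OS image directory.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\", re.I)
# Mutant naming observed in this report ("Rmc-" + alphanumerics); treating it as a family pattern is an assumption.
REMCOS_MUTEX = re.compile(r"\\Rmc-[A-Za-z0-9]+$")

def has_arguments(cmdline, image):
    """True unless the command line is nothing but the image path (quoted or not)."""
    return cmdline.strip().strip('"').lower() != image.lower()

def analyse(events):
    """Walk the event stream in order and emit one alert per suspicious observation."""
    alerts = []
    children = {}        # (parent_pid, child_pid) -> child image path
    rwx_regions = set()  # (writer_pid, target_pid, base) allocated execute+write by the writer
    for ev in events:
        op = ev["op"]
        if op == "process_create":
            children[(ev["pid"], ev["target_pid"])] = ev["target"]
            if (USER_WRITABLE.match(ev["image"]) and SYSTEM_DIR.match(ev["target"])
                    and not has_arguments(ev["cmdline"], ev["target"])):
                alerts.append({"rule": "system_binary_spawned_without_args_from_user_path",
                               "pid": ev["pid"], "target_pid": ev["target_pid"], "target": ev["target"]})
        elif op == "remote_alloc":
            prot = ev["protect"].lower()
            if "execute" in prot and "write" in prot:
                rwx_regions.add((ev["pid"], ev["target_pid"], ev["base"]))
        elif op == "remote_write":
            if ev["data"][:2] == b"MZ":   # a PE header landing in another process's memory
                key = (ev["pid"], ev["target_pid"])
                alerts.append({"rule": "pe_header_written_into_remote_process",
                               "pid": ev["pid"], "target_pid": ev["target_pid"], "base": ev["base"],
                               "target": children.get(key, "<not spawned by writer>"),
                               "rwx_backed": (ev["pid"], ev["target_pid"], ev["base"]) in rwx_regions})
        elif op == "mutex_create":
            if REMCOS_MUTEX.search(ev["name"]):
                alerts.append({"rule": "remcos_style_mutant_name", "pid": ev["pid"], "name": ev["name"]})
    return alerts

def hollowing_pairs(alerts):
    """(parent, child) pairs where a freshly spawned child received a PE header into RWX memory."""
    spawned = {(a["pid"], a["target_pid"]) for a in alerts
               if a["rule"] == "system_binary_spawned_without_args_from_user_path"}
    written = {(a["pid"], a["target_pid"]) for a in alerts
               if a["rule"] == "pe_header_written_into_remote_process" and a["rwx_backed"]}
    return sorted(spawned & written)

if __name__ == "__main__":
    found = analyse(EVENTS)
    for a in found:
        print(a)
    print("process hollowing pairs:", hollowing_pairs(found))
```

The combination matters more than any single rule: an argument-less aspnet_compiler.exe started from a user profile is unusual but not conclusive, a remote PE write is strong on its own, and the two together from the same parent/child pair are what this report's "Writes to foreign memory regions", "Allocates memory in foreign processes" and "Injects a PE file into a foreign processes" signatures describe.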

              Stealing of Sensitive Information

              barindex
              Source: Yara match -- File source: file.exe, type: SAMPLE
              Source: Yara match -- File source: 0.0.file.exe.177e97b0000.0.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 0.2.file.exe.177e97b0000.3.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR
              Source: Yara match -- File source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: \key3.db
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

              Remote Access Functionality

              barindex
              Source: Yara match -- File source: file.exe, type: SAMPLE
              Source: Yara match -- File source: 0.0.file.exe.177e97b0000.0.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 0.2.file.exe.177e97b0000.3.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR
              Source: Yara match -- File source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: cmd.exe
              MITRE ATT&CK Matrix (the number in front of a technique is the signature count badge shown in the report; one row per matrix row, columns left to right)

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | 1 Native API | 1 Windows Service | 1 Bypass User Access Control | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 12 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | 1 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 11 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 11 Input Capture | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Windows Service | 3 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 12 Clipboard Data | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | 322 Process Injection | 22 Software Packing | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 33 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | 12 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Bypass User Access Control | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
              External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Masquerading | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 21 Virtualization/Sandbox Evasion | Proc Filesystem | 3 Process Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
              Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
              Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 322 Process Injection | Network Sniffing | 1 Remote System Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |
              Source | Detection | Scanner | Label | Link
              file.exe | 35% | ReversingLabs | Win64.Trojan.Cerbu |
              file.exe | 46% | Virustotal | | Browse
              file.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              geoplugin.net | 1% | Virustotal | | Browse
              Source | Detection | Scanner | Label | Link
              http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
              http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
              http://geoplugin.net/json.gples8 | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
              http://geoplugin.net/j | 0% | URL Reputation | safe |
              http://geoplugin.net/json.gp2C9DCABD6423689A465F00D4F | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gp1 | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gprol | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gpESS | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gpf | 0% | Avira URL Cloud | safe |
              127.0.0.1 | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gpf | 0% | Virustotal | | Browse
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              geoplugin.net | 178.237.33.50 | true | false | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              http://geoplugin.net/json.gp | false | URL Reputation: safe; URL Reputation: safe | unknown
              127.0.0.1 | true | Avira URL Cloud: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://geoplugin.net/json.gples8 | aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gprol | aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gp1 | aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gp2C9DCABD6423689A465F00D4F | aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gpf | aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gp/C | file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://geoplugin.net/json.gpESS | aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/j | aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
              185.65.134.166 | unknown | Sweden | | 39351 | ESAB-ASSE | true
              178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
              45.128.234.54 | unknown | United Kingdom | | 208861 | RACKTECHRU | true
              IP
              10.11.0.5
              127.0.0.1
              Joe Sandbox Version:37.1.0 Beryl
              Analysis ID:882705
              Start date and time:2023-06-06 17:16:58 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 9m 50s
              Hypervisor based Inspection enabled:false
              Report type:light
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of new started processes analysed:5
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample file name:file.exe
              Detection:MAL
              Classification:mal100.troj.spyw.expl.evad.winEXE@9/2@1/5
              EGA Information:
              • Successful, ratio: 50%
              HDC Information:
              • Successful, ratio: 83.7% (good quality ratio 79.2%)
              • Quality average: 83.6%
              • Quality standard deviation: 26.6%
              HCA Information:
              • Successful, ratio: 71%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
              • Execution Graph export aborted for target file.exe, PID 3852 because it is empty
              • Report size getting too big, too many NtQueryValueKey calls found.
              No simulations
              No context
              Process:C:\Users\user\Desktop\file.exe
              File Type:CSV text
              Category:dropped
              Size (bytes):226
              Entropy (8bit):5.354940450065058
              Encrypted:false
              SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
              MD5:B10E37251C5B495643F331DB2EEC3394
              SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
              SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
              SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
              Malicious:true
              Reputation:high, very likely benign file
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              File Type:JSON data
              Category:dropped
              Size (bytes):944
              Entropy (8bit):4.990870805423288
              Encrypted:false
              SSDEEP:12:tkEI7nd6CsGkMyGWKyMPVGADRPrmai+H0mGdAPORkoao9W7im51w7CSD9pF6RjSu:qHdRNuKyM8kzst7266m7RJaCo
              MD5:F415E2ACABAFB737E34EA7C1A7E9AE08
              SHA1:6CFEF6515535A0D3820C8F9B0C1882DC0D47F808
              SHA-256:97ABDE670EC722AA8D24DBB5DCA416ECF3AFC766FD627A4831E00E52855435D1
              SHA-512:B8DDB221554A642E08539C8E63D916773C26D37078AC3B4E3A96CA54C7F4391349FFD069E8B01C820B8E0D7968EE21CAF24AFFD07EA40B208214C68530BEB5E9
              Malicious:false
              Preview:{. "geoplugin_request":"102.129.143.77",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Hunenberg",. "geoplugin_region":"Zug",. "geoplugin_regionCode":"ZG",. "geoplugin_regionName":"Zug",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"",. "geoplugin_countryCode":"CH",. "geoplugin_countryName":"Switzerland",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"EU",. "geoplugin_continentName":"Europe",. "geoplugin_latitude":"47.173",. "geoplugin_longitude":"8.4204",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"Europe\/Zurich",. "geoplugin_currencyCode":"CHF",. "geoplugin_currencySymbol":"CHF",. "geoplugin_currencySymbol_UTF8":"CHF",. "geoplugin_currencyConverter":0.9045.}
              File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.504178499744059
              TrID:
              • Win64 Executable GUI Net Framework (217006/5) 49.88%
              • Win64 Executable GUI (202006/5) 46.43%
              • Win64 Executable (generic) (12005/4) 2.76%
              • Generic Win/DOS Executable (2004/3) 0.46%
              • DOS Executable Generic (2002/1) 0.46%
              File name:file.exe
              File size:585216
              MD5:58a91896eaf6efe03ffe6ebb7b731792
              SHA1:e3ec7807b22e91e887dd1bc752c426041607216f
              SHA256:dc984e3a8de291d49bab5940b8f8047d2a7d8f0dab4231342c36edcee9cbb92e
              SHA512:9c764a0ec4d5f628fe998d90836fe39b2e112ebb21dc97e323c5ef0e50d6790ed36b5d89609c4aa4be2a5aaf6f4859e6e5a70150ce8b446868189417d9dffc23
              SSDEEP:12288:OBm+u0O5pDETlQ6ocFa59nBTDvdeLu3jaLWGaGAXd:uzAgQ6Y59hDvdeLuTwK
              TLSH:CEC4BF4A776AD46ED28D673BC6C50814A7A0DD82E30BDB4630C727994D0F3A7DF0929B
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...S.................0.................. ....@...... .......................@............`...@......@............... .....
              Icon Hash:90cececece8e8eb0
              Entrypoint:0x400000
              Entrypoint Section:
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0xEACDEA53 [Sun Oct 31 11:36:51 2094 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:
              Instruction
              dec ebp
              pop edx
              nop
              add byte ptr [ebx], al
              add byte ptr [eax], al
              add byte ptr [eax+eax], al
              add byte ptr [eax], al
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x92000 | 0x5a8 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x903f2 | 0x1c | .text
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x2000 | 0x8e440 | 0x8e600 | False | 0.7875963701712028 | data | 7.511239938683684 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rsrc | 0x92000 | 0x5a8 | 0x600 | False | 0.419921875 | data | 4.123920436980398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country
              RT_VERSION | 0x920a0 | 0x31c | data | |
              RT_MANIFEST | 0x923bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jun 6, 2023 17:18:06.283744097 CEST | 49693 | 55433 | 192.168.2.4 | 185.65.134.166
              Jun 6, 2023 17:18:09.289627075 CEST | 49693 | 55433 | 192.168.2.4 | 185.65.134.166
              Jun 6, 2023 17:18:15.290169954 CEST | 49693 | 55433 | 192.168.2.4 | 185.65.134.166
              Jun 6, 2023 17:18:27.316764116 CEST | 49694 | 55433 | 192.168.2.4 | 10.11.0.5
              Jun 6, 2023 17:18:30.322700024 CEST | 49694 | 55433 | 192.168.2.4 | 10.11.0.5
              Jun 6, 2023 17:18:36.354473114 CEST | 49694 | 55433 | 192.168.2.4 | 10.11.0.5
              Jun 6, 2023 17:18:48.361797094 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
              Jun 6, 2023 17:18:48.391845942 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
              Jun 6, 2023 17:18:48.392015934 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
              Jun 6, 2023 17:18:48.413088083 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
              Jun 6, 2023 17:18:48.452032089 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
              Jun 6, 2023 17:18:48.496220112 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
              Jun 6, 2023 17:18:48.522089958 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
              Jun 6, 2023 17:18:48.536987066 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
              Jun 6, 2023 17:18:48.625186920 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
              Jun 6, 2023 17:18:48.625369072 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
              Jun 6, 2023 17:18:48.693269014 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
              Jun 6, 2023 17:18:49.297676086 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
              Jun 6, 2023 17:18:49.301040888 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
              Jun 6, 2023 17:18:49.348654032 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
              Jun 6, 2023 17:18:49.402436972 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
              Jun 6, 2023 17:18:49.540925980 CEST | 49699 | 80 | 192.168.2.4 | 178.237.33.50
              Jun 6, 2023 17:18:49.565812111 CEST | 80 | 49699 | 178.237.33.50 | 192.168.2.4
              Jun 6, 2023 17:18:49.565912008 CEST | 49699 | 80 | 192.168.2.4 | 178.237.33.50
              Jun 6, 2023 17:18:49.566293001 CEST | 49699 | 80 | 192.168.2.4 | 178.237.33.50
              Jun 6, 2023 17:18:49.598249912 CEST | 80 | 49699 | 178.237.33.50 | 192.168.2.4
              Jun 6, 2023 17:18:49.598454952 CEST | 49699 | 80 | 192.168.2.4 | 178.237.33.50
              Jun 6, 2023 17:18:49.665569067 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
              Jun 6, 2023 17:18:49.732357979 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
              Jun 6, 2023 17:18:50.597860098 CEST | 80 | 49699 | 178.237.33.50 | 192.168.2.4
              Jun 6, 2023 17:18:50.597980022 CEST | 49699 | 80 | 192.168.2.4 | 178.237.33.50
              Jun 6, 2023 17:19:07.185269117 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
              Jun 6, 2023 17:19:07.188301086 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
              Jun 6, 2023 17:19:07.265501022 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
              Jun 6, 2023 17:19:37.214919090 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
              Jun 6, 2023 17:19:37.218048096 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
              Jun 6, 2023 17:19:37.287739038 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jun 6, 2023 17:18:49.507006884 CEST | 52239 | 53 | 192.168.2.4 | 8.8.8.8
              Jun 6, 2023 17:18:49.527475119 CEST | 53 | 52239 | 8.8.8.8 | 192.168.2.4
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Jun 6, 2023 17:18:49.507006884 CEST | 192.168.2.4 | 8.8.8.8 | 0xc59a | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Jun 6, 2023 17:18:49.527475119 CEST | 8.8.8.8 | 192.168.2.4 | 0xc59a | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
              • geoplugin.net


              Target ID:0
              Start time:17:17:57
              Start date:06/06/2023
              Path:C:\Users\user\Desktop\file.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\Desktop\file.exe
              Imagebase:0x177e97b0000
              File size:585216 bytes
              MD5 hash:58A91896EAF6EFE03FFE6EBB7B731792
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              Reputation:low

              Target ID:1
              Start time:17:18:04
              Start date:06/06/2023
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Imagebase:0x60000
              File size:55400 bytes
              MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:2
              Start time:17:18:04
              Start date:06/06/2023
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Imagebase:0x250000
              File size:55400 bytes
              MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:3
              Start time:17:18:04
              Start date:06/06/2023
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Imagebase:0x420000
              File size:55400 bytes
              MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:4
              Start time:17:18:04
              Start date:06/06/2023
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Imagebase:0x890000
              File size:55400 bytes
              MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              Reputation:high

              No disassembly