Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 882711
MD5: 66108176e22e6f9513a62c76f2185468
SHA1: a05e217104b39485fbb4ce3cda9cb65b20960ccb
SHA256: e1eb3fe18ad660415f59eaac2c768afa1b20e07f107dfc207da8b0880a888aaf
Tags: NETexeMSILRemcosRATx64
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected UAC Bypass using CMSTP
Contains functionality to bypass UAC (CMSTPLUA)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Sigma detected: Remcos
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes to foreign memory regions
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Machine Learning detection for sample
Allocates memory in foreign processes
Contains functionality to modify clipboard data
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Contains functionality to steal Chrome passwords or cookies
C2 URLs / IPs found in malware configuration
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Contains functionality to download and launch executables
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality for read data from the clipboard

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Found malware configuration
Source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "pekonomia.duckdns.org:30861:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-B0VP4N", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 24%
Source: file.exe Virustotal: Detection: 32% Perma Link
Yara detected Remcos RAT
Source: Yara match File source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: pekonomia.duckdns.org Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: pekonomia.duckdns.org Virustotal: Detection: 6% Perma Link
Source: pekonomia.duckdns.org Virustotal: Detection: 6% Perma Link
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00432142 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 2_2_00432142
Source: file.exe, 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00406B71 _wcslen,CoGetObject, 2_2_00406B71
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: CEMENT.pdb source: file.exe, 00000001.00000002.555430907.0000018FF8E60000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000001.00000002.550087026.0000018F8008D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: NBB872.pdb source: file.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0044D0F9 FindFirstFileExA, 2_2_0044D0F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0040B0AA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 2_2_0040B0AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0040B2B1 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 2_2_0040B2B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00418650 FindFirstFileW,FindNextFileW,FindNextFileW, 2_2_00418650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0040B8C7 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 2_2_0040B8C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00408909 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_00408909
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041AC0A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 2_2_0041AC0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00408D1B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_00408D1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00407E80 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 2_2_00407E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00406EB0 FindFirstFileW,FindNextFileW, 2_2_00406EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0040730B SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 2_2_0040730B

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: pekonomia.duckdns.org
Uses dynamic DNS services
Source: unknown DNS query: name: pekonomia.duckdns.org
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WOWUS WOWUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.169.69.26 192.169.69.26
Source: Joe Sandbox View IP Address: 192.169.69.26 192.169.69.26
Source: aspnet_compiler.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: file.exe, 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: unknown DNS traffic detected: queries for: pekonomia.duckdns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004255BC recv, 2_2_004255BC

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to modify clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_00415802
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_00415802
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004099E3 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 2_2_004099E3
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_00415802

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Yara signature match
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00437040 2_2_00437040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004361CE 2_2_004361CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004131DA 2_2_004131DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0044C249 2_2_0044C249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00432251 2_2_00432251
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00426351 2_2_00426351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041C46D 2_2_0041C46D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004264BA 2_2_004264BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00436603 2_2_00436603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0043C76D 2_2_0043C76D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00425719 2_2_00425719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00434731 2_2_00434731
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004358BA 2_2_004358BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004529D9 2_2_004529D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0043C99C 2_2_0043C99C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041DA05 2_2_0041DA05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00436A38 2_2_00436A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00444AF0 2_2_00444AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0043CBCB 2_2_0043CBCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00451BAB 2_2_00451BAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00425CA8 2_2_00425CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00435DB6 2_2_00435DB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0043CE28 2_2_0043CE28
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 0043307B appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00402073 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00433700 appears 54 times
PE file does not import any functions
Source: file.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000001.00000002.554923464.0000018FF8B19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000001.00000002.555430907.0000018FF8E60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
Source: file.exe, 00000001.00000002.550087026.0000018F8008D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameNBB872.exe. vs file.exe
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe ReversingLabs: Detection: 24%
Source: file.exe Virustotal: Detection: 32%
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00416840 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 2_2_00416840
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@3/1@68/1
Source: file.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\file.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004195A5 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_004195A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0040E991 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CreateMutexA,CloseHandle, 2_2_0040E991
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-B0VP4N
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041A003 FindResourceA,LoadResource,LockResource,SizeofResource, 2_2_0041A003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: CEMENT.pdb source: file.exe, 00000001.00000002.555430907.0000018FF8E60000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000001.00000002.550087026.0000018F8008D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: NBB872.pdb source: file.exe

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: file.exe, A/cfe605753591ecefb0de5afddfaa74037.cs .Net Code: c1675bf00bf077c2c9cbaa9d027c7d40f System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00456328 push eax; ret 2_2_00456346
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0045C51D push esi; ret 2_2_0045C526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00433746 push ecx; ret 2_2_00433759
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00455A06 push ecx; ret 2_2_00455A19
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, 2_2_0041B4C9
Source: initial sample Static PE information: section name: .text entropy: 7.966829562881022
Contains functionality to download and launch executables
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00406524 ShellExecuteW,URLDownloadToFileW, 2_2_00406524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004195A5 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_004195A5
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, 2_2_0041B4C9
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Delayed program exit found
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0040ECEA Sleep,ExitProcess, 2_2_0040ECEA
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 3300 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Contains functionality to enumerate running services
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 2_2_004192A3
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe API coverage: 8.9 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0044D0F9 FindFirstFileExA, 2_2_0044D0F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0040B0AA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 2_2_0040B0AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0040B2B1 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 2_2_0040B2B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00418650 FindFirstFileW,FindNextFileW,FindNextFileW, 2_2_00418650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0040B8C7 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 2_2_0040B8C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00408909 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_00408909
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041AC0A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 2_2_0041AC0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00408D1B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_00408D1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00407E80 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 2_2_00407E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00406EB0 FindFirstFileW,FindNextFileW, 2_2_00406EB0
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0040730B SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 2_2_0040730B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe API call chain: ExitProcess graph end node
Source: aspnet_compiler.exe, 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00433304 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00433304
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, 2_2_0041B4C9
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00411241 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 2_2_00411241
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00441B85 mov eax, dword ptr fs:[00000030h] 2_2_00441B85
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00433452 SetUnhandledExceptionFilter, 2_2_00433452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00433304 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00433304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0043A3F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0043A3F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_004338CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_004338CC

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 457000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 46F000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 475000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 476000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 477000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 47C000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 10E4008 Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 2_2_0041163A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Jump to behavior
Contains functionality to simulate mouse events
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00418186 mouse_event, 2_2_00418186
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: GetLocaleInfoW, 2_2_0044716D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_00450558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: EnumSystemLocalesW, 2_2_004507D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: EnumSystemLocalesW, 2_2_0045081B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: EnumSystemLocalesW, 2_2_004508B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00450943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: GetLocaleInfoW, 2_2_00450B93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: EnumSystemLocalesW, 2_2_00446C84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00450CBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: GetLocaleInfoW, 2_2_00450DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: GetLocaleInfoA, 2_2_0040EE14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00450E90
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0043354D cpuid 2_2_0043354D
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00404F31 GetLocalTime,CreateEventA,CreateThread, 2_2_00404F31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_00447A10 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 2_2_00447A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 2_2_0041A168 GetUserNameW, 2_2_0041A168

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR
Contains functionality to steal Firefox passwords or cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 2_2_0040B0AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: \key3.db 2_2_0040B0AA
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 2_2_0040AF8C

Remote Access Functionality
barindex
Yara detected Remcos RAT
Source: Yara match File source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: cmd.exe 2_2_0040567A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 882711 Sample: file.exe Startdate: 06/06/2023 Architecture: WINDOWS Score: 100 18 Multi AV Scanner detection for domain / URL 2->18 20 Found malware configuration 2->20 22 Malicious sample detected (through community Yara rule) 2->22 24 10 other signatures 2->24 6 file.exe 1 2->6         started        process3 file4 14 C:\Users\user\AppData\Local\...\file.exe.log, CSV 6->14 dropped 26 Writes to foreign memory regions 6->26 28 Allocates memory in foreign processes 6->28 30 Injects a PE file into a foreign processes 6->30 10 aspnet_compiler.exe 3 6->10         started        signatures5 process6 dnsIp7 16 pekonomia.duckdns.org 192.169.69.26, 30861, 49694, 49695 WOWUS United States 10->16 32 Contains functionality to bypass UAC (CMSTPLUA) 10->32 34 Contains functionality to steal Chrome passwords or cookies 10->34 36 Contains functionality to modify clipboard data 10->36 38 2 other signatures 10->38 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.169.69.26
 pekonomia.duckdns.org United States
23033 WOWUS true

Contacted Domains

Name IP Active
pekonomia.duckdns.org 192.169.69.26 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
pekonomia.duckdns.org true
  • 7%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown