852rat_c1bc60587353e61f9ed04b1269eb0afb_jpg_2019-09-03_18_30.txt

1.  
2. * ID: 852
3. * MalFamily: "Remcos"
4.  
5. * MalScore: 10.0
6.  
7. * File Name: "rat_c1bc60587353e61f9ed04b1269eb0afb.jpg"
8. * File Size: 1064960
9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10. * SHA256: "fa9a94b32f7fa1e1e3eef63d3fb9003fda8d295e1f1a3e521691725e4c7da9f3"
11. * MD5: "c1bc60587353e61f9ed04b1269eb0afb"
12. * SHA1: "b8fa6fbd4d3d08c2a8b89460c9e7fd4e7094d962"
13. * SHA512: "1ec653c03b257bfe1ba5fb08890d861d78bbc106fccb60668f007cfa5c28765eaeab7ee163f63c240387bcb2c240df42f029a4fafc18be59bbba1ceaa9718e0e"
14. * CRC32: "3A83E124"
15. * SSDEEP: "12288:3Mr6y90gD5M+gpgHDEkaNr4KhhbRG+0nrjrl+5cPFSqE+2Oy:Ny1adpylaVy+mZ+CMqE+25"
16.  
17. * Process Execution:
18. "jMSZCRubR.exe",
19. "REMCOS~4.EXE",
20. "FO.exe",
21. "explorer.exe"
22.  
23.  
24. * Executed Commands:
25. "C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\REMCOS~4.EXE",
26. "\"C:\\Users\\user\\Jos5\\FO.exe\"",
27. "C:\\Users\\user\\Jos5\\FO.exe "
28.  
29.  
30. * Signatures Detected:
31.  
32. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
33. "Details":
34.  
35.  
36. "Description": "Behavioural detection: Executable code extraction",
37. "Details":
38.  
39.  
40. "Description": "Possible date expiration check, exits too soon after checking local time",
41. "Details":
42.  
43. "process": "REMCOS~4.EXE, PID 2228"
44.  
45.  
46.  
47.  
48. "Description": "A process attempted to delay the analysis task.",
49. "Details":
50.  
51. "Process": "FO.exe tried to sleep 694 seconds, actually delayed analysis time by 0 seconds"
52.  
53.  
54.  
55.  
56. "Description": "Reads data out of its own binary image",
57. "Details":
58.  
59. "self_read": "process: REMCOS~4.EXE, pid: 2228, offset: 0x00000000, length: 0x17e2f401"
60.  
61.  
62.  
63.  
64. "Description": "Installs itself for autorun at Windows startup",
65. "Details":
66.  
67. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0"
68.  
69.  
70. "data": "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\\""
71.  
72.  
73. "file": "C:\\Windows\\win.ini"
74.  
75.  
76. "file": "C:\\Windows\\win.ini"
77.  
78.  
79.  
80.  
81. "Description": "CAPE detected the Remcos malware family",
82. "Details":
83.  
84.  
85. "Description": "File has been identified by 14 Antiviruses on VirusTotal as malicious",
86. "Details":
87.  
88. "FireEye": "Generic.mg.c1bc60587353e61f"
89.  
90.  
91. "Cylance": "Unsafe"
92.  
93.  
94. "Cybereason": "malicious.d4d3d0"
95.  
96.  
97. "Invincea": "heuristic"
98.  
99.  
100. "APEX": "Malicious"
101.  
102.  
103. "F-Secure": "Trojan.TR/Dropper.Gen"
104.  
105.  
106. "Paloalto": "generic.ml"
107.  
108.  
109. "Jiangmin": "Trojan-PSW.Azorult.b"
110.  
111.  
112. "Avira": "TR/Dropper.Gen"
113.  
114.  
115. "Antiy-AVL": "TrojanArcBomb/Win32.Agent"
116.  
117.  
118. "Endgame": "malicious (moderate confidence)"
119.  
120.  
121. "Ikarus": "Trojan-Spy.Agent"
122.  
123.  
124. "AVG": "FileRepMetagen Malware"
125.  
126.  
127. "Qihoo-360": "HEUR/QVM20.1.A4BB.Malware.Gen"
128.  
129.  
130.  
131.  
132. "Description": "Drops a binary and executes it",
133. "Details":
134.  
135. "binary": "C:\\Users\\user\\Jos5\\FO.exe"
136.  
137.  
138. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\REMCOS~4.EXE"
139.  
140.  
141.  
142.  
143. "Description": "Created network traffic indicative of malicious activity",
144. "Details":
145.  
146. "signature": "ET TROJAN Remcos RAT Checkin 23"
147.  
148.  
149.  
150.  
151.  
152. * Started Service:
153.  
154. * Mutexes:
155. "CicLoadWinStaWinSta0",
156. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
157. "Remcos_Mutex_Inj",
158. "Remcos-HW1SL4"
159.  
160.  
161. * Modified Files:
162. "C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\TMP4351$.TMP",
163. "C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\REMCOS~4.EXE",
164. "C:\\Users\\user\\AppData\\Local\\Temp\\~DFEC39AEC1DFCAC8A6.TMP",
165. "C:\\Windows\\win.ini",
166. "C:\\Users\\user\\Jos5\\FO.exe",
167. "C:\\Users\\user\\Jos5\\FO.vbs",
168. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF9B99B0324A132D3A.TMP"
169.  
170.  
171. * Deleted Files:
172. "C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP",
173. "C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\REMCOS~4.EXE",
174. "C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\"
175.  
176.  
177. * Modified Registry Keys:
178. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
179. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
180. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
181. "HKEY_CURRENT_USER\\Software\\Remcos-HW1SL4\\",
182. "HKEY_CURRENT_USER\\Software\\Remcos-HW1SL4\\exepath",
183. "HKEY_CURRENT_USER\\Software\\Remcos-HW1SL4\\licence"
184.  
185.  
186. * Deleted Registry Keys:
187. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0"
188.  
189.  
190. * DNS Communications:
191.  
192. * Domains:
193.  
194. * Network Communication - ICMP:
195.  
196. * Network Communication - HTTP:
197.  
198. * Network Communication - SMTP:
199.  
200. * Network Communication - Hosts:
201.  
202. "country_name": "Ukraine",
203. "ip": "37.19.193.217",
204. "inaddrarpa": "",
205. "hostname": ""
206.  
207.  
208.  
209. * Network Communication - IRC: