Field | Value |
---|---|
Created | 2023.06.08 17:34 |
Machine | s1_win7_x6401 |
Filename | remcos_a2.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 60 detected (AIDetectMalware, Remcos, FDQO, Rescoms, Save, malicious, confidence, 100%, ZexaF, DCW@aa7aGYci, GenusT, DIZM, ABBackdoor, NMFU, Attribute, HighConfidence, Windows, score, RATX, Gencirc, Kryptik, R002C0DF523, Emogen, Static AI, Suspicious PE, ai score=87, Wacatac, Detected, BScope, unsafe, GdSda, CLASSIC, nFcse4ftzhs, susgen) |
md5 | 9aa44989b63c667ede9f25e26497c20f |
sha256 | 202577211d7d1710869244007ccb21c8fdf3140c3445481ca6e839da82fef962 |
ssdeep | 6144:h1EwL0xQk9VdeLuVnQs8QLgt8cBvnkCX/3Rde+A+DdsAOZZRXXrcN12OhX:h1EZT90uNQzYgScBvnn/XpTs/ZRdOhX |
imphash | 3f3d4ba55ce3e8f736704310c56bf5aa |
impfuzzy | 96:mKSzrmXkgLHcp+1OMeriSLhfGLLuZ57yKNUz7KgKd3YdP5uPosV:rt09rzLky58PiZw5ubV |
Signature (7cnts)
Level | Description |
---|---|
danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
info | Checks amount of memory in system |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (8cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | Network_Downloader | File Downloader | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE Remcos 3.x Unencrypted Checkin
ET MALWARE Remcos 3.x Unencrypted Server Response
ET MALWARE Remcos 3.x Unencrypted Server Response
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x4580b4 FindNextFileA
0x4580b8 ExpandEnvironmentStringsA
0x4580bc GetLongPathNameW
0x4580c0 CopyFileW
0x4580c4 GetLocaleInfoA
0x4580c8 CreateToolhelp32Snapshot
0x4580cc Process32NextW
0x4580d0 Process32FirstW
0x4580d4 VirtualProtect
0x4580d8 SetLastError
0x4580dc VirtualFree
0x4580e0 VirtualAlloc
0x4580e4 GetNativeSystemInfo
0x4580e8 HeapAlloc
0x4580ec GetProcessHeap
0x4580f0 FreeLibrary
0x4580f4 IsBadReadPtr
0x4580f8 GetTempPathW
0x4580fc OpenProcess
0x458100 OpenMutexA
0x458104 lstrcatW
0x458108 GetCurrentProcessId
0x45810c GetTempFileNameW
0x458110 GetSystemDirectoryA
0x458114 GlobalAlloc
0x458118 GlobalLock
0x45811c GetTickCount
0x458120 GlobalUnlock
0x458124 WriteProcessMemory
0x458128 ResumeThread
0x45812c GetThreadContext
0x458130 ReadProcessMemory
0x458134 CreateProcessW
0x458138 SetThreadContext
0x45813c LocalAlloc
0x458140 GlobalFree
0x458144 MulDiv
0x458148 SizeofResource
0x45814c GetConsoleScreenBufferInfo
0x458150 SetConsoleTextAttribute
0x458154 GetStdHandle
0x458158 SetFilePointer
0x45815c FindResourceA
0x458160 LockResource
0x458164 LoadResource
0x458168 LocalFree
0x45816c SetConsoleOutputCP
0x458170 FormatMessageA
0x458174 AllocConsole
0x458178 FindFirstFileA
0x45817c lstrcpynA
0x458180 QueryPerformanceFrequency
0x458184 QueryPerformanceCounter
0x458188 EnterCriticalSection
0x45818c LeaveCriticalSection
0x458190 InitializeCriticalSection
0x458194 DeleteCriticalSection
0x458198 HeapSize
0x45819c WriteConsoleW
0x4581a0 SetStdHandle
0x4581a4 SetEnvironmentVariableW
0x4581a8 SetEnvironmentVariableA
0x4581ac FreeEnvironmentStringsW
0x4581b0 GetEnvironmentStringsW
0x4581b4 GetCommandLineW
0x4581b8 GetCommandLineA
0x4581bc GetOEMCP
0x4581c0 IsValidCodePage
0x4581c4 FindFirstFileExA
0x4581c8 ReadConsoleW
0x4581cc GetConsoleMode
0x4581d0 GetConsoleCP
0x4581d4 FlushFileBuffers
0x4581d8 GetFileType
0x4581dc GetTimeZoneInformation
0x4581e0 EnumSystemLocalesW
0x4581e4 GetUserDefaultLCID
0x4581e8 IsValidLocale
0x4581ec GetTimeFormatW
0x4581f0 GetDateFormatW
0x4581f4 HeapReAlloc
0x4581f8 GetACP
0x4581fc GetModuleHandleExW
0x458200 MoveFileExW
0x458204 RtlUnwind
0x458208 RaiseException
0x45820c LoadLibraryExW
0x458210 GetCPInfo
0x458214 GetStringTypeW
0x458218 GetLocaleInfoW
0x45821c LCMapStringW
0x458220 CompareStringW
0x458224 TlsFree
0x458228 TlsSetValue
0x45822c TlsGetValue
0x458230 GetFileSize
0x458234 TerminateThread
0x458238 GetLastError
0x45823c GetModuleHandleA
0x458240 RemoveDirectoryW
0x458244 MoveFileW
0x458248 SetFilePointerEx
0x45824c GetLogicalDriveStringsA
0x458250 DeleteFileW
0x458254 CreateDirectoryW
0x458258 DeleteFileA
0x45825c SetFileAttributesW
0x458260 GetFileAttributesW
0x458264 FindClose
0x458268 lstrlenA
0x45826c GetDriveTypeA
0x458270 FindNextFileW
0x458274 GetFileSizeEx
0x458278 FindFirstFileW
0x45827c GetModuleHandleW
0x458280 ExitProcess
0x458284 CreateMutexA
0x458288 GetCurrentProcess
0x45828c GetProcAddress
0x458290 LoadLibraryA
0x458294 CreateProcessA
0x458298 PeekNamedPipe
0x45829c CreatePipe
0x4582a0 TerminateProcess
0x4582a4 ReadFile
0x4582a8 HeapFree
0x4582ac HeapCreate
0x4582b0 CreateEventA
0x4582b4 GetLocalTime
0x4582b8 CreateThread
0x4582bc SetEvent
0x4582c0 CreateEventW
0x4582c4 WaitForSingleObject
0x4582c8 Sleep
0x4582cc GetModuleFileNameW
0x4582d0 CloseHandle
0x4582d4 ExitThread
0x4582d8 CreateFileW
0x4582dc WriteFile
0x4582e0 GetModuleFileNameA
0x4582e4 TlsAlloc
0x4582e8 InitializeCriticalSectionAndSpinCount
0x4582ec MultiByteToWideChar
0x4582f0 DecodePointer
0x4582f4 EncodePointer
0x4582f8 WideCharToMultiByte
0x4582fc InitializeSListHead
0x458300 GetSystemTimeAsFileTime
0x458304 GetCurrentThreadId
0x458308 IsProcessorFeaturePresent
0x45830c GetStartupInfoW
0x458310 SetUnhandledExceptionFilter
0x458314 UnhandledExceptionFilter
0x458318 IsDebuggerPresent
0x45831c WaitForSingleObjectEx
0x458320 ResetEvent
0x458324 SetEndOfFile
USER32.dll
0x458350 GetWindowTextW
0x458354 wsprintfW
0x458358 GetClipboardData
0x45835c UnhookWindowsHookEx
0x458360 GetForegroundWindow
0x458364 ToUnicodeEx
0x458368 GetKeyboardLayout
0x45836c SetWindowsHookExA
0x458370 CloseClipboard
0x458374 OpenClipboard
0x458378 GetKeyboardState
0x45837c CallNextHookEx
0x458380 GetKeyboardLayoutNameA
0x458384 GetKeyState
0x458388 GetWindowTextLengthW
0x45838c GetWindowThreadProcessId
0x458390 GetMessageA
0x458394 SetClipboardData
0x458398 EnumWindows
0x45839c ExitWindowsEx
0x4583a0 EmptyClipboard
0x4583a4 ShowWindow
0x4583a8 SetWindowTextW
0x4583ac MessageBoxW
0x4583b0 IsWindowVisible
0x4583b4 CloseWindow
0x4583b8 SendInput
0x4583bc EnumDisplaySettingsW
0x4583c0 mouse_event
0x4583c4 CreatePopupMenu
0x4583c8 DispatchMessageA
0x4583cc TranslateMessage
0x4583d0 TrackPopupMenu
0x4583d4 DefWindowProcA
0x4583d8 CreateWindowExA
0x4583dc GetIconInfo
0x4583e0 GetSystemMetrics
0x4583e4 AppendMenuA
0x4583e8 RegisterClassExA
0x4583ec GetCursorPos
0x4583f0 SetForegroundWindow
0x4583f4 DrawIcon
0x4583f8 SystemParametersInfoW
GDI32.dll
0x458088 CreateCompatibleBitmap
0x45808c SelectObject
0x458090 CreateCompatibleDC
0x458094 StretchBlt
0x458098 GetDIBits
0x45809c DeleteDC
0x4580a0 DeleteObject
0x4580a4 CreateDCA
0x4580a8 GetObjectA
0x4580ac BitBlt
ADVAPI32.dll
0x458000 CryptAcquireContextA
0x458004 CryptGenRandom
0x458008 CryptReleaseContext
0x45800c GetUserNameW
0x458010 RegEnumKeyExA
0x458014 QueryServiceStatus
0x458018 CloseServiceHandle
0x45801c OpenSCManagerW
0x458020 OpenSCManagerA
0x458024 ControlService
0x458028 StartServiceW
0x45802c QueryServiceConfigW
0x458030 ChangeServiceConfigW
0x458034 OpenServiceW
0x458038 EnumServicesStatusW
0x45803c AdjustTokenPrivileges
0x458040 LookupPrivilegeValueA
0x458044 OpenProcessToken
0x458048 RegCreateKeyA
0x45804c RegCloseKey
0x458050 RegQueryInfoKeyW
0x458054 RegQueryValueExA
0x458058 RegCreateKeyExW
0x45805c RegEnumKeyExW
0x458060 RegSetValueExW
0x458064 RegSetValueExA
0x458068 RegOpenKeyExA
0x45806c RegOpenKeyExW
0x458070 RegCreateKeyW
0x458074 RegDeleteValueW
0x458078 RegEnumValueW
0x45807c RegQueryValueExW
0x458080 RegDeleteKeyA
SHELL32.dll
0x45832c ShellExecuteExA
0x458330 Shell_NotifyIconA
0x458334 ExtractIconA
0x458338 ShellExecuteW
ole32.dll
0x4584b0 CoInitializeEx
0x4584b4 CoUninitialize
0x4584b8 CoGetObject
SHLWAPI.dll
0x458340 PathFileExistsW
0x458344 PathFileExistsA
0x458348 StrToIntA
WINMM.dll
0x458414 waveInUnprepareHeader
0x458418 waveInOpen
0x45841c waveInStart
0x458420 waveInAddBuffer
0x458424 PlaySoundW
0x458428 mciSendStringA
0x45842c mciSendStringW
0x458430 waveInClose
0x458434 waveInStop
0x458438 waveInPrepareHeader
WS2_32.dll
0x458440 gethostbyname
0x458444 send
0x458448 WSAStartup
0x45844c closesocket
0x458450 inet_ntoa
0x458454 htons
0x458458 htonl
0x45845c getservbyname
0x458460 ntohs
0x458464 getservbyport
0x458468 gethostbyaddr
0x45846c inet_addr
0x458470 WSASetLastError
0x458474 WSAGetLastError
0x458478 recv
0x45847c connect
0x458480 socket
urlmon.dll
0x4584c0 URLOpenBlockingStreamW
0x4584c4 URLDownloadToFileW
gdiplus.dll
0x458488 GdipSaveImageToStream
0x45848c GdipGetImageEncodersSize
0x458490 GdipFree
0x458494 GdipDisposeImage
0x458498 GdipAlloc
0x45849c GdipCloneImage
0x4584a0 GdipGetImageEncoders
0x4584a4 GdiplusStartup
0x4584a8 GdipLoadImageFromStream
WININET.dll
0x458400 InternetOpenUrlW
0x458404 InternetOpenW
0x458408 InternetCloseHandle
0x45840c InternetReadFile
EAT(Export Address Table) is none