Report - rem.exe

Tags: Browser Login Data Stealer, Generic Malware, Malicious Library, Downloader, Malicious Packer, UPX, PE File, PE32, OS Processor Check
Created 2024.05.16 09:06 Machine s1_win7_x6401
Filename rem.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 6
Behavior Score 3.2
ZERO API file : malicious
VT API (file) 64 detected (Common, Remcos, Windows, Malicious, score, RemcosIH, S31010159, GenericKD, unsafe, Save, Kryptik, Genus, Rescoms, FDQO, RATX, keikbt, CLASSIC, Siggen22, YXEC3Z, Detected, ai score=83, 1OHYAG0, SMWB, R625673, ZexaF, ECW@amUxy2pi, Genetic, UD1aXITfKmk, Static AI, Malicious PE, susgen)
md5 06f5b8dffc6c138828adbc7f29cfc7f0
sha256 03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7
ssdeep 6144:aXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNx5Gv:aX7tPMK8ctGe4Dzl4h2QnuPs/ZDIcv
imphash 8d5087ff5de35c3fbb9f212b47d63cad
impfuzzy 96:mKSzrpXI9LHcp+1OMsZiSLQfGLLuZ58KNUz7KgKd3YdP5uPosV:rAYwZzL1y5GPiZw5ubV
Signature (6cnts)

Level | Description
danger | File has been identified by 64 AntiVirus engines on VirusTotal as malicious
watch | Creates a windows hook that monitors keyboard input (keylogger)
watch | Installs itself for autorun at Windows startup
notice | A process attempted to delay the analysis task.
info | Checks amount of memory in system
info | The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (9cnts)

Level | Name | Description | Collection
danger | infoStealer_browser_b_Zero | browser info stealer | binaries (upload)
warning | Generic_Malware_Zero | Generic Malware | binaries (upload)
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload)
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload)
watch | Network_Downloader | File Downloader | binaries (upload)
watch | UPX_Zero | UPX packed file | binaries (upload)
info | IsPE32 | (no description) | binaries (upload)
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload)
info | PE_Header_Zero | PE File Signature | binaries (upload)

Network (2cnts)

Request CC ASN Co IP4 Rule ZERO
leetboy.dynuddns.net CH Simple Carrier LLC 185.196.11.252 clean
185.196.11.252 CH Simple Carrier LLC 185.196.11.252 clean

Suricata ids

IAT (Import Address Table)

KERNEL32.dll
 0x4590b4 FindNextFileA
 0x4590b8 ExpandEnvironmentStringsA
 0x4590bc GetLongPathNameW
 0x4590c0 CopyFileW
 0x4590c4 GetLocaleInfoA
 0x4590c8 CreateToolhelp32Snapshot
 0x4590cc Process32NextW
 0x4590d0 Process32FirstW
 0x4590d4 VirtualProtect
 0x4590d8 SetLastError
 0x4590dc VirtualFree
 0x4590e0 VirtualAlloc
 0x4590e4 GetNativeSystemInfo
 0x4590e8 HeapAlloc
 0x4590ec GetProcessHeap
 0x4590f0 FreeLibrary
 0x4590f4 IsBadReadPtr
 0x4590f8 GetTempPathW
 0x4590fc OpenProcess
 0x459100 OpenMutexA
 0x459104 lstrcatW
 0x459108 GetCurrentProcessId
 0x45910c GetTempFileNameW
 0x459110 UnmapViewOfFile
 0x459114 DuplicateHandle
 0x459118 CreateFileMappingW
 0x45911c MapViewOfFile
 0x459120 GetSystemDirectoryA
 0x459124 GlobalAlloc
 0x459128 GlobalLock
 0x45912c GetTickCount
 0x459130 GlobalUnlock
 0x459134 WriteProcessMemory
 0x459138 ResumeThread
 0x45913c GetThreadContext
 0x459140 ReadProcessMemory
 0x459144 CreateProcessW
 0x459148 SetThreadContext
 0x45914c LocalAlloc
 0x459150 GlobalFree
 0x459154 MulDiv
 0x459158 SizeofResource
 0x45915c QueryDosDeviceW
 0x459160 FindFirstVolumeW
 0x459164 GetConsoleScreenBufferInfo
 0x459168 SetConsoleTextAttribute
 0x45916c lstrlenW
 0x459170 GetStdHandle
 0x459174 SetFilePointer
 0x459178 FindResourceA
 0x45917c LockResource
 0x459180 LoadResource
 0x459184 LocalFree
 0x459188 FindVolumeClose
 0x45918c GetVolumePathNamesForVolumeNameW
 0x459190 lstrcpyW
 0x459194 FindFirstFileA
 0x459198 FormatMessageA
 0x45919c FindNextVolumeW
 0x4591a0 AllocConsole
 0x4591a4 lstrcmpW
 0x4591a8 GetModuleFileNameA
 0x4591ac lstrcpynA
 0x4591b0 QueryPerformanceFrequency
 0x4591b4 QueryPerformanceCounter
 0x4591b8 EnterCriticalSection
 0x4591bc LeaveCriticalSection
 0x4591c0 InitializeCriticalSection
 0x4591c4 DeleteCriticalSection
 0x4591c8 HeapSize
 0x4591cc WriteConsoleW
 0x4591d0 SetStdHandle
 0x4591d4 SetEnvironmentVariableW
 0x4591d8 SetEnvironmentVariableA
 0x4591dc FreeEnvironmentStringsW
 0x4591e0 GetEnvironmentStringsW
 0x4591e4 GetCommandLineW
 0x4591e8 GetCommandLineA
 0x4591ec GetOEMCP
 0x4591f0 IsValidCodePage
 0x4591f4 FindFirstFileExA
 0x4591f8 ReadConsoleW
 0x4591fc GetConsoleMode
 0x459200 GetConsoleCP
 0x459204 FlushFileBuffers
 0x459208 GetFileType
 0x45920c GetTimeZoneInformation
 0x459210 EnumSystemLocalesW
 0x459214 GetUserDefaultLCID
 0x459218 IsValidLocale
 0x45921c GetTimeFormatW
 0x459220 GetDateFormatW
 0x459224 HeapReAlloc
 0x459228 GetACP
 0x45922c GetModuleHandleExW
 0x459230 MoveFileExW
 0x459234 RtlUnwind
 0x459238 RaiseException
 0x45923c LoadLibraryExW
 0x459240 GetCPInfo
 0x459244 GetStringTypeW
 0x459248 GetLocaleInfoW
 0x45924c LCMapStringW
 0x459250 CompareStringW
 0x459254 TlsFree
 0x459258 TlsSetValue
 0x45925c TlsGetValue
 0x459260 GetFileSize
 0x459264 TerminateThread
 0x459268 GetLastError
 0x45926c CreateDirectoryW
 0x459270 GetModuleHandleA
 0x459274 RemoveDirectoryW
 0x459278 MoveFileW
 0x45927c SetFilePointerEx
 0x459280 GetLogicalDriveStringsA
 0x459284 DeleteFileW
 0x459288 DeleteFileA
 0x45928c SetFileAttributesW
 0x459290 GetFileAttributesW
 0x459294 FindClose
 0x459298 lstrlenA
 0x45929c GetDriveTypeA
 0x4592a0 FindNextFileW
 0x4592a4 GetFileSizeEx
 0x4592a8 FindFirstFileW
 0x4592ac GetModuleHandleW
 0x4592b0 ExitProcess
 0x4592b4 CreateMutexA
 0x4592b8 GetCurrentProcess
 0x4592bc GetProcAddress
 0x4592c0 LoadLibraryA
 0x4592c4 CreateProcessA
 0x4592c8 PeekNamedPipe
 0x4592cc CreatePipe
 0x4592d0 TerminateProcess
 0x4592d4 ReadFile
 0x4592d8 HeapFree
 0x4592dc HeapCreate
 0x4592e0 CreateEventA
 0x4592e4 GetLocalTime
 0x4592e8 CreateThread
 0x4592ec SetEvent
 0x4592f0 CreateEventW
 0x4592f4 WaitForSingleObject
 0x4592f8 Sleep
 0x4592fc GetModuleFileNameW
 0x459300 CloseHandle
 0x459304 ExitThread
 0x459308 CreateFileW
 0x45930c WriteFile
 0x459310 SetConsoleOutputCP
 0x459314 TlsAlloc
 0x459318 InitializeCriticalSectionAndSpinCount
 0x45931c MultiByteToWideChar
 0x459320 DecodePointer
 0x459324 EncodePointer
 0x459328 WideCharToMultiByte
 0x45932c InitializeSListHead
 0x459330 GetSystemTimeAsFileTime
 0x459334 GetCurrentThreadId
 0x459338 IsProcessorFeaturePresent
 0x45933c GetStartupInfoW
 0x459340 SetUnhandledExceptionFilter
 0x459344 UnhandledExceptionFilter
 0x459348 IsDebuggerPresent
 0x45934c WaitForSingleObjectEx
 0x459350 ResetEvent
 0x459354 SetEndOfFile
USER32.dll
 0x459380 GetWindowTextW
 0x459384 wsprintfW
 0x459388 GetClipboardData
 0x45938c UnhookWindowsHookEx
 0x459390 GetForegroundWindow
 0x459394 ToUnicodeEx
 0x459398 GetKeyboardLayout
 0x45939c SetWindowsHookExA
 0x4593a0 CloseClipboard
 0x4593a4 OpenClipboard
 0x4593a8 GetKeyboardState
 0x4593ac CallNextHookEx
 0x4593b0 GetKeyboardLayoutNameA
 0x4593b4 GetKeyState
 0x4593b8 GetWindowTextLengthW
 0x4593bc GetWindowThreadProcessId
 0x4593c0 GetMessageA
 0x4593c4 SetClipboardData
 0x4593c8 EnumWindows
 0x4593cc ExitWindowsEx
 0x4593d0 EmptyClipboard
 0x4593d4 ShowWindow
 0x4593d8 SetWindowTextW
 0x4593dc MessageBoxW
 0x4593e0 IsWindowVisible
 0x4593e4 CloseWindow
 0x4593e8 SendInput
 0x4593ec EnumDisplaySettingsW
 0x4593f0 mouse_event
 0x4593f4 CreatePopupMenu
 0x4593f8 DispatchMessageA
 0x4593fc TranslateMessage
 0x459400 TrackPopupMenu
 0x459404 DefWindowProcA
 0x459408 CreateWindowExA
 0x45940c GetIconInfo
 0x459410 GetSystemMetrics
 0x459414 AppendMenuA
 0x459418 RegisterClassExA
 0x45941c GetCursorPos
 0x459420 SetForegroundWindow
 0x459424 DrawIcon
 0x459428 SystemParametersInfoW
GDI32.dll
 0x459088 BitBlt
 0x45908c CreateCompatibleBitmap
 0x459090 SelectObject
 0x459094 CreateCompatibleDC
 0x459098 StretchBlt
 0x45909c GetDIBits
 0x4590a0 DeleteObject
 0x4590a4 CreateDCA
 0x4590a8 GetObjectA
 0x4590ac DeleteDC
ADVAPI32.dll
 0x459000 CryptAcquireContextA
 0x459004 CryptGenRandom
 0x459008 CryptReleaseContext
 0x45900c GetUserNameW
 0x459010 RegEnumKeyExA
 0x459014 QueryServiceStatus
 0x459018 CloseServiceHandle
 0x45901c OpenSCManagerW
 0x459020 OpenSCManagerA
 0x459024 ControlService
 0x459028 StartServiceW
 0x45902c QueryServiceConfigW
 0x459030 ChangeServiceConfigW
 0x459034 OpenServiceW
 0x459038 EnumServicesStatusW
 0x45903c AdjustTokenPrivileges
 0x459040 LookupPrivilegeValueA
 0x459044 OpenProcessToken
 0x459048 RegCreateKeyA
 0x45904c RegCloseKey
 0x459050 RegQueryInfoKeyW
 0x459054 RegQueryValueExA
 0x459058 RegCreateKeyExW
 0x45905c RegEnumKeyExW
 0x459060 RegSetValueExW
 0x459064 RegSetValueExA
 0x459068 RegOpenKeyExA
 0x45906c RegOpenKeyExW
 0x459070 RegCreateKeyW
 0x459074 RegDeleteValueW
 0x459078 RegEnumValueW
 0x45907c RegQueryValueExW
 0x459080 RegDeleteKeyA
SHELL32.dll
 0x45935c ShellExecuteExA
 0x459360 Shell_NotifyIconA
 0x459364 ExtractIconA
 0x459368 ShellExecuteW
ole32.dll
 0x4594e0 CoInitializeEx
 0x4594e4 CoUninitialize
 0x4594e8 CoGetObject
SHLWAPI.dll
 0x459370 PathFileExistsW
 0x459374 PathFileExistsA
 0x459378 StrToIntA
WINMM.dll
 0x459444 waveInUnprepareHeader
 0x459448 waveInOpen
 0x45944c waveInStart
 0x459450 waveInAddBuffer
 0x459454 PlaySoundW
 0x459458 mciSendStringA
 0x45945c mciSendStringW
 0x459460 waveInClose
 0x459464 waveInStop
 0x459468 waveInPrepareHeader
WS2_32.dll
 0x459470 gethostbyname
 0x459474 send
 0x459478 WSAStartup
 0x45947c closesocket
 0x459480 inet_ntoa
 0x459484 htons
 0x459488 htonl
 0x45948c getservbyname
 0x459490 ntohs
 0x459494 getservbyport
 0x459498 gethostbyaddr
 0x45949c inet_addr
 0x4594a0 WSASetLastError
 0x4594a4 WSAGetLastError
 0x4594a8 recv
 0x4594ac connect
 0x4594b0 socket
urlmon.dll
 0x4594f0 URLOpenBlockingStreamW
 0x4594f4 URLDownloadToFileW
gdiplus.dll
 0x4594b8 GdipSaveImageToStream
 0x4594bc GdipGetImageEncodersSize
 0x4594c0 GdipFree
 0x4594c4 GdipDisposeImage
 0x4594c8 GdipAlloc
 0x4594cc GdipCloneImage
 0x4594d0 GdipGetImageEncoders
 0x4594d4 GdiplusStartup
 0x4594d8 GdipLoadImageFromStream
WININET.dll
 0x459430 InternetOpenUrlW
 0x459434 InternetOpenW
 0x459438 InternetCloseHandle
 0x45943c InternetReadFile

EAT (Export Address Table): none