File name: MAERSK_Tracking_Document.scr
Full analysis: https://app.any.run/tasks/7326d72d-254d-498d-a4a3-b7e64da4de29
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: December 18, 2018, 19:52:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, remcos, keylogger
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: EBAEBB4DB252F98682FA97D9C024CEBA
SHA1: 83E47881718961AAC8A8F7D6FC981AFF10805F38
SHA256: 54E995EF9C0A82741A6E13D8CA60847220BFD45BA44014610A4553B1A3AFABFC
SSDEEP: 49152:saPcu7x8QhBKyej5L+kI+mtG2FpkXv+sxlhyQyBsuF2eOZ:saPcuNBPK9NA/R3knCsuF2X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • MAERSK_Tracking_Document.scr (PID: 3692)
    • REMCOS RAT was detected
      • MAERSK_Tracking_Document.scr (PID: 3352)
    • Detected logs from REMCOS RAT
      • MAERSK_Tracking_Document.scr (PID: 3352)
  • SUSPICIOUS
    • Application launched itself
      • MAERSK_Tracking_Document.scr (PID: 3692)
    • Starts application with an unusual extension
      • MAERSK_Tracking_Document.scr (PID: 3692)
    • Executable content was dropped or overwritten
      • MAERSK_Tracking_Document.scr (PID: 3692)
    • Creates files in the user directory
      • MAERSK_Tracking_Document.scr (PID: 3352)
    • Connects to unusual port
      • MAERSK_Tracking_Document.scr (PID: 3352)
    • Writes files like Keylogger logs
      • MAERSK_Tracking_Document.scr (PID: 3352)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
PEType: PE32
LinkerVersion: 2.25
CodeSize: 473600
InitializedDataSize: 558080
UninitializedDataSize: -
EntryPoint: 0x515000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.99.6.1400
ProductVersionNumber: 1.99.6.1400
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Cyrillic
CompanyName: Heaventools Software
FileDescription: PE Explorer
FileVersion: 1.99.6.1400
InternalName: PE Explorer
LegalCopyright: Copyright © 2000-2009 Heaventools Software
LegalTrademarks: PE Explorer is a trademark of Heaventools Software
OriginalFileName: pexplorer.exe
ProductName: PE Explorer
ProductVersion: 1.99.6.1400
Comments: -

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jun-1992 22:22:17
Detected languages:
  • Arabic - Egypt
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000040

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 19-Jun-1992 22:22:17
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
- | 0x00001000 | 0x00087000 | 0x0003AE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.98175
.rsrc | 0x00088000 | 0x0007C3AC | 0x0003CE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.96904
.idata | 0x00105000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.30872
- | 0x00106000 | 0x00273000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.260771
bjrninup | 0x00379000 | 0x0019C000 | 0x0019BC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.77875
ukljtsxx | 0x00515000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.98597

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.95218 | 581 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 2.7163 | 3240 | Latin 1 / Western European | Arabic - Egypt | RT_ICON
3 | 3.82771 | 872 | Latin 1 / Western European | Arabic - Egypt | RT_ICON
4 | 7.28638 | 308 | Latin 1 / Western European | English - United States | RT_CURSOR
5 | 7.27543 | 308 | Latin 1 / Western European | English - United States | RT_CURSOR
6 | 7.31664 | 308 | Latin 1 / Western European | English - United States | RT_CURSOR
7 | 7.2667 | 308 | Latin 1 / Western European | English - United States | RT_CURSOR
50 | 2.62913 | 744 | Latin 1 / Western European | UNKNOWN | RT_ICON
51 | 2.7844 | 296 | Latin 1 / Western European | UNKNOWN | RT_ICON
52 | 1.67759 | 11432 | Latin 1 / Western European | UNKNOWN | RT_ICON

Imports

comctl32.dll
kernel32.dll
No data.
Total processes: 33
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(Interactive graph omitted. Nodes shown: maersk_tracking_document.scr (drop and start), maersk_tracking_document.scr #REMCOS, explorer.exe (no specs).)

Process information

PID: 3692
CMD: "C:\Users\admin\AppData\Local\Temp\MAERSK_Tracking_Document.scr" /S
Path: C:\Users\admin\AppData\Local\Temp\MAERSK_Tracking_Document.scr
Parent process: explorer.exe
User: admin
Company: Heaventools Software
Integrity Level: MEDIUM
Description: PE Explorer
Exit code: 0
Version: 1.99.6.1400

PID: 3352
CMD: "C:\Users\admin\AppData\Local\Temp\MAERSK_Tracking_Document.scr" /S
Path: C:\Users\admin\AppData\Local\Temp\MAERSK_Tracking_Document.scr
Parent process: MAERSK_Tracking_Document.scr
User: admin
Company: Heaventools Software
Integrity Level: MEDIUM
Description: PE Explorer
Version: 1.99.6.1400

PID: 3576
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: MAERSK_Tracking_Document.scr
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 9
Read events: 6
Write events: 3
Delete events: 0

Modification events

(PID) Process: (3692) MAERSK_Tracking_Document.scr
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Microsoft OneDrive
Value: C:\Users\admin\AppData\Local\Chrome\StikyNot.exe

(PID) Process: (3352) MAERSK_Tracking_Document.scr
Key: HKEY_CURRENT_USER\Software\Remcos-UBYV3Z
Operation: write
Name: exepath
Value: 966DEF0B2160205F3A82099AA34632A4E74D6C41E10B20FC00CCBF7230F8961C613541B8656BE4FA9CBF0AE16B57DAA4096E62CF8E3F1E96CF9089390FBD27A245AD45859EF79D0D7CBDC775D2B7E9580DC126FA442E80314614D667F32FD1A7282E5CF98A559BFC4A5673E3B70AC53A6472A3B64EA6A1C0FBF456BB6B7D

(PID) Process: (3352) MAERSK_Tracking_Document.scr
Key: HKEY_CURRENT_USER\Software\Remcos-UBYV3Z
Operation: write
Name: licence
Value: CC34E7FC3DF2B6732B3ED6618609F71E
Executable files: 2
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3352 | MAERSK_Tracking_Document.scr | C:\Users\admin\AppData\Roaming\Screenshots\time_20181218_195324.png | image
  MD5: 8226F694461D2375CEB5D694C7A8E7E3
  SHA256: 31A0E7FFC4DE19E68689133434FC96E65C9B3C8D4491EF4709D7DB7C9F86C7BA
3352 | MAERSK_Tracking_Document.scr | C:\Users\admin\AppData\Roaming\remcos\logs.dat | text
  MD5: EDF51B4F00E1FF17A8AFBF03F3F209E7
  SHA256: 8B467DAB1FC9F960341328821F123B616DB685D0294C390D4F5F2C0D6BC11552
3692 | MAERSK_Tracking_Document.scr | C:\Users\admin\AppData\Local\Temp\Disk.sys | executable
  MD5: EBAEBB4DB252F98682FA97D9C024CEBA
  SHA256: 54E995EF9C0A82741A6E13D8CA60847220BFD45BA44014610A4553B1A3AFABFC
3692 | MAERSK_Tracking_Document.scr | C:\Users\admin\AppData\Local\Chrome\StikyNot.exe | executable
  MD5: EBAEBB4DB252F98682FA97D9C024CEBA
  SHA256: 54E995EF9C0A82741A6E13D8CA60847220BFD45BA44014610A4553B1A3AFABFC
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3352 | MAERSK_Tracking_Document.scr | 216.170.116.129:3338 | pdfworld.us | ColoCrossing | US | malicious

DNS requests

Domain | IP | Reputation
pdfworld.us | 216.170.116.129 | malicious

Threats

No threats detected
No debug info