File name: DHL_0051673 receipt document.exe

Full analysis: https://app.any.run/tasks/fee36384-9cea-43c4-b875-0858fa84b444
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: February 21, 2020, 18:29:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
remcos
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1D534A440B9A79BA0F33FB5ED02291C6
SHA1: F79BFF3991F934C06FA5CFE7CCDEC199A6B07219
SHA256: 7E2A294158DC40D01B4B85BA1EDC62C7D0D853E9E34E08A522EF2AB1F370BE8F
SSDEEP: 384:GbuARnAtZRitHAJwcIDSy9SQzw94pZKNjrEABlayQo2HImcpYpATW6MNp6V/CNxH:GBAyAMGyJsNj44abfHrM8p6yiEZqA1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • DHL_0051673 receipt document.exe (PID: 3180)
      • spindel.exe (PID: 2608)
    • REMCOS was detected

      • spindel.exe (PID: 3328)
    • Changes settings of System certificates

      • spindel.exe (PID: 3328)
  • SUSPICIOUS

    • Application launched itself

      • spindel.exe (PID: 2608)
      • DHL_0051673 receipt document.exe (PID: 3180)
    • Starts itself from another location

      • DHL_0051673 receipt document.exe (PID: 3000)
    • Executable content was dropped or overwritten

      • DHL_0051673 receipt document.exe (PID: 3000)
    • Reads Internet Cache Settings

      • spindel.exe (PID: 3328)
    • Creates files in the user directory

      • spindel.exe (PID: 3328)
    • Connects to unusual port

      • spindel.exe (PID: 3328)
    • Adds / modifies Windows certificates

      • spindel.exe (PID: 3328)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (90.6)
.exe | Win32 Executable (generic) (4.9)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

OriginalFileName: xenophobi.exe
InternalName: xenophobi
ProductVersion: 1
FileVersion: 1
ProductName: REVOLV
FileDescription: cutlas
CompanyName: Tyvende
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 1
OSVersion: 4
EntryPoint: 0x1288
UninitializedDataSize: -
InitializedDataSize: 24576
CodeSize: 36864
LinkerVersion: 6
PEType: PE32
TimeStamp: 2009:12:09 00:58:02+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 08-Dec-2009 23:58:02
Detected languages:
  • English - United States
CompanyName: Tyvende
FileDescription: cutlas
ProductName: REVOLV
FileVersion: 1.00
ProductVersion: 1.00
InternalName: xenophobi
OriginalFilename: xenophobi.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 08-Dec-2009 23:58:02
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00008648 | 0x00009000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.39101
.data | 0x0000A000 | 0x00000A50 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x0000B000 | 0x0000456C | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.46782

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.18561 | 584 | Unicode (UTF 16LE) | English - United States | RT_VERSION

Imports

MSVBVM60.DLL
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph

[Behavior graph: start -> DHL_0051673 receipt document.exe -> DHL_0051673 receipt document.exe -> (drop and start) spindel.exe -> spindel.exe #REMCOS]

Process information

PID: 3180
CMD: "C:\Users\admin\AppData\Local\Temp\DHL_0051673 receipt document.exe"
Path: C:\Users\admin\AppData\Local\Temp\DHL_0051673 receipt document.exe
Parent process: explorer.exe
User: admin
Company: Tyvende
Integrity Level: MEDIUM
Description: cutlas
Exit code: 0
Version: 1.00

PID: 3000
CMD: "C:\Users\admin\AppData\Local\Temp\DHL_0051673 receipt document.exe"
Path: C:\Users\admin\AppData\Local\Temp\DHL_0051673 receipt document.exe
Parent process: DHL_0051673 receipt document.exe
User: admin
Company: Tyvende
Integrity Level: MEDIUM
Description: cutlas
Exit code: 0
Version: 1.00

PID: 2608
CMD: "C:\Users\admin\bisektione\spindel.exe"
Path: C:\Users\admin\bisektione\spindel.exe
Parent process: DHL_0051673 receipt document.exe
User: admin
Company: Tyvende
Integrity Level: MEDIUM
Description: cutlas
Exit code: 0
Version: 1.00

PID: 3328
CMD: "C:\Users\admin\bisektione\spindel.exe"
Path: C:\Users\admin\bisektione\spindel.exe
Parent process: spindel.exe
User: admin
Company: Tyvende
Integrity Level: MEDIUM
Description: cutlas
Version: 1.00
Total events: 3 922
Read events: 358
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 4
Text files: 2
Unknown types: 2

Dropped files

PID | Process | Filename | Type
3328 | spindel.exe | C:\Users\admin\AppData\Local\Temp\Cab283C.tmp | -
  MD5: -
  SHA256: -
3328 | spindel.exe | C:\Users\admin\AppData\Local\Temp\Tar283D.tmp | -
  MD5: -
  SHA256: -
3328 | spindel.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 | der
  MD5: 86E77FCFA948CE0AB6DA3863D01CC999
  SHA256: DBDA3E5B03CA6456A1016940CE46C72DC8AAFFCAAF0F50A062DAAE9EF021B418
3328 | spindel.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | binary
  MD5: 6C31231E2A5268458F16A5B8CA8DB20F
  SHA256: D7533879D797768A4F8075105B8F5F0BB05A6821E5F64E1119990BBB3CBEF534
3328 | spindel.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\YT1LRFZJ.txt | text
  MD5: 39ACF6AC1E513980D4DF040509E41C81
  SHA256: 068A15B50E05E3970CB2C3CBD330BA47A544771612E86B513C2EF8107EFF68FC
3000 | DHL_0051673 receipt document.exe | C:\Users\admin\bisektione\spindel.exe | executable
  MD5: 1D534A440B9A79BA0F33FB5ED02291C6
  SHA256: 7E2A294158DC40D01B4B85BA1EDC62C7D0D853E9E34E08A522EF2AB1F370BE8F
3328 | spindel.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 | binary
  MD5: CE84C9FB4F1D2F63F5F8D30DBBCB50E1
  SHA256: DF0CE86AF74B15D54E9357A59B89FAF98CA3D48BE77FBFBC01C72FCA21EE5599
3000 | DHL_0051673 receipt document.exe | C:\Users\admin\bisektione\spindel.vbs | text
  MD5: 24AD92C2231A02BF16B103CB01E49DBD
  SHA256: 908A3DF4A7DD0A2AA744ABB13DB9CD6804B0350193D3EE49196E17A9F8EA0FEC
3328 | spindel.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | der
  MD5: C26C775CD185239E05F60C4091E2DEFD
  SHA256: D2035494386E8046540AD7B9DB4D9C9DCC8E2BA5A367F62638C159A088E49C22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 69
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3328 | spindel.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted
3328 | spindel.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3328 | spindel.exe | 13.107.42.12:443 | cziwuq.dm.files.1drv.com | Microsoft Corporation | US | suspicious
3328 | spindel.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious
3328 | spindel.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3328 | spindel.exe | 79.134.225.77:5151 | mygodissogoodtome.ddns.net | Andreas Fink trading as Fink Telecom Services | CH | malicious

DNS requests

Domain | IP | Reputation
onedrive.live.com | 13.107.42.13 | shared
ocsp.digicert.com | 93.184.220.29 | whitelisted
cziwuq.dm.files.1drv.com | 13.107.42.12 | whitelisted
mygodissogoodtome.ddns.net | 79.134.225.77 | malicious

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net
- | - | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net
- | - | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net
- | - | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net
No debug info