File name:	Purchasing_Order_00012012.exe
Full analysis:	https://app.any.run/tasks/8ed5b7fd-498c-4468-9e84-e3a62517492e
Verdict:	Malicious activity
Threats:	Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	August 13, 2020, 00:45:40
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	rat remcos trojan keylogger
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	C1F0543F80F46A867D38CF9CD0D95A4E
SHA1:	29DB19FDBDB8F41B724A0F87409F9499598820A3
SHA256:	923483A20BFA8C7734FF5CD5F1D2EBB4A029EFE6AF2365CD4730A0955E038CCD
SSDEEP:	6144:/8x7eExhet/ziRZFU37K9v+7/EJWvSQd6gP2JXQYWLkF/A4L90UZHF9N1iwvJOh2:0ZPc+8e9G7sJWz+Jxg45T/NMwvZD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

AssemblyVersion:	3.0.10.0
ProductVersion:	3.0.10.0
ProductName:	VLC media player
OriginalFileName:	Lime_LIMECRYPTER.exe
LegalTrademarks:	VLC media player, VideoLAN and x264 are registered trademarks from VideoLAN
LegalCopyright:	Copyright © 1996-2020 VideoLAN and VLC Authors
InternalName:	Lime_LIMECRYPTER.exe
FileVersion:	3.0.10.0
FileDescription:	VLC media player
CompanyName:	VideoLAN
Comments:	VLC media player
CharacterSet:	Unicode
LanguageCode:	Neutral
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	3.0.10.0
FileVersionNumber:	3.0.10.0
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	-
OSVersion:	4
EntryPoint:	0x6778e
UninitializedDataSize:	-
InitializedDataSize:	78848
CodeSize:	415744
LinkerVersion:	11
PEType:	PE32
TimeStamp:	2020:08:12 11:36:58+02:00
MachineType:	Intel 386 or later, and compatibles

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	12-Aug-2020 09:36:58
Comments:	VLC media player
CompanyName:	VideoLAN
FileDescription:	VLC media player
FileVersion:	3.0.10.0
InternalName:	Lime_LIMECRYPTER.exe
LegalCopyright:	Copyright © 1996-2020 VideoLAN and VLC Authors
LegalTrademarks:	VLC media player, VideoLAN and x264 are registered trademarks from VideoLAN
OriginalFilename:	Lime_LIMECRYPTER.exe
ProductName:	VLC media player
ProductVersion:	3.0.10.0
Assembly Version:	3.0.10.0

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000080

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	3
Time date stamp:	12-Aug-2020 09:36:58
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00002000	0x00065794	0x00065800	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.50355
.rsrc	0x00068000	0x00013078	0x00013200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	7.30333
.reloc	0x0007C000	0x0000000C	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.10191

Title	Entropy	Size	Codepage	Language	Type
1	4.99798	3115	UNKNOWN	UNKNOWN	RT_MANIFEST
2	4.3955	2216	UNKNOWN	UNKNOWN	RT_ICON
3	2.72268	1384	UNKNOWN	UNKNOWN	RT_ICON
4	7.98668	54430	UNKNOWN	UNKNOWN	RT_ICON
5	3.55772	9640	UNKNOWN	UNKNOWN	RT_ICON
6	3.649	4264	UNKNOWN	UNKNOWN	RT_ICON
7	4.17809	1128	UNKNOWN	UNKNOWN	RT_ICON
32512	2.68242	90	UNKNOWN	UNKNOWN	RT_GROUP_ICON

PID	CMD	Path	Indicators	Parent process
3268	"C:\Users\admin\AppData\Local\Temp\Purchasing_Order_00012012.exe"	C:\Users\admin\AppData\Local\Temp\Purchasing_Order_00012012.exe		explorer.exe
User: admin Company: VideoLAN Integrity Level: MEDIUM Description: VLC media player Exit code: 0 Version: 3.0.10.0
3696	"C:\Users\admin\AppData\Local\Temp\Purchasing_Order_00012012.exe"	C:\Users\admin\AppData\Local\Temp\Purchasing_Order_00012012.exe		Purchasing_Order_00012012.exe
User: admin Company: VideoLAN Integrity Level: MEDIUM Description: VLC media player Version: 3.0.10.0
3800	"C:\Windows\System32\dxdiag.exe" /t C:\Users\admin\AppData\Local\Temp\sysinfo.txt	C:\Windows\System32\dxdiag.exe	—	Purchasing_Order_00012012.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft DirectX Diagnostic Tool Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID	Process	Filename		Type
3268	Purchasing_Order_00012012.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe		executable
		MD5:C1F0543F80F46A867D38CF9CD0D95A4E	SHA256:923483A20BFA8C7734FF5CD5F1D2EBB4A029EFE6AF2365CD4730A0955E038CCD
3696	Purchasing_Order_00012012.exe	C:\Users\admin\AppData\Roaming\LimeCryp\logs.dat		text
		MD5:87A58436E030DAE1BC7F997F1A804A53	SHA256:BBF504B6E9AAE57CB81B3FD82C5031593661D85FCAA00AA788713C24924572A9

PID	Process	Class	Message
3696	Purchasing_Order_00012012.exe	A Network Trojan was detected	REMOTE [PTsecurity] Remcos.RAT
3696	Purchasing_Order_00012012.exe	A Network Trojan was detected	REMOTE [PTsecurity] Remcos.RAT
3696	Purchasing_Order_00012012.exe	A Network Trojan was detected	REMOTE [PTsecurity] Remcos.RAT
3696	Purchasing_Order_00012012.exe	A Network Trojan was detected	REMOTE [PTsecurity] Remcos.RAT
3696	Purchasing_Order_00012012.exe	A Network Trojan was detected	REMOTE [PTsecurity] Remcos.RAT
3696	Purchasing_Order_00012012.exe	A Network Trojan was detected	REMOTE [PTsecurity] Remcos.RAT
3696	Purchasing_Order_00012012.exe	A Network Trojan was detected	REMOTE [PTsecurity] Remcos.RAT

General Info

Purchasing_Order_00012012.exe

C1F0543F80F46A867D38CF9CD0D95A4E

29DB19FDBDB8F41B724A0F87409F9499598820A3

923483A20BFA8C7734FF5CD5F1D2EBB4A029EFE6AF2365CD4730A0955E038CCD

6144:/8x7eExhet/ziRZFU37K9v+7/EJWvSQd6gP2JXQYWLkF/A4L90UZHF9N1iwvJOh2:0ZPc+8e9G7sJWz+Jxg45T/NMwvZD

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

REMCOS was detected

Connects to CnC server

Changes the Startup folder

SUSPICIOUS

Creates files in the user directory

Executable content was dropped or overwritten

Writes files like Keylogger logs

Application launched itself

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings