File name: x.exe

Full analysis: https://app.any.run/tasks/e5b25446-add3-42e1-a528-a747b9390799
Verdict: Malicious activity
Threats:

DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment.

Analysis date: February 08, 2024, 10:37:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
dbatloader
rat
remcos
remote
keylogger
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 84FE2BA6C3EC4EEA444B389021497A0D
SHA1: 5B1C59102786FBE75A743C84D977E381A4E7911A
SHA256: B06D1E3423E430BFBDFD728F769FC77749AA4F3824D8290956F71556093518F4
SSDEEP: 98304:tQjBDWBgDBJZZSUXm+fmFmTsGz7d+ixPFjjP:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • x.exe (PID: 268)
    • REMCOS has been detected (SURICATA)
      • colorcpl.exe (PID: 2736)
    • DBATLOADER has been detected (YARA)
      • x.exe (PID: 268)
    • Remcos is detected
      • colorcpl.exe (PID: 2736)
    • REMCOS has been detected (YARA)
      • colorcpl.exe (PID: 2736)
  • SUSPICIOUS
    • Reads settings of System Certificates
      • x.exe (PID: 268)
    • Connects to unusual port
      • colorcpl.exe (PID: 2736)
    • Reads the Internet Settings
      • x.exe (PID: 268)
      • colorcpl.exe (PID: 2736)
    • Writes files like Keylogger logs
      • colorcpl.exe (PID: 2736)
  • INFO
    • Checks supported languages
      • x.exe (PID: 268)
    • Checks proxy server information
      • x.exe (PID: 268)
      • colorcpl.exe (PID: 2736)
    • Reads the computer name
      • x.exe (PID: 268)
    • Reads the machine GUID from the registry
      • x.exe (PID: 268)
    • Creates files or folders in the user directory
      • colorcpl.exe (PID: 2736)
    • Creates files in the program directory
      • colorcpl.exe (PID: 2736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

DBatLoader

(PID) Process: (268) x.exe
C2 (1): https://onedrive.live.com/download?resid=CF486ED8AAB9BD10%21163&authkey=!AOl9rq9lbdekVZk

Remcos

(PID) Process: (2736) colorcpl.exe
C2 (1): 172.245.208.5:2060
Botnet: QHost
Options:
Connect_interval: 1
Install_flag: False
Install_HKCU\Run: True
Install_HKLM\Run: True
Install_HKLM\Explorer\Run: 1
Install_HKLM\Winlogon\Shell: 100000
Setup_path: %LOCALAPPDATA%
Copy_file: remcos.exe
Startup_value: False
Hide_file: False
Mutex_name: Rmc-2OLA39
Keylog_flag: 1
Keylog_path: %LOCALAPPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: %ProgramFiles%
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Remcos
Keylog_dir: remcos
No Malware configuration.

TRiD

.exe | InstallShield setup (53.2)
.exe | Win32 Executable Delphi generic (17.5)
.scr | Windows screen saver (16.1)
.exe | Win32 Executable (generic) (5.5)
.exe | Win16/32 Executable Delphi generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 421888
InitializedDataSize: 1412608
UninitializedDataSize: -
EntryPoint: 0x67ea4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 38
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start #DBATLOADER x.exe #REMCOS colorcpl.exe

Process information

PID: 268
CMD: "C:\Users\admin\AppData\Local\Temp\x.exe"
Path: C:\Users\admin\AppData\Local\Temp\x.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\x.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2736
CMD: C:\Windows\System32\colorcpl.exe
Path: C:\Windows\System32\colorcpl.exe
Parent process: x.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Color Control Panel
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\colorcpl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\colorui.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 3 333
Read events: 3 298
Write events: 32
Delete events: 3

Modification events

(PID) Process: (268) x.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (268) x.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value: (binary certificate blob)
(PID) Process: (268) x.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: delete key
Name: (default)
Value:

(PID) Process: (2736) colorcpl.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2736) colorcpl.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2736) colorcpl.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2736) colorcpl.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2736) colorcpl.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2736) colorcpl.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2736) colorcpl.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2736 | colorcpl.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\json[1].json | binary
MD5: 3F719AA76FD105A653E21D4E56D9B32A
SHA256: F2EEC624A5324F143CED13138B3BF52773DFAA874E6E87EB0E5FA32E2935C0DD
2736 | colorcpl.exe | C:\ProgramData\remcos\logs.dat | binary
MD5: 8BBC52ACC6424E6059C2EAF4C10EB3E0
SHA256: E9E0FB9016A4F8E3C91F4B2FD58115902801AA2623E607BC6C802044E0314782
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 9
DNS requests: 3
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2736 | colorcpl.exe | GET | 200 | 178.237.33.50:80 | http://geoplugin.net/json.gp | unknown | binary | 953 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
268 | x.exe | 13.107.137.11:443 | onedrive.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
268 | x.exe | 13.107.42.12:443 | 13kpow.dm.files.1drv.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2736 | colorcpl.exe | 172.245.208.5:2060 | | AS-COLOCROSSING | US | malicious
2736 | colorcpl.exe | 178.237.33.50:80 | geoplugin.net | Schuberg Philis B.V. | NL | malicious

DNS requests

Domain | IP | Reputation
onedrive.live.com | 13.107.137.11, 13.107.139.11 | shared
13kpow.dm.files.1drv.com | 13.107.42.12 | unknown
geoplugin.net | 178.237.33.50 | malicious

Threats

PID | Process | Class | Message
2736 | colorcpl.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x TLS Connection
2736 | colorcpl.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS JA3 Hash
1 ETPRO signatures available at the full report
No debug info