File name: | MerchantSticpayAgreements.pif |
Full analysis: | https://app.any.run/tasks/f26fd95b-3cc1-4578-abf1-17289380ebe5 |
Verdict: | Malicious activity |
Threats: | Remcos is a RAT-type malware that attackers use to perform actions on infected machines remotely. It is actively maintained, with updates released almost every month. |
Analysis date: | March 17, 2023, 10:16:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | E81AD778CA7344EA6586C6D4AC295CDE |
SHA1: | 433CF8E8FEE868D816D743F7A119519084887182 |
SHA256: | B1AFBCE51AD052F936B989214964D56E2290A7FB5548763273C1FC4382CD5C1C |
SSDEEP: | 24576:80BRq7wHHJ9qEvIMGpepH5HYN3425J+6Nx0nXSy2pydqoPCKTZ08E:qUWo6cF5HKoCIa0GpydqoPbTZ0X |
Extension | Detected type (score) |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (42.2) |
.exe | Win64 Executable (generic) (37.3) |
.dll | Win32 Dynamic Link Library (generic) (8.8) |
.exe | Win32 Executable (generic) (6) |
.exe | Generic Win/DOS Executable (2.7) |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2014:05:27 00:39:45+00:00 |
ImageFileCharacteristics: | No relocs, Executable, 32-bit |
PEType: | PE32 |
LinkerVersion: | 9 |
CodeSize: | 572928 |
InitializedDataSize: | 906752 |
UninitializedDataSize: | - |
EntryPoint: | 0x6eb6d |
OSVersion: | 5 |
ImageVersion: | - |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
FileVersionNumber: | 7.2.0.0 |
ProductVersionNumber: | 7.2.0.0 |
FileFlagsMask: | 0x0017 |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Unicode |
CompanyName: | TrueCrypt Foundation |
FileDescription: | TrueCrypt |
FileVersion: | 7.2 |
LegalTrademarks: | TrueCrypt |
OriginalFileName: | TrueCrypt.exe |
ProductName: | TrueCrypt |
ProductVersion: | 7.2 |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 27-May-2014 00:39:45 |
Detected languages: | |
CompanyName: | TrueCrypt Foundation |
FileDescription: | TrueCrypt |
FileVersion: | 7.2 |
LegalTrademarks: | TrueCrypt |
OriginalFilename: | TrueCrypt.exe |
ProductName: | TrueCrypt |
ProductVersion: | 7.2 |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of new EXE header (e_lfanew): | 0x000000F0 |
PE header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 27-May-2014 00:39:45 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | IMAGE_FILE_RELOCS_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE (the "No relocs, Executable, 32-bit" flags listed above) |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0008BCD6 | 0x0008BE00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.6494 |
.rdata | 0x0008D000 | 0x0002206C | 0x00022200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.36631 |
.data | 0x000B0000 | 0x00034780 | 0x00004E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.29441 |
.rsrc | 0x000E5000 | 0x000B64F4 | 0x000B6600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.4068 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.16621 | 881 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 7.22346 | 872 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 6.48494 | 1864 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 6.54975 | 3240 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 5.94405 | 7336 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 6.35582 | 872 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 1.34631 | 50 | Latin 1 / Western European | English - United States | RT_STRING |
8 | 6.42626 | 3240 | Latin 1 / Western European | English - United States | RT_ICON |
9 | 6.39646 | 7336 | Latin 1 / Western European | English - United States | RT_ICON |
10 | 6.67113 | 872 | Latin 1 / Western European | English - United States | RT_ICON |
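The header, section and resource tables above can be cross-checked against each other before any dynamic analysis. The following Python is an added example (not part of the ANY.RUN report) that takes the values printed on this page and runs the consistency checks a triage engineer would do by hand: entry point inside an executable section, SizeOfCode and SizeOfInitializedData equal to the raw sizes of the matching sections, sections flagged for packer-like entropy (the 7.2 threshold is an assumption), sections that grow at load time, and how much of the 747 KB .rsrc section the ten listed resources actually explain. Bear in mind that the version resource (TrueCrypt 7.2, TrueCrypt Foundation) and the 27 May 2014 link timestamp are exactly what a genuine TrueCrypt 7.2 build would carry (7.2 was released on 28 May 2014), so neither identifies this sample on its own; the checks below are about internal consistency, not attribution.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: frozenset
    entropy: float


# Section table as printed on this page (IMAGE_SCN_* flag names shortened).
SECTIONS = (
    Section(".text",  0x00001000, 0x0008BCD6, 0x0008BE00, frozenset({"CODE", "EXECUTE", "READ"}), 6.6494),
    Section(".rdata", 0x0008D000, 0x0002206C, 0x00022200, frozenset({"INITIALIZED_DATA", "READ"}), 6.36631),
    Section(".data",  0x000B0000, 0x00034780, 0x00004E00, frozenset({"INITIALIZED_DATA", "READ", "WRITE"}), 6.29441),
    Section(".rsrc",  0x000E5000, 0x000B64F4, 0x000B6600, frozenset({"INITIALIZED_DATA", "READ"}), 6.4068),
)
ENTRY_POINT = 0x6EB6D             # EntryPoint (RVA) from the optional header above
SIZE_OF_CODE = 572928             # CodeSize
SIZE_OF_INIT_DATA = 906752        # InitializedDataSize
LISTED_RESOURCES = (881, 872, 1864, 3240, 7336, 872, 50, 3240, 7336, 872)  # Size column of the resource table
PACKED_ENTROPY = 7.2              # assumed threshold; plain compiled code rarely exceeds it


def section_for_rva(rva: int, sections=SECTIONS):
    """Return the section whose mapped range contains the RVA, or None."""
    for s in sections:
        end = s.virtual_address + max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < end:
            return s
    return None


def check_headers(sections=SECTIONS, entry=ENTRY_POINT,
                  size_of_code=SIZE_OF_CODE, size_of_init=SIZE_OF_INIT_DATA,
                  listed_resources=LISTED_RESOURCES) -> dict:
    ep = section_for_rva(entry, sections)
    code_raw = sum(s.raw_size for s in sections if "CODE" in s.characteristics)
    init_raw = sum(s.raw_size for s in sections if "INITIALIZED_DATA" in s.characteristics)
    rsrc = next((s for s in sections if s.name == ".rsrc"), None)
    listed = sum(listed_resources)
    return {
        # An entry point outside any executable section is a classic packer / tampering sign.
        "entry_section": ep.name if ep else None,
        "entry_in_executable_section": bool(ep and "EXECUTE" in ep.characteristics),
        # A linker writes SizeOfCode / SizeOfInitializedData as the raw sizes of the matching
        # sections; hand-edited headers or appended sections usually break that equality.
        "size_of_code_matches": code_raw == size_of_code,
        "size_of_init_data_matches": init_raw == size_of_init,
        "high_entropy_sections": [s.name for s in sections if s.entropy >= PACKED_ENTROPY],
        # VirtualSize > RawSize means zero-filled space at load time (bss): normal for .data.
        "grows_at_load": [s.name for s in sections if s.virtual_size > s.raw_size],
        "largest_section": max(sections, key=lambda s: s.raw_size).name,
        # Share of the .rsrc section explained by the resources listed on this page.
        "listed_resource_fraction": listed / rsrc.raw_size if rsrc else None,
    }


if __name__ == "__main__":
    for k, v in check_headers().items():
        print(f"{k:30} {v}")
```

On this page's numbers every linker invariant holds, which argues against a crude header patch, and no section crosses the entropy threshold. The one lead is the resource section: the listed icons, manifest and string table account for well under 5% of its 747 KB, so the remainder (resource types the page does not list, or an embedded payload) is where a static follow-up should start; the report itself does not say which.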
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
KERNEL32.dll |
OLEAUT32.dll |
SETUPAPI.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2672 | "C:\Users\admin\AppData\Local\Temp\MerchantSticpayAgreements.pif.exe" | C:\Users\admin\AppData\Local\Temp\MerchantSticpayAgreements.pif.exe | | explorer.exe |
3336 | "C:\Users\admin\AppData\Roaming\36c011cd\vlc.exe" | C:\Users\admin\AppData\Roaming\36c011cd\vlc.exe | — | svchost.exe |
3436 | "C:\Windows\system32\cmd.exe" | C:\Windows\System32\cmd.exe | — | vlc.exe |
3808 | "C:\Windows\system32\cmd.exe" | C:\Windows\System32\cmd.exe | | cmd.exe |

PID | User | Company | Integrity level | Description | Version | Exit code |
---|---|---|---|---|---|---|
2672 | admin | TrueCrypt Foundation | MEDIUM | TrueCrypt | 7.2 | |
3336 | admin | VideoLAN | MEDIUM | VLC media player | 3.0.17.4 | 0 |
3436 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0 |
3808 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | |
Remcos config (PID 3808, cmd.exe) | Value |
---|---|
Hosts | kallitredabbacaza.com:2404 (1 host) |
Botnet | NEWSSPAM |
Connect_interval | 1 |
Install_flag | False |
Install_HKCU\Run | True |
Install_HKLM\Run | True |
Install_HKLM\Explorer\Run | 1 |
Setup_path | %LOCALAPPDATA% |
Copy_file | remcos.exe |
Startup_value | Remcos |
Hide_file | False |
Mutex_name | ty546n45vv6-ZQMTKE |
Keylog_flag | 0 |
Keylog_path | %LOCALAPPDATA% |
Keylog_file | logs.dat |
Keylog_crypt | False |
Hide_keylog | False |
Screenshot_flag | False |
Screenshot_time | 5 |
Take_Screenshot | False |
Screenshot_path | %APPDATA% |
Screenshot_file | Screenshots |
Screenshot_crypt | False |
Mouse_option | False |
Delete_file | False |
Audio_record_time | 5 |
Audio_path | %ProgramFiles% |
Audio_dir | MicRecords |
Connect_delay | 0 |
Copy_dir | Remcos |
Keylog_dir | remcos |
Max_keylog_file | 100000 |
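The sandbox prints the Remcos configuration as a flat run of setting names glued to their values with no delimiter, which is awkward to feed into a hunting pipeline. The Python below is an added example, not ANY.RUN's own extractor: it uses the setting names that appear on this page as a dictionary, peels the longest matching name off each whitespace-separated token, coerces booleans and integers, and turns the result into concrete indicators (C2 host and port, mutex, expected Run-key values and file paths). The mapping from the three Install_* switches to specific registry keys is my assumption about Remcos, not something the report states. Note also that Install_flag is False in this config: the Run-key switches are set, but with the install routine disabled those values may never be written, and the registry table on this page records only a MuiCache write.

```python
import re
from typing import Any, Dict, List, Tuple

# Setting names exactly as they appear in the dump on this page.
REMCOS_KEYS = (
    "Hosts", "Botnet", "Connect_interval", "Install_flag",
    "Install_HKCU\\Run", "Install_HKLM\\Run", "Install_HKLM\\Explorer\\Run",
    "Setup_path", "Copy_file", "Startup_value", "Hide_file", "Mutex_name",
    "Keylog_flag", "Keylog_path", "Keylog_file", "Keylog_crypt", "Hide_keylog",
    "Screenshot_flag", "Screenshot_time", "Take_Screenshot", "Screenshot_path",
    "Screenshot_file", "Screenshot_crypt", "Mouse_option", "Delete_file",
    "Audio_record_time", "Audio_path", "Audio_dir", "Connect_delay",
    "Copy_dir", "Keylog_dir", "Max_keylog_file",
)
# Longest name first, so a name that is a prefix of another can never win by accident.
_KEYS = sorted(REMCOS_KEYS, key=len, reverse=True)

# The dump from this page, copied from "Hosts" onwards.
REMCOS_DUMP = (
    r"Hosts (1)kallitredabbacaza.com:2404 BotnetNEWSSPAM Connect_interval1 Install_flagFalse "
    r"Install_HKCU\RunTrue Install_HKLM\RunTrue Install_HKLM\Explorer\Run1 Setup_path%LOCALAPPDATA% "
    r"Copy_fileremcos.exe Startup_valueRemcos Hide_fileFalse Mutex_namety546n45vv6-ZQMTKE Keylog_flag0 "
    r"Keylog_path%LOCALAPPDATA% Keylog_filelogs.dat Keylog_cryptFalse Hide_keylogFalse Screenshot_flagFalse "
    r"Screenshot_time5 Take_ScreenshotFalse Screenshot_path%APPDATA% Screenshot_fileScreenshots "
    r"Screenshot_cryptFalse Mouse_optionFalse Delete_fileFalse Audio_record_time5 Audio_path%ProgramFiles% "
    r"Audio_dirMicRecords Connect_delay0 Copy_dirRemcos Keylog_dirremcos Max_keylog_file100000"
)

# Assumed Run-key locations behind the three Install_* switches (not stated in the report).
RUN_KEYS = {
    "Install_HKCU\\Run": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Install_HKLM\\Run": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Install_HKLM\\Explorer\\Run": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
}


def _coerce(raw: str) -> Any:
    if raw == "True":
        return True
    if raw == "False":
        return False
    return int(raw) if re.fullmatch(r"-?\d+", raw) else raw


def parse_remcos_dump(dump: str) -> Dict[str, Any]:
    """Split on whitespace and peel the longest known setting name off each token.
    Values must not contain whitespace; a value separated from its name by a space
    (as "Hosts" is here) is taken from the following token."""
    tokens = dump.split()
    cfg: Dict[str, Any] = {}
    i = 0
    while i < len(tokens):
        key = next((k for k in _KEYS if tokens[i].startswith(k)), None)
        if key is None:
            raise ValueError(f"unknown setting in token {tokens[i]!r}")
        value = tokens[i][len(key):]
        if value == "" and i + 1 < len(tokens):
            i += 1
            value = tokens[i]
        cfg[key] = _coerce(value)
        i += 1
    return cfg


def parse_hosts(raw: str) -> List[Tuple[str, int]]:
    """'(1)host:port' -> [(host, port)]; the leading (n) is the host count the sandbox prints."""
    raw = re.sub(r"^\(\d+\)", "", raw)
    hosts = []
    for entry in filter(None, re.split(r"[;,]", raw)):
        host, port = entry.split(":")[:2]
        hosts.append((host, int(port)))
    return hosts


def remcos_iocs(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Turn the parsed settings into hunting artefacts."""
    return {
        "c2": parse_hosts(cfg["Hosts"]),
        "botnet": cfg["Botnet"],
        "mutex": cfg["Mutex_name"],
        # Install_flag gates the install routine; with it False the Run values below are
        # configured but not necessarily ever written.
        "install_enabled": cfg["Install_flag"] is True,
        "registry_values": [f"{path}\\{cfg['Startup_value']}"
                            for flag, path in RUN_KEYS.items() if cfg.get(flag) in (True, 1)],
        "dropped_copy": f"{cfg['Setup_path']}\\{cfg['Copy_dir']}\\{cfg['Copy_file']}",
        "keylog_file": f"{cfg['Keylog_path']}\\{cfg['Keylog_dir']}\\{cfg['Keylog_file']}",
    }


if __name__ == "__main__":
    for k, v in remcos_iocs(parse_remcos_dump(REMCOS_DUMP)).items():
        print(f"{k:16} {v}")
```

Because the parser is driven by a fixed name list, an unknown setting raises instead of silently swallowing the rest of the dump; extend REMCOS_KEYS when a report shows a name that is not on this page. The mutex name and the host:port pair are the two values worth pushing to detection immediately, since they do not depend on whether the install routine ran.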
(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(2672) MerchantSticpayAgreements.pif.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | LanguageList | en-US |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2672 | MerchantSticpayAgreements.pif.exe | C:\Users\admin\AppData\Local\Temp\bb5de60 | — | — | — |
2672 | MerchantSticpayAgreements.pif.exe | C:\Users\admin\AppData\Roaming\36c011cd\Fruit.png | — | — | — |
3436 | cmd.exe | C:\Users\admin\AppData\Local\Temp\8ed38a07.png | — | — | — |
3436 | cmd.exe | C:\Users\admin\AppData\Local\Temp\9e1b0770.dll | — | — | — |
2672 | MerchantSticpayAgreements.pif.exe | C:\Users\admin\AppData\Roaming\36c011cd\vlc.exe | executable | 4CF6217603DAC78494D273BDD9A3DE84 | 1A403269242218A67E401C7E321BF466EF6B381BC7CB8A56EA77D504F7F81A44 |
2672 | MerchantSticpayAgreements.pif.exe | C:\Users\admin\AppData\Roaming\36c011cd\libvlccore.dll | executable | B37E9BADAF4F669960134B6BBDEFDABE | E7754D8E4C33B35B85D85554488069FE731190201FA9E42D1B53F38C843025A3 |
2672 | MerchantSticpayAgreements.pif.exe | C:\Users\admin\AppData\Roaming\36c011cd\tree.log | binary | A007C4F45ADBD258797CB86568FEEEE9 | B6B0CF04B0C17EEB394D03D64422DE0EA14BC046C86CD881ABA8C1187F388025 |
2672 | MerchantSticpayAgreements.pif.exe | C:\Users\admin\AppData\Roaming\36c011cd\libvlc.dll | executable | 08BA25A0598F94A2E9E52C7C7608F6F6 | 072D31910B2A1CD83341BB8270FD2EEBD8CA5A6E01FA0C6339E0867F59D2F29E |
2672 | MerchantSticpayAgreements.pif.exe | C:\Users\admin\AppData\Roaming\36c011cd\tree.mp4 | binary | 5B6C3A0797B578850CF380334E96B914 | 62F9501D1ECD2FE15B6330AA1A08964BE89CCB75106F3797D35D8908CFDC62D2 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2672 | MerchantSticpayAgreements.pif.exe | 146.75.116.193:443 | i.imgur.com | FASTLY | US | malicious |
Domain | IP | Reputation |
---|---|---|
i.imgur.com | 146.75.116.193 | shared |
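The process tree and file drops recorded above are a good test set for endpoint detection logic. The Python below is an added example (not part of the report) with the events re-typed as constructed records copied from the tables on this page. The heuristics are my own: a double extension such as .pif.exe, a VERSIONINFO OriginalFilename that does not match the file name on disk (TrueCrypt.exe versus MerchantSticpayAgreements.pif.exe), execution from a hex-named directory under AppData\Roaming, a media player spawning cmd.exe, and a process started from %TEMP% staging an EXE together with DLLs in that directory. Reading the vlc.exe plus libvlc.dll/libvlccore.dll drop as possible side-loading staging is an inference; the report records the writes and the process tree but draws no such conclusion.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str                   # full path as executed
    parent: str                  # parent image name
    original_filename: str = ""  # VERSIONINFO OriginalFilename, "" where the report gives none


@dataclass(frozen=True)
class FileWrite:
    pid: int
    path: str
    kind: str                    # the report's "Type" column: executable, binary or —


# Constructed from the process and file tables on this page.
PROCS = (
    Proc(2672, r"C:\Users\admin\AppData\Local\Temp\MerchantSticpayAgreements.pif.exe", "explorer.exe", "TrueCrypt.exe"),
    Proc(3336, r"C:\Users\admin\AppData\Roaming\36c011cd\vlc.exe", "svchost.exe"),
    Proc(3436, r"C:\Windows\System32\cmd.exe", "vlc.exe"),
    Proc(3808, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
)
FILES = (
    FileWrite(2672, r"C:\Users\admin\AppData\Roaming\36c011cd\vlc.exe", "executable"),
    FileWrite(2672, r"C:\Users\admin\AppData\Roaming\36c011cd\libvlccore.dll", "executable"),
    FileWrite(2672, r"C:\Users\admin\AppData\Roaming\36c011cd\libvlc.dll", "executable"),
    FileWrite(2672, r"C:\Users\admin\AppData\Roaming\36c011cd\Fruit.png", "—"),
    FileWrite(3436, r"C:\Users\admin\AppData\Local\Temp\9e1b0770.dll", "—"),
)

# Heuristic lists (assumed; tune per environment).
DECEPTIVE_INNER = {"pif", "scr", "com", "lnk", "pdf", "doc", "docx", "xls", "jpg", "png", "txt"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
NO_SHELL_PARENTS = {"vlc.exe"}   # applications that have no business launching a shell
HEX_DIR = re.compile(r"\\appdata\\roaming\\[0-9a-f]{6,}\\", re.I)   # e.g. \AppData\Roaming\36c011cd\
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def process_findings(p: Proc) -> List[str]:
    out = []
    name = _name(p.image)
    parts = name.split(".")
    # foo.pif.exe: the inner extension is there to fool the user, not the loader.
    if len(parts) >= 3 and parts[-1] == "exe" and parts[-2] in DECEPTIVE_INNER:
        out.append("double-extension executable")
    if name.endswith(".exe") and TEMP_DIR.search(p.image):
        out.append("executed from %TEMP%")
    # Version info says one name, the file on disk carries another.
    if p.original_filename and p.original_filename.lower() != name:
        out.append(f"OriginalFilename mismatch ({p.original_filename})")
    if HEX_DIR.search(p.image):
        out.append("runs from hex-named AppData\\Roaming directory")
    if name in SHELLS and p.parent.lower() in NO_SHELL_PARENTS:
        out.append(f"shell spawned by {p.parent}")
    return out


def staging_findings(procs=PROCS, files=FILES) -> List[str]:
    """A %TEMP% process writing executables into a hex-named AppData\\Roaming directory.
    On this page that is vlc.exe with libvlc.dll and libvlccore.dll beside it, a layout in
    which a modified DLL could ride on a legitimate player (side-loading: an inference,
    not something the report states)."""
    temp_pids = {p.pid for p in procs if TEMP_DIR.search(p.image)}
    staged: Dict[Tuple[int, str], List[str]] = {}
    for f in files:
        if f.pid in temp_pids and f.kind == "executable" and HEX_DIR.search(f.path):
            staged.setdefault((f.pid, f.path.rsplit("\\", 1)[0]), []).append(_name(f.path))
    return [f"pid {pid} staged {', '.join(names)} in {d}" for (pid, d), names in staged.items()]


def triage(procs=PROCS, files=FILES) -> Dict[str, List[str]]:
    report = {str(p.pid): process_findings(p) for p in procs}
    report["staging"] = staging_findings(procs, files)
    return report


if __name__ == "__main__":
    for k, v in triage().items():
        print(k, v)
```

Each rule fires on its own event, so the output is usable as individual alerts, but the value is in the chain: the first process trips three rules, the player it dropped runs from the staging directory, and that player's child is a shell. Correlating on the shared directory and parent PIDs is what turns these into one incident rather than four notifications.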