File name:	Merry X-Mas Loser.exe.bin
Full analysis:	https://app.any.run/tasks/f5780e3c-641a-418d-baab-c57877950d1a
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 26, 2024, 09:37:47
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	xor-url generic ransomware sality upx remcos stealer
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	B475A319C15D72933AA6DD84237EFF18
SHA1:	FF914F0BD3F4651D9EFF9E9CD2E2083CA0E82901
SHA256:	C98BE2DFD0ABDD8D86CDB34DBB13A9291DCB7ACDFA39BEC4CE2D9BDD1E61AFD8
SSDEEP:	12288:B9M7iXfHDc498T/j3SXPgXLGLDAwcEk9ZCnKpHWEbHTCIFT5E:B9eyfHDv9+/j3KgeAwchzCnKpHTbHTCB

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)


(PID) Process:	(6380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Merry X-Mas Loser.exe.bin.7z
(PID) Process:	(6380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6380) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(6912) Merry X-Mas Loser.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	Adobe
Value: C:\Users\admin\Desktop\Merry X-Mas Loser.exe

PID	Process	Filename		Type
5496	Merry X-Mas Loser.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5		binary
		MD5:341C4AFB643DDC4B9D0A7BF232F72EE7	SHA256:C6051C97159E93A82559152EE676D65EE8B5E6C4D724BB8121DF38D021665320
6912	Merry X-Mas Loser.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak		—
		MD5:—	SHA256:—
6912	Merry X-Mas Loser.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.RMCM1		—
		MD5:—	SHA256:—
6912	Merry X-Mas Loser.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak		—
		MD5:—	SHA256:—
6912	Merry X-Mas Loser.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.RMCM1		—
		MD5:—	SHA256:—
6912	Merry X-Mas Loser.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak		—
		MD5:—	SHA256:—
6912	Merry X-Mas Loser.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak.RMCM1		—
		MD5:—	SHA256:—
6912	Merry X-Mas Loser.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak		—
		MD5:—	SHA256:—
6912	Merry X-Mas Loser.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.RMCM1		—
		MD5:—	SHA256:—
5496	Merry X-Mas Loser.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_A9CA0AEFA6AD6F103983215499B0E822		binary
		MD5:81A4FB42333D97B8CC6E40FC4A74AE52	SHA256:039E79F34E1FAEEE81A78BD263E18A80439FAD8486A12C2A7CC95F421B94182D

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5496	Merry X-Mas Loser.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAk%2BmfTb2czLSkOOaHw6sVI%3D	unknown	—	—	whitelisted
5496	Merry X-Mas Loser.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D	unknown	—	—	whitelisted
5496	Merry X-Mas Loser.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D	unknown	—	—	whitelisted
5496	Merry X-Mas Loser.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA52Wedn092tD1Y5ldpOTKs%3D	unknown	—	—	whitelisted
—	—	GET	200	23.36.77.81:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	96.6.17.223:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	96.6.17.223:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6072	svchost.exe	GET	200	23.36.77.81:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6072	svchost.exe	GET	200	96.6.17.223:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	23.36.77.227:443	www.bing.com	Akamai International B.V.	NO	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4712	MoUsoCoreWorker.exe	23.36.77.81:80	crl.microsoft.com	Akamai International B.V.	NO	whitelisted
6072	svchost.exe	23.36.77.81:80	crl.microsoft.com	Akamai International B.V.	NO	whitelisted
—	—	23.36.77.81:80	crl.microsoft.com	Akamai International B.V.	NO	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	96.6.17.223:80	www.microsoft.com	AKAMAI-AS	NO	whitelisted
6072	svchost.exe	96.6.17.223:80	www.microsoft.com	AKAMAI-AS	NO	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.74.110	whitelisted
www.bing.com	23.36.77.227	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
crl.microsoft.com	23.36.77.81	whitelisted
www.microsoft.com	96.6.17.223	whitelisted
onion1.pw	—	unknown

General Info

Merry X-Mas Loser.exe.bin

B475A319C15D72933AA6DD84237EFF18

FF914F0BD3F4651D9EFF9E9CD2E2083CA0E82901

C98BE2DFD0ABDD8D86CDB34DBB13A9291DCB7ACDFA39BEC4CE2D9BDD1E61AFD8

12288:B9M7iXfHDc498T/j3SXPgXLGLDAwcEk9ZCnKpHWEbHTCIFT5E:B9eyfHDv9+/j3KgeAwchzCnKpHTbHTCB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Changes the autorun value in the registry

RANSOMWARE has been detected

XORed URL has been found (YARA)

UAC/LUA settings modification

SALITY mutex has been found

REMCOS has been detected (YARA)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Changes Security Center notification settings

SUSPICIOUS

Searches for installed software

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Application launched itself

Creates file in the systems drive root

Executable content was dropped or overwritten

Process drops legitimate windows executable

INFO

Executable content was dropped or overwritten

The process uses the downloaded file

Manual execution by a user

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

UPX packer has been detected

The sample compiled with english language support

Drops encrypted VBS script (Microsoft Script Encoder)

Reads CPU info

Create files in a temporary directory

Malware configuration

xor-url

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

xor-url

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings