File name: | AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe |
Full analysis: | https://app.any.run/tasks/b77eed7e-face-4948-a8c4-2b0d0d0c2a98 |
Verdict: | Malicious activity |
Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
Analysis date: | December 05, 2022, 20:22:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | C9D36E490B60B2E1964FD7311D8BB0BD |
SHA1: | EBD73E29F1FD1F2D0A5BFD0FA3AD1BFEB17A6F75 |
SHA256: | CCA6FBBBB4B240BD2D713677E01DC377FFFFB4A99DEDAB5EEA9813F9D855AF56 |
SSDEEP: | 12288:oHzdKZ26f6MgGse8hAvQHQ1aqM8Dg5SiaPeX:edKvgsaqM805SiaPe |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
---|---|---|
.exe | | | Win64 Executable (generic) (23.8) |
.dll | | | Win32 Dynamic Link Library (generic) (5.6) |
.exe | | | Win32 Executable (generic) (3.8) |
.exe | | | Generic Win/DOS Executable (1.7) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2022-Dec-05 14:11:32 |
Comments: | - |
CompanyName: | MagnaSolution |
FileDescription: | Leather Worker |
FileVersion: | 1.3.0.0 |
InternalName: | JIBE.exe |
LegalCopyright: | MagnaSolution 2022 |
LegalTrademarks: | - |
OriginalFilename: | JIBE.exe |
ProductName: | Leather Worker |
ProductVersion: | 1.3.0.0 |
Assembly Version: | 1.3.0.0 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2022-Dec-05 14:11:32 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 8192 | 566116 | 566272 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.76144 |
.rsrc | 581632 | 271872 | 271872 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.54892 |
.reloc | 860160 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.54323 | 270376 | Latin 1 / Western European | UNKNOWN | RT_ICON |
1 (#2) | 1.41904 | 20 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON |
1 (#3) | 3.3143 | 832 | Latin 1 / Western European | UNKNOWN | RT_VERSION |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1328 | "C:\Users\admin\AppData\Local\Temp\AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe" | C:\Users\admin\AppData\Local\Temp\AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe | Explorer.EXE | ||||||||||||
User: admin Company: MagnaSolution Integrity Level: MEDIUM Description: Leather Worker Exit code: 0 Version: 1.3.0.0 Modules
| |||||||||||||||
3528 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LaeCyBpJKSBFqo" /XML "C:\Users\admin\AppData\Local\Temp\tmp9069.tmp" | C:\Windows\System32\schtasks.exe | — | AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3904 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
Remcos(PID) Process(3904) RegSvcs.exe Max_keylog_file10000 Keylog_dirremcos Copy_dirRemcos Connect_delay0 Audio_dirMicRecords Audio_path%APPDATA% Audio_record_time5 Delete_fileFalse Mouse_optionFalse Screenshot_cryptFalse Screenshot_fileScreenshots Screenshot_path%APPDATA% Screenshot_namewikipedia;solitaire; Take_ScreenshotFalse Screenshot_time5 Screenshot_flagFalse Hide_keylogFalse Keylog_cryptFalse Keylog_filelogs.dat Keylog_path%APPDATA% Keylog_flag1 Mutex_nameRemcos-WLGLS0 Hide_fileFalse Startup_valueRemcos Copy_fileremcos.exe Setup_path%APPDATA% Install_HKCU\RunTrue Install_flagFalse Connect_interval1 BotnetBRASIL Hosts (1)brasil.con-ip.com:2001 |
(PID) Process: | (1328) AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (1328) AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (1328) AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (1328) AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (3904) RegSvcs.exe | Key: | HKEY_CURRENT_USER\Software\Remcos-WLGLS0 |
Operation: | write | Name: | exepath |
Value: B3BC0100CED9A35B0EB209D6F0C0BBDA44CF12924643B1690AD0CB2A285B67DA9A13F41C5EF73747C4E7E168288D484B1D39DD6AC74B06A9AE431D3B4FC65890B9F2DE7CD5035B7049A426CE6CAD28640A6261AC573DFF76258D99A027E872BDAE6AF35411EC949EA19F9107E84893D240924C3F | |||
(PID) Process: | (3904) RegSvcs.exe | Key: | HKEY_CURRENT_USER\Software\Remcos-WLGLS0 |
Operation: | write | Name: | licence |
Value: 4D8686C6E91369B6B3B3FD8BFC740299 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3904 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\remcos\logs.dat | binary | |
MD5:212899296B4A3F4F706F30A428889342 | SHA256:69A2A7BB5B344E00FF0D7D93E342301CAC85E582C4D89242B39F047B91128791 | |||
1328 | AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe | C:\Users\admin\AppData\Roaming\LaeCyBpJKSBFqo.exe | executable | |
MD5:C9D36E490B60B2E1964FD7311D8BB0BD | SHA256:CCA6FBBBB4B240BD2D713677E01DC377FFFFB4A99DEDAB5EEA9813F9D855AF56 | |||
1328 | AUDIENCIAPRELIMINARES20221205 AUDIENCIAPRELIMINARES20221206.exe | C:\Users\admin\AppData\Local\Temp\tmp9069.tmp | xml | |
MD5:398D4F044ADD842408FC683F6FE36A4F | SHA256:94BFF2A167B975CF3F6959E87FF9DB5C2855BF9A988AC451B128697874EFEBDB |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3904 | RegSvcs.exe | 179.13.0.69:2001 | brasil.con-ip.com | Colombia Movil | CO | malicious |
Domain | IP | Reputation |
---|---|---|
brasil.con-ip.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Redirection Service Domain in DNS Lookup (con-ip .com) |
3904 | RegSvcs.exe | A Network Trojan was detected | AV TROJAN Win32/Remcos RAT Checkin - pass |