Remcos | 42638e51cd3e

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b.exe

Sample File

Binary

Also Known As	C:\Users\RDhJ0CNFevzX\AppData\Roaming\ohnfNTVBamkg.exe (Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	687.00 KB
MD5	f8b7ccfaa25ad7547501496c248c178e
SHA1	aae29f7ef62d5329c27c2040ed573d0ddc9a522e
SHA256	42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b
SSDeep	12288:2u82iNDXR0NSqCGCHw1jZIvNds4mcGrONHhbP7r9r/+ppppppppppppppppppppZ:E1rvqCGCQJZIvoYGoHhb1qH
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

PE Information

Image Base	0x00400000
Entry Point	0x00477A92
Size Of Code	0x00075C00
Size Of Initialized Data	0x00035E00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2022-07-26 02:47 (UTC+2)

Version Information (11)

Comments
CompanyName	Microsoft Corporation
FileDescription	Investor Tracker
FileVersion	1.0.0.0
InternalName	iZpEr.exe
LegalCopyright	Copyright © 2020
LegalTrademarks
OriginalFilename	iZpEr.exe
ProductName	Investor Tracker
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x00075A98	0x00075C00	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.65
.rsrc	0x00478000	0x00035B68	0x00035C00	0x00075E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.52
.reloc	0x004AE000	0x0000000C	0x00000200	0x000ABA00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x00077A68	0x00075C68	0x00000000

Memory Dumps (64)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b.exe	1	0x00400000	0x004AFFFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04910000	0x04914FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x0A170000	0x0A188FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07A20000	0x07A87FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b.exe	1	0x00400000	0x004AFFFF	Final Dump	32-bit	-	... Actions Go to Process Download Dump
buffer	5	0x00400000	0x00416FFF	First Execution	32-bit	0x0040FD88	... Actions Go to Process Go to YARA Match Download Dump
42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b.exe	1	0x00400000	0x004AFFFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x004012FB	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x004020E1	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x00403507	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x00408150	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x00404077	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x0240F000	0x0240FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	5	0x0230F000	0x0230FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	5	0x0210F000	0x0210FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	5	0x0019D000	0x0019FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	5	0x00400000	0x00416FFF	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x02202910	0x022029B8	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x0040A000	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x004040CD	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x00403507	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x0040B604	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x00403A9A	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x0040FC1A	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x0040285A	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x00403B02	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x0040E898	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x0040A71E	... Actions Go to Process Go to YARA Match Download Dump
buffer	5	0x00400000	0x00416FFF	Content Changed	32-bit	0x0040B604	... Actions Go to Process Go to YARA Match Download Dump

8af9de3fab56ffd68d2aef25cbd3f04bc37fb7ccdf030afafecbd7432a69a5f0

Code Dump File

Stream

MIME Type	application/octet-stream
File Size	20.00 KB
MD5	527be05e40065fc92d1f0728c65597a4
SHA1	a7836d88c0aef7598befea45b2b5a61812fb7833
SHA256	8af9de3fab56ffd68d2aef25cbd3f04bc37fb7ccdf030afafecbd7432a69a5f0
SSDeep	384:p2NCC1nNJxh/6RHnqd3xtXZGwYD56Xr/TlqK19z2fj0IcPmh:cNN/WQh9ZGTV6DJP19z2fjwPmh
ImpHash	-

C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmp1326.tmp

Dropped File

Text

MIME Type	text/xml
File Size	1.61 KB
MD5	e748cf8dce51774a8e2270099a433d8c
SHA1	3e5a4c8768b8f8d314637a31f8c13dfb056084cf
SHA256	71b22b787508686ad7b11a8d5beb3912827b9eaed08ea3f78c58500525514a52
SSDeep	24:2dH4+SEqC9Y7JlNMFV/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBhNtn:cbh27JlNQV/rydbz9I3YODOLNdq3z
ImpHash	-

C:\Users\RDhJ0CNFevzX\AppData\Roaming\vbmcdsb\logs.dat

Dropped File

Text

MIME Type	text/plain
File Size	261 Bytes
MD5	140c48c4c7efc6d1474133f79b5b5c87
SHA1	d985b61efd30e3e31492ed3db19ae9627d00a7e2
SHA256	ea168190d591bb0e66a6b0dabdf741f056a3c42f3837e1410c80e7afa96e04d9
SSDeep	6:q//oo8eBHjdN84Z0S30ZkgFVsGXk/ooqGXk/ooqGXk/ooy:k/oo1DL84WSIVBXk/oovXk/oovXk/ooy
ImpHash	-

28b90965d78cbc8579bf8678d31d9d6b3886ec11e34030ad978e137f0696d263

Extracted File

Image

Parent File	C:\Users\RDhJ0CNFevzX\AppData\Roaming\ohnfNTVBamkg.exe
MIME Type	image/png
File Size	13.47 KB
MD5	846a77216562e12267837f95a0ad51c7
SHA1	aace704fe706de969308c46dad4841cfd582cc5d
SHA256	28b90965d78cbc8579bf8678d31d9d6b3886ec11e34030ad978e137f0696d263
SSDeep	384:5W7lHyLgoHSbieaUBCxC5DN+Zv37K/VwceWiNtJkUHJgbc:UMLgoHS1ahKk37K4t6Rc
ImpHash	-

Remarks (1/1)

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information