Malicious
Classifications
Backdoor
Threat Names
Remcos
Dynamic Analysis Report
Created on 2022-08-05T14:22:32+00:00
f384a96582763be490ea4eeed6d3f10291d7df964f64db077b4d10697149a7da.exe
Windows Exe (x86-32)
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
Filters: |
There are no files for this filter
There are no files in this analysis
File Name | Category | Type | Verdict | Actions |
---|
C:\Users\RDhJ0CNFevzX\Desktop\f384a96582763be490ea4eeed6d3f10291d7df964f64db077b4d10697149a7da.exe | Sample File | Binary |
Malicious
|
...
|
»
File Reputation Information
»
Verdict |
Malicious
|
PE Information
»
Image Base | 0x00400000 |
Entry Point | 0x004E7E6E |
Size Of Code | 0x000E6000 |
Size Of Initialized Data | 0x00001E00 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-07-26 22:00 (UTC+2) |
Version Information (11)
»
Comments | |
CompanyName | |
FileDescription | LoLNotes |
FileVersion | 1.1 |
InternalName | ChannelServicesD.exe |
LegalCopyright | Copyright © high828 2011 |
LegalTrademarks | |
OriginalFilename | ChannelServicesD.exe |
ProductName | LoLNotes |
ProductVersion | 1.1 |
Assembly Version | 1.1.0.0 |
Sections (3)
»
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x000E5E74 | 0x000E6000 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.37 |
.rsrc | 0x004E8000 | 0x00001A90 | 0x00001C00 | 0x000E6200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.56 |
.reloc | 0x004EA000 | 0x0000000C | 0x00000200 | 0x000E7E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
»
mscoree.dll (1)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x000E7E3C | 0x000E603C | 0x00000000 |
Memory Dumps (17)
»
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
---|---|---|---|---|---|---|---|---|---|
f384a96582763be490ea4eeed6d3f10291d7df964f64db077b4d10697149a7da.exe | 1 | 0x00400000 | 0x004EBFFF | Relevant Image | 32-bit | - |
...
|
||
buffer | 1 | 0x07DB0000 | 0x07DBEFFF | Reflectively Loaded .NET Assembly | 32-bit | - |
...
|
||
buffer | 1 | 0x005B0000 | 0x005B2FFF | Reflectively Loaded .NET Assembly | 32-bit | - |
...
|
||
buffer | 1 | 0x04230000 | 0x04295FFF | Reflectively Loaded .NET Assembly | 32-bit | - |
...
|
||
buffer | 1 | 0x005B0000 | 0x005B2FFF | Reflectively Loaded .NET Assembly | 32-bit | - |
...
|
||
buffer | 1 | 0x07C30000 | 0x07C4BFFF | Reflectively Loaded .NET Assembly | 32-bit | - |
...
|
||
buffer | 2 | 0x00400000 | 0x00416FFF | First Execution | 32-bit | 0x0040FD88 |
...
|
||
f384a96582763be490ea4eeed6d3f10291d7df964f64db077b4d10697149a7da.exe | 1 | 0x00400000 | 0x004EBFFF | Process Termination | 32-bit | - |
...
|
||
buffer | 2 | 0x00400000 | 0x00416FFF | Content Changed | 32-bit | 0x004012FB |
...
|
||
buffer | 2 | 0x00400000 | 0x00416FFF | Content Changed | 32-bit | 0x004020E1 |
...
|
||
buffer | 2 | 0x00400000 | 0x00416FFF | Content Changed | 32-bit | 0x00403507 |
...
|
||
buffer | 2 | 0x00400000 | 0x00416FFF | Content Changed | 32-bit | 0x00408150 |
...
|
||
buffer | 2 | 0x00400000 | 0x00416FFF | Final Dump | 32-bit | 0x00406962 |
...
|
||
buffer | 2 | 0x00400000 | 0x00416FFF | Content Changed | 32-bit | 0x00403626 |
...
|
||
buffer | 2 | 0x00400000 | 0x00416FFF | Process Termination | 32-bit | - |
...
|
||
remcos.exe | 7 | 0x00400000 | 0x004EBFFF | Relevant Image | 32-bit | - |
...
|
||
remcos.exe | 7 | 0x00400000 | 0x004EBFFF | Final Dump | 32-bit | - |
...
|
8af9de3fab56ffd68d2aef25cbd3f04bc37fb7ccdf030afafecbd7432a69a5f0 | Code Dump File | Stream |
Malicious
|
...
|
»
C:\Users\RDHJ0C~1\AppData\Local\Temp\install.bat | Dropped File | Text |
Clean
|
...
|
»