Remcos | f384a9658276

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\f384a96582763be490ea4eeed6d3f10291d7df964f64db077b4d10697149a7da.exe

Sample File

Binary

Also Known As	C:\Users\RDhJ0CNFevzX\remcos\remcos.exe (Dropped File, Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	928.00 KB
MD5	de9784a4f56eaf8affc96754a15a5cd3
SHA1	35c361a8bfdb894e80fe99728e60ad7d08745af1
SHA256	f384a96582763be490ea4eeed6d3f10291d7df964f64db077b4d10697149a7da
SSDeep	12288:4Rb0kj3oTB2b2UVFdPBGjIKHfrLPVPf1cLlq+R3rU8weZd+ydGRuwJGdaTuM18N5:4RA0siGjIKHf/NH1eFR7U8wWkTRk
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

File Reputation Information

Verdict

Malicious

PE Information

Image Base	0x00400000
Entry Point	0x004E7E6E
Size Of Code	0x000E6000
Size Of Initialized Data	0x00001E00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2022-07-26 22:00 (UTC+2)

Version Information (11)

Comments
CompanyName
FileDescription	LoLNotes
FileVersion	1.1
InternalName	ChannelServicesD.exe
LegalCopyright	Copyright © high828 2011
LegalTrademarks
OriginalFilename	ChannelServicesD.exe
ProductName	LoLNotes
ProductVersion	1.1
Assembly Version	1.1.0.0

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x000E5E74	0x000E6000	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.37
.rsrc	0x004E8000	0x00001A90	0x00001C00	0x000E6200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.56
.reloc	0x004EA000	0x0000000C	0x00000200	0x000E7E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x000E7E3C	0x000E603C	0x00000000

Memory Dumps (17)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
f384a96582763be490ea4eeed6d3f10291d7df964f64db077b4d10697149a7da.exe	1	0x00400000	0x004EBFFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07DB0000	0x07DBEFFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x005B0000	0x005B2FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04230000	0x04295FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x005B0000	0x005B2FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x07C30000	0x07C4BFFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00400000	0x00416FFF	First Execution	32-bit	0x0040FD88	... Actions Go to Process Go to YARA Match Download Dump
f384a96582763be490ea4eeed6d3f10291d7df964f64db077b4d10697149a7da.exe	1	0x00400000	0x004EBFFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00400000	0x00416FFF	Content Changed	32-bit	0x004012FB	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x00400000	0x00416FFF	Content Changed	32-bit	0x004020E1	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x00400000	0x00416FFF	Content Changed	32-bit	0x00403507	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x00400000	0x00416FFF	Content Changed	32-bit	0x00408150	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x00400000	0x00416FFF	Final Dump	32-bit	0x00406962	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x00400000	0x00416FFF	Content Changed	32-bit	0x00403626	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x00400000	0x00416FFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
remcos.exe	7	0x00400000	0x004EBFFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
remcos.exe	7	0x00400000	0x004EBFFF	Final Dump	32-bit	-	... Actions Go to Process Download Dump

8af9de3fab56ffd68d2aef25cbd3f04bc37fb7ccdf030afafecbd7432a69a5f0

Code Dump File

Stream

MIME Type	application/octet-stream
File Size	20.00 KB
MD5	527be05e40065fc92d1f0728c65597a4
SHA1	a7836d88c0aef7598befea45b2b5a61812fb7833
SHA256	8af9de3fab56ffd68d2aef25cbd3f04bc37fb7ccdf030afafecbd7432a69a5f0
SSDeep	384:p2NCC1nNJxh/6RHnqd3xtXZGwYD56Xr/TlqK19z2fj0IcPmh:cNN/WQh9ZGTV6DJP19z2fjwPmh
ImpHash	-

C:\Users\RDHJ0C~1\AppData\Local\Temp\install.bat

Dropped File

Text

MIME Type	text/plain
File Size	90 Bytes
MD5	5fe811d3c6b160eb537421d709212c20
SHA1	bbe32b5191efe83c58f74bc60153667b4477f01b
SHA256	7facb45b7dd680d9dd92572885114d1c21e26653a9b3db8d512b916fa40afaf7
SSDeep	3:cQxCvfn9m1Oc9J0K+QHovBkwbM2n:cQ2fE1Oc9Jz+SovKwo2n
ImpHash	-

Remarks (1/1)

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information