File Name Category Type Verdict Actions
C:\Users\kEecfMwgj\Desktop\3c981da1aae9809f83d2516ead1df45fc27403bad738f8424c61bc97e0037cff.doc Sample File Word Document
Malicious
MIME Type application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Size 16.04 KB
MD5 9386e40d3ca054a475b7a7985b389952
SHA1 af25471124ecff96979d505561cb695460971ce8
SHA256 3c981da1aae9809f83d2516ead1df45fc27403bad738f8424c61bc97e0037cff
SSDeep 384:2yXYipcW2s8PL8wi4OEwH8TIbE91r2fROJY9viJSwpskX:2cYNd5P3DOqnYJoUvESwp1
ImpHash -
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
Office Information
Creator Modexcomm
Last Modified By Modexcomm
Revision 7
Create Time 2023-03-27 22:13 (UTC)
Modify Time 2023-08-16 13:25 (UTC)
Application Microsoft Office Word
App Version 12.0000
Template Normal.dotm
Document Security NONE
Editing Time 19.0
Page Count 7
Line Count 150
Paragraph Count 42
Word Count 3177
Character Count 18113
Chars With Spaces 21248
ScaleCrop False
SharedDoc False
Document Content Snippet
dMBCBESONDERHEDE BESONDERHEDE VIR HIERDIE MAANDDRAENDE NR. HOEV30208 NBC DRAAG 30 STK30308 NBC DRAAG 6 STK32007X NBC DRAAG 74 STK33005 NBC wat 5 stelle dra52799 / 800U (25877/21) NBC wat 30 PCS dra6001 NBC wat 100 stuks dra6004 NBC wat 180 stuks dra6006 NBC wat 30 PCS dra6011 C3 NBC wat 10 stuks dra6202 NBC wat 280 stuks dra6203 NBC DRAAG 330 STK6205 (Stel) NBC DRAER 224 STK6205ZZ NBC DRAAG 8 STELS6207 NBC DRAER 32 STK6207N NBC wat 10 stuks dra6207ZZ NBC DRAER 52 STK6209 NBC wat 24 stuks dra6209N NBC wat 10 stuks dra6211 NBC met 26 st6212 NBC met 24 st6213 C3 NBC wat 20 stuks dra6215 C3 NBC wat 10 stuks dra628RSS NBC wat 120 stuks dra6300 NBC wat 180 stuks dra6304 (Kit) NBC DRAER 4 STK6307ZZ NBC wat 10 stuks dra6308 C3 NBC DRAAG 40 STK6308ZZ NBC wat 10 stuks dra6311 NBC wat 10 stuks dra6312 NBC wat 10 stuks dra6312ZZ C3 NBC DRAER 6 STK6902 C3 NBC wat 20 stuks draLM48548 / 510 NBC DRAER 96 STKNJ309 NBC DRAER 6 STK1988/1922 (NSPP01) .NC 706304.BEARING SET (NPP02) 11230209 (NSPP01) .NC 20
Extracted URLs (1)
URL WHOIS Data Reputation Status Recursively Submitted Actions
Malicious
C:\Users\kEecfMwgj\AppData\Roaming\AVqaIhslOeUA.exe Downloaded File Binary
Malicious
Also Known As C:\Users\kEecfMwgj\AppData\Roaming\blessed54321.scr (Accessed File, Downloaded File)
c:\users\keecfmwgj\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\blese[1].scr (Downloaded File, Extracted File)
MIME Type application/vnd.microsoft.portable-executable
File Size 0.97 MB
MD5 68b9a7476144a823820bf26789e52531
SHA1 d576a1de2e611dcd676d7e290160f5db2344d141
SHA256 4f7beadf99113432835f0ae286cc3ad01efc6d2745f5957236fd3965da055053
SSDeep 24576:THBS1wfC2QK4YYL1/w/Z0qFtIOit7OmH3hq0JWZk7mw:THY1yCggx4kthqwWZkx
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
PE Information
Image Base 0x00400000
Entry Point 0x004EFC62
Size Of Code 0x000EE000
Size Of Initialized Data 0x00008800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2024-06-21 07:52 (UTC)
Version Information (11)
Comments Microsoft iSCSI Initiator Configuration Tool
CompanyName Microsoft Corporation
FileDescription iscsicpl
FileVersion 99.99.99.99
InternalName bbSG.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
LegalTrademarks Microsoft iSCSI Initiator Configuration Tool
OriginalFilename bbSG.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 99.99.99.99
Assembly Version 99.99.99.99
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x000EDC68 0x000EE000 0x00000800 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.93
.rsrc 0x004F0000 0x00007E74 0x00008000 0x000EE800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.49
.reloc 0x004F8000 0x0000000C 0x00000800 0x000F6800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.03
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x000EFC38 0x000EE438 0x00000000
Digital Signature Information
Verification Status Failed
Certificate: Simon Tatham
Issued by Simon Tatham
Parent Certificate COMODO RSA Code Signing CA
Country Name GB
Valid From 2018-11-13 00:00 (UTC)
Valid Until 2021-11-08 23:59 (UTC)
Algorithm sha256_rsa
Serial Number 7C 11 18 CB BA DC 95 DA 37 52 C4 6E 47 A2 74 38
Thumbprint 5B 9E 27 3C F1 19 41 FD 8C 6B E3 F0 38 C4 79 7B BE 88 42 68
Certificate: COMODO RSA Code Signing CA
Issued by COMODO RSA Code Signing CA
Parent Certificate COMODO RSA Certification Authority
Country Name GB
Valid From 2013-05-09 00:00 (UTC)
Valid Until 2028-05-08 23:59 (UTC)
Algorithm sha384_rsa
Serial Number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
Thumbprint B6 9E 75 2B BE 88 B4 45 82 00 A7 C0 F4 F5 B3 CC E6 F3 5B 47
Certificate: COMODO RSA Certification Authority
Issued by COMODO RSA Certification Authority
Country Name GB
Valid From 2010-01-19 00:00 (UTC)
Valid Until 2038-01-18 23:59 (UTC)
Algorithm sha384_rsa
Serial Number 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
Thumbprint AF E5 D2 44 A8 D1 19 42 30 FF 47 9F E2 F8 97 BB CD 7A 8C B4
Memory Dumps (94)
c:\users\keecfmwgj\appdata\local\gdipfontcachev1.dat Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 108.52 KB
MD5 3f36ee857f1362dbb4d1c2c418805838
SHA1 13ff3205691b91edb9aa3b5e5d5e65a0cd1b1e55
SHA256 66810ca6f48e8669b5b0924267205104a3e04e40a347ad9b629c687531b56aab
SSDeep 768:ZU3VHXvjI3HgTl5u9TRX7Sww+VOMfHBBpWkJJ4iKAEIa0pWDiAl4eBXoov4:mXvs3HgTl5uhOMfckJJ4iKAGCAtZv
ImpHash -
c:\users\keecfmwgj\appdata\local\gdipfontcachev1.dat Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 8.03 KB
MD5 72fb647b2d0483e680783b144fe9cc8a
SHA1 a91a706ae2b1d6070e2d68c42dfa487baa906731
SHA256 2be64981c880589971a44f69e41bd016120f06a6475e3ba3aed629edeaecc8a9
SSDeep 3:5tmlNlv08s:5tmi8s
ImpHash -
C:\Users\kEecfMwgj\AppData\Local\Temp\tmp8BA1.tmp Dropped File Text
Clean
MIME Type text/xml
File Size 1.56 KB
MD5 5948038d60caacfb498e74e0a31e36f4
SHA1 1de6b6ad394134c61db682585be5040b76b9f99b
SHA256 0ad8bb70d5ba997c245794a789be6b274afd2285c7c2184d0eeda4c3bec25017
SSDeep 48:cgeD1N14YrFdOFzOzN33ODOiDdKrsuT1v:HeD1gYrFdOFzOz6dKrsux
ImpHash -
C:\ProgramData\remcos\logs.dat Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 742 Bytes
MD5 b75f2703c2cebbce99fc7633b3e09232
SHA1 a4fcb6d3126718487074d0593505d22ab15559de
SHA256 7709aacb5b1d54f10d07ce01a4a2fc28b7e04905350da581afdb0027a9d64dba
SSDeep 12:6l68v1ec+WZtzsmxYZv666AWY7eSJAZpqegn:6/QcxZtzsmxEwY7eSJcc
ImpHash -
241b8f2741464cca021c482bc709267a4bc838238254f480da2b67de82a633de Downloaded File RTF
Clean
MIME Type text/rtf
File Size 429.13 KB
MD5 2b9e9e8f1504705fe9a46d331289b258
SHA1 1a39a656bc4364104b68e61d336cbd496ede0e52
SHA256 241b8f2741464cca021c482bc709267a4bc838238254f480da2b67de82a633de
SSDeep 6144:OwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAGa5GSFv:QY
ImpHash -
Static Analysis Parser Error invalid control word value pattern
Office Information
Document Content Snippet
Sc66RPjWcsXdnvw6fmHgVvBG7C9B5FMjA6lr16OG82zb5Wj2ydSz2ppAl44pyDeGHdVcsACqOCf393xvcfIY5USRcaJjK0imiVTsROnIJdmXOIGoXBxu1ih4a03PYPBIL0rC7XqendRZE3JjcTbZHFD8ZeRQ4Dir5No5IP0ukTpg26kilmN4FsfdTlcHHBzVrwS5Plv95R5QFCFmtPRxKPibCekXa7dGZyyjpPGMgoNJF9Sytexkxb14fZzhPnJ96jWYz6gbUr85995073please click Enable editing from the yellow bar above.The independent auditors’ opinion says the financial statements are fairly stated in accordance with the basis of accounting used by your organization. So why are the auditors giving you that other letter In an audit of financial statements, professional standards require that auditors obtain an understanding of internal controls to the extent necessary to plan the audit. Auditors use this understanding of internal controls to assess the risk of material misstatement of the financial statements and to design appropriate audit procedures to minimize that risk.The definition of good internal controls is that they allow errors and other misstatements to be prevented 