Windows
Analysis Report
Over Prime.exe
Overview
General Information
Detection
GuLoader, Remcos
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Installs a global keyboard hook
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality for read data from the clipboard
Classification
- System is w10x64native
- Over Prime.exe (PID: 8260 cmdline: "C:\Users\user\Desktop\Over Prime.exe" MD5: 96F33F92C952C6D74C07974F375F81EE)
- Over Prime.exe (PID: 396 cmdline: "C:\Users\user\Desktop\Over Prime.exe" MD5: 96F33F92C952C6D74C07974F375F81EE)
- wscript.exe (PID: 4848 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" MD5: 4D780D8F77047EE1C65F747D9F63A1FE)
- cmd.exe (PID: 1660 cmdline: C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\wqs.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- wqs.exe (PID: 1752 cmdline: C:\Users\user\AppData\Roaming\wqs.exe MD5: 96F33F92C952C6D74C07974F375F81EE)
- WerFault.exe (PID: 9084 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1028 MD5: 40A149513D721F096DDF50C04DA2F01F)
- wqs.exe (PID: 4356 cmdline: "C:\Users\user\AppData\Roaming\wqs.exe" MD5: 96F33F92C952C6D74C07974F375F81EE)
- wqs.exe (PID: 2540 cmdline: "C:\Users\user\AppData\Roaming\wqs.exe" MD5: 96F33F92C952C6D74C07974F375F81EE)
- cleanup
{"Payload URL": "https://drive.google.com/uc?export=download&id=1rTDvne0SIi78eB9wV1iwwAGXz7RS5mjx"}
{"Host:Port:Password": "entralent200.sytes.net:2321:1", "Assigned name": "Entralent_user 3", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "wqs.exe", "Startup value": "ws", "Hide file": "Enable", "Mutex": "Remcos-G5O10D", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "", "Keylog folder": "", "Keylog file max size": "0"}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | SUSP_WER_Suspicious_Crash_Directory | Detects a crashed application executed in a suspicious directory | Florian Roth | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
No Sigma rule has matched
No Snort rule has matched
AV Detection
- Source: Malware Configuration Extractor (2 entries)
- Source: Virustotal (Perma Link)
- Source: ReversingLabs
- Source: File source (4 entries)
- Source: Avira
- Source: ReversingLabs
- Source: Static PE information
- Source: HTTPS traffic detected (4 entries)
- Source: Static PE information
- Source: Binary string (2 entries)
- Source: Code function: 0_2_00405C49, 0_2_00406873, 0_2_0040290B, 11_2_00405C49, 11_2_00406873, 11_2_0040290B, 20_2_00405C49, 20_2_00406873, 20_2_0040290B

Networking
- Source: URLs (2 entries)
- Source: ASN Name
- Source: JA3 fingerprint
- Source: HTTP traffic detected (6 entries)
- Source: TCP traffic
- Source: Network traffic detected (12 entries)
- Source: HTTP traffic detected