ID: 280239 Sample Name: rclone.exe Cookbook: default.jbs Time: 17:01:58 Date: 31/08/2020 Version: 29.0.0 Ocean Jasper

Table of Contents

Table of Contents ... 2
Analysis Report rclone.exe ... 4
  Overview ... 4
    General Information ... 4
    Detection ... 4
    Signatures ... 4
    Classification ... 4
  Startup ... 5
  Malware Configuration ... 5
  Yara Overview ... 5
  Sigma Overview ... 5
  Signature Overview ... 6
  Mitre Att&ck Matrix ... 6
  Behavior Graph ... 6
  Screenshots ... 7
    Thumbnails ... 7
  Antivirus, Machine Learning and Genetic Malware Detection ... 8
    Initial Sample ... 8
    Dropped Files ... 8
    Unpacked PE Files ... 8
    Domains ... 8
    URLs ... 8
  Domains and IPs ... 9
    Contacted Domains ... 9
    URLs from Memory and Binaries ... 9
    Contacted IPs ... 12
  General Information ... 12
  Simulations ... 13
    Behavior and APIs ... 13
  Joe Sandbox View / Context ... 13
    IPs ... 13
    Domains ... 13
    ASN ... 13
    JA3 Fingerprints ... 13
    Dropped Files ... 13
  Created / dropped Files ... 13
  Static File Info ... 13
    General ... 13
    File Icon ... 14
  Static PE Info ... 14
    General ... 14
    Entrypoint Preview ... 14
    Data Directories ... 15
    Sections ... 16
    Imports ... 17
  Network Behavior ... 18
  Code Manipulations ... 18
  Statistics ... 18
  Behavior ... 18
  System Behavior ... 18
    Analysis Process: rclone.exe PID: 6480 Parent PID: 5876 ... 18
      General ... 18
      File Activities ... 19
        File Created ... 19
    Analysis Process: conhost.exe PID: 6916 Parent PID: 6480 ... 19
      General ... 19
  Disassembly ... 19
    Code Analysis ... 19

Copyright null 2020 Page 2 of 19

Analysis Report rclone.exe

Overview

General Information

Sample Name: rclone.exe
Analysis ID: 280239
MD5: 2a17c6da652cffd…
SHA1: 2dd2b0caf193a21…
SHA256: efbc7ccee3c7641…
Most interesting Screenshot:

Detection

Score: 2 (Range: 0 - 100)
Whitelisted: false
Confidence: 80%

Signatures

PE file contains an invalid checksum
PE file contains sections with non-…
Sample execution stops while proce…
Sample file is different than original …
Uses code obfuscation techniques (

Classification

Classification chart (figure not reproduced). Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Levels: malicious, suspicious, clean.

Startup

System is w10x64
rclone.exe (PID: 6480, cmdline: 'C:\Users\user\Desktop\rclone.exe', MD5: 2A17C6DA652CFFDF8E127FBFF8A2DBA4)
  conhost.exe (PID: 6916, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Detection


There are no malicious signatures.

Mitre Att&ck Matrix

One line per tactic column; the three entries in each column are the matrix rows, and a trailing number marks how many signatures matched that technique.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Command and Scripting Interpreter 2; Scheduled Task/Job; At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery 1; Process Discovery 1; System Information Discovery 2
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Data Obfuscation; Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Behavior graph (figure not reproduced). Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.

Graph summary: ID: 280239; Sample: rclone.exe; Startdate: 31/08/2020; Architecture: WINDOWS; Score: 2. rclone.exe started conhost.exe.

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Label | Link
rclone.exe | 0% | Virustotal | Browse
rclone.exe | 2% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
127.0.0.1:53682/auth?state=https://api.hubic.com/oauth/token/https://oauth.yandex.com/authori | 0% | Avira URL Cloud | safe |
https://api%s/1/oauth2/tokenhttps://upload.put.io/files/https://www.amazon.com/ap/oaiam.us-iso-east- | 0% | Avira URL Cloud | safe |
ftp://.usr.uvu--AZ | 0% | Avira URL Cloud | safe |
nextcloud.org/ns | 0% | Virustotal | | Browse
nextcloud.org/ns | 0% | Avira URL Cloud | safe |
https://meta.dropboxapi.com | 0% | Avira URL Cloud | safe |
https://api.dropboxapi.com/1/oauth2/token | 0% | Virustotal | | Browse
https://api.dropboxapi.com/1/oauth2/token | 0% | Avira URL Cloud | safe |
https://meta.dropboxapi.com/1/oauth2/authorize | 0% | Avira URL Cloud | safe |
https://restic.net/) | 0% | Avira URL Cloud | safe |
www.secfs.net/winfsp/). | 0% | Avira URL Cloud | safe |
169.254.170.2if/with | 0% | Avira URL Cloud | safe |
https://app.koofr.nethttps://cloud.mail.ruhttps://upload.put.ioifMetagenerationMatchin | 0% | Avira URL Cloud | safe |
https://%s.%sif-none-matchignore-errorsimage/svg | 0% | Avira URL Cloud | safe |
https://meta.dropboxapi.com/1/oauth2/authorizehttps://api.dropboxapi.com/1/oauth2/tokenfRS5vVLr2v6Fb | 0% | Avira URL Cloud | safe |
https://qingstor.com:443 | 4% | Virustotal | | Browse
https://qingstor.com:443 | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries


Contacted IPs

No contacted IP info

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 280239
Start date: 31.08.2020
Start time: 17:01:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: rclone.exe
Cookbook file name: default.jbs
Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winEXE@2/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
  Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  Execution Graph export aborted for target rclone.exe, PID 6480 because there are no executed functions
  Report size getting too big, too many NtEnumerateKey calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 5.895742706925864
TrID:
  Win64 Executable (generic) (12005/4) 74.95%
  Generic Win/DOS Executable (2004/3) 12.51%
  DOS Executable Generic (2002/1) 12.50%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: rclone.exe
File size: 39116288
MD5: 2a17c6da652cffdf8e127fbff8a2dba4
SHA1: 2dd2b0caf193a21bd5588985a8c5e8a3a40c4790
SHA256: efbc7ccee3c764157c2cd7121d49047c597f45f7e6b9de0f824c087bc07f00d7
SHA512: c3998d1698c4a43b1ad3bb0f2b86e05067569cd5ca70f51151d2a402d4b9f76e275de03972ad747181e319734b7f92c8aa932c65228951cb4660f181be120d7d
SSDEEP: 196608:C35owyikge8imKy54WoOFOTpz5CcmoctkGY9F9/5PVsk9GUs0SbilxOhnvcNuApR:gNIRI45ZFsX28Z
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..d...d d._...... /...... n....T...... @...... Z...... U......

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4014e0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: LOCAL_SYMS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x5F2E6464 [Sat Aug 8 08:37:56 2020 UTC]
TLS Callbacks: 0x14966f0
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: f92b8a691e76b8843c69dd59c9dac4dc

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0254BD65h]
mov dword ptr [eax], 00000000h
call 00007FB535A6E92Fh
call 00007FB5349D95CAh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax+00h]
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 28h
call 00007FB535A6FF2Ch
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]

jmp 00007FB5349D9919h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop word ptr [eax+eax+00000000h]
nop word ptr [eax+eax+00h]
jmp dword ptr [eax]
inc edi
outsd
and byte ptr [edx+75h], ah
imul ebp, dword ptr [esp+20h], 203A4449h
and dl, byte ptr [ecx+62h]
push ebp
popad
popad
inc ebx
push eax
jno 00007FB5349D99B5h
xor byte ptr [eax+4Ch], dh
pop eax
xor dword ptr [eax+64h], ebp
insb
jns 00007FB5349D99A3h
das
push esi
jo 00007FB5349D997Ah
xor dword ptr fs:[esi+6Ah], esi
xor eax, 4F677656h
push ebp
inc esp
inc ebp
bound edx, dword ptr [ecx+edi*2+54h]
das
push 0000004Fh
xor bh, byte ptr [edx+66h]
jc 00007FB5349D99B4h
jp 00007FB5349D99B5h
jno 00007FB5349D99A7h
push edx
arpl word ptr [edx+00h], bx

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x259d000 | 0xe10 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x254e000 | 0x5ac | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x254cc00 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x259d340 | 0x2f0 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Columns per section: Name, Virtual Address, Virtual Size, Raw Size, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics.

.text | 0x1000 | 0x1096c90 | 0x1096e00 | unknown | unknown | unknown | unknown
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.data | 0x1098000 | 0x9b460 | 0x9b600 | False | 0.356108268805 | data | 5.19571215199
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.rdata | 0x1134000 | 0x14194e0 | 0x1419600 | unknown | unknown | unknown | unknown
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.pdata | 0x254e000 | 0x5ac | 0x600 | False | 0.4921875 | data | 5.23919882123
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.xdata | 0x254f000 | 0x51c | 0x600 | False | 0.23046875 | data | 3.71817075701
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.bss | 0x2550000 | 0x4cce0 | 0x0 | False | 0 | empty | 0.0
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.idata | 0x259d000 | 0xe10 | 0x1000 | False | 0.303955078125 | data | 4.48555485425
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.CRT | 0x259e000 | 0x68 | 0x200 | False | 0.076171875 | data | 0.332025024595
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

.tls | 0x259f000 | 0x10 | 0x200 | False | 0.02734375 | data | 0.0
  Characteristics: IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Imports

ADVAPI32.dll: RegCloseKey, RegOpenKeyExW, RegQueryValueExW

KERNEL32.dll: AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FreeEnvironmentStringsW, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatus, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, PostQueuedCompletionStatus, QueryPerformanceCounter, ResumeThread, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WriteConsoleW, WriteFile, __C_specific_handler, lstrlenA

msvcrt.dll: __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _cexit, _errno, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, strlen, strncmp, vfprintf

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• rclone.exe
• conhost.exe


System Behavior

Analysis Process: rclone.exe PID: 6480 Parent PID: 5876

General

Start time: 17:03:06
Start date: 31/08/2020
Path: C:\Users\user\Desktop\rclone.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\rclone.exe'
Imagebase: 0x400000
File size: 39116288 bytes
MD5 hash: 2A17C6DA652CFFDF8E127FBFF8A2DBA4
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

File Path: C:\Users\user\.config
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: success or wait
  Count: 1
  Address: 46C48E
  Symbol: CreateDirectoryW

File Path: C:\Users\user\.config\rclone
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: success or wait
  Count: 1
  Address: 46C48E
  Symbol: CreateDirectoryW

Analysis Process: conhost.exe PID: 6916 Parent PID: 6480

General

Start time: 17:03:11
Start date: 31/08/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75c360000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
