Once the function (k78er0sdfffff.o70sdaf45gfg()) is invoked, it finds “RegAsm.exe” from below locations on the victim’s device.
Actually, this Dll is used to perform the process hollowing that is injecting the Remcos payload into a newly-created “RegAsm.exe” process. Next, it decompresses the Remcos payload, which will be passed to a function called "k78er0sdfffff.o70sdaf45gfg(System.String, Byte)" that is from lime.dll at the time the function is called. According to my analysis, it first dynamically extracts another Dll from its resource section named lime.dll. The two passed parameters are shown in “Locals”. Net Dll is named GC.dll as you can see in Figure 6.
0 kommentar(er)
