Malware Analysis Report

2024-10-23 21:07

Sample ID 201109-v5x3szm94a
Target CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
SHA256 329886b8af71b45a41f94d0d9a69761b6b6fe80d36b7f7a6201fd97dc33234d5
Tags snakebot snakebot remcos coreentity rat rezer0
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 329886b8af71b45a41f94d0d9a69761b6b6fe80d36b7f7a6201fd97dc33234d5

Threat Level: Known bad

The file CONFIRMACION DEL PEDIDO CVE6535,PDF.exe was found to be: Known bad.

Malicious Activity Summary

snakebot snakebot remcos coreentity rat rezer0

Remcos

Snakebot family

CoreEntity .NET Packer

Contains SnakeBOT related strings

rezer0

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2020-11-09 19:37

Signatures

Snakebot family

snakebot

Contains SnakeBOT related strings

snakebot
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2020-11-09 19:37
Reported 2020-11-09 22:05
Platform win7v20201028
Max time kernel 151s
Max time network 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe"

Signatures

CoreEntity .NET Packer

coreentity
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Remcos

rat remcos

rezer0

rezer0
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1848 set thread context of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1848 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1848 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1848 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1848 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1848 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1848 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1848 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1848 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1848 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1848 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1848 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

"C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CfGuVGvIV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A5B.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"{path}"

Network

Country | Destination | Domain | Proto
N/A | 72.21.91.29:80 | | tcp
N/A | 8.8.8.8:53 | www.google.com.br | udp
N/A | 172.217.19.195:443 | www.google.com.br | tcp
N/A | 8.8.8.8:53 | thankyoulord.ddns.net | udp
N/A | 204.79.197.200:443 | | tcp
N/A | 8.8.8.8:53 | crl.verisign.com | udp

Files

memory/1848-0-0x00000000742C0000-0x00000000749AE000-memory.dmp

memory/1848-1-0x00000000008A0000-0x00000000008A1000-memory.dmp

memory/1984-3-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

memory/1848-4-0x0000000000230000-0x0000000000233000-memory.dmp

memory/1848-5-0x0000000007330000-0x0000000007357000-memory.dmp

memory/1448-6-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4A5B.tmp

MD5 6f034f247ff434fdf03cbe467d528312
SHA1 894bae0158a82ede3c4c8e48349d49f621cf9032
SHA256 68a695d53c232920102c555e384bcbc6efc6eac421011b4ceaf9b30c2ce6fd7d
SHA512 43d86aab0e7e4565dad4abddc9a1645030fa2ab9c6a26359f7ed0d1354212fcae11ca535299eaecad6998b9c7a8a9fd3be0e6cea01cc3e5e78ba9707464b3fe1

memory/960-8-0x0000000000400000-0x0000000000420000-memory.dmp

memory/960-9-0x0000000000413A84-mapping.dmp

memory/960-10-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2020-11-09 19:37
Reported 2020-11-09 22:06
Platform win10v20201028
Max time kernel 151s
Max time network 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe"

Signatures

CoreEntity .NET Packer

coreentity
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Remcos

rat remcos

rezer0

rezer0
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2432 set thread context of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2432 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2432 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2432 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2432 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2432 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2432 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2432 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2432 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2432 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2432 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2432 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2432 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2432 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

"C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CfGuVGvIV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC058.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"{path}"

Network

Country | Destination | Domain | Proto
N/A | 93.184.220.29:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 8.8.8.8:53 | www.google.com.br | udp
N/A | 172.217.19.195:443 | www.google.com.br | tcp
N/A | 8.8.8.8:53 | thankyoulord.ddns.net | udp
N/A | 93.184.221.240:80 | | tcp
N/A | 204.79.197.200:443 | | tcp
N/A | 93.184.220.29:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 204.79.197.200:443 | | tcp
N/A | 204.79.197.200:443 | | tcp
N/A | 204.79.197.200:443 | | tcp

Files

memory/2432-0-0x0000000073970000-0x000000007405E000-memory.dmp

memory/2432-1-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/2432-3-0x00000000079C0000-0x00000000079C1000-memory.dmp

memory/2432-4-0x0000000007560000-0x0000000007561000-memory.dmp

memory/2432-5-0x0000000007520000-0x0000000007521000-memory.dmp

memory/2432-6-0x0000000002A80000-0x0000000002A83000-memory.dmp

memory/2432-7-0x000000000A9B0000-0x000000000A9D7000-memory.dmp

memory/2432-8-0x000000000AA80000-0x000000000AA81000-memory.dmp

memory/3948-9-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC058.tmp

MD5 e3b3df55dbac304978868a58e602b677
SHA1 42ba13f72c8cba8665b9ebf43468b95a12358bed
SHA256 1c92fbfb17d3a5ad0a27e600b9137015a4e06f59571feea3f07bdd1f6e1566fe
SHA512 6a394c04557cbe460af948178454af43c4d31d8e8b0216f9778c9a0be3a9130e500fc7102b6aaaab9147d60bc4d78f5a48625c9923b2c10a05d7b55543c68a55

memory/3124-11-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3124-12-0x0000000000413A84-mapping.dmp

memory/3124-13-0x0000000000400000-0x0000000000420000-memory.dmp