Malware Analysis Report

2024-10-19 08:25

Sample ID 220521-bvyztacee4
Target 455f6d53160cb90e6f2b2c021f362260ebf90eee056fd8cf1315b67b8a74996f
SHA256 455f6d53160cb90e6f2b2c021f362260ebf90eee056fd8cf1315b67b8a74996f
Tags
snakebot remcos host rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

455f6d53160cb90e6f2b2c021f362260ebf90eee056fd8cf1315b67b8a74996f

Threat Level: Known bad

The file 455f6d53160cb90e6f2b2c021f362260ebf90eee056fd8cf1315b67b8a74996f was found to be: Known bad.

Malicious Activity Summary

snakebot remcos host rat

Snakebot family

Remcos

Contains SnakeBOT related strings

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 01:28

Signatures

Snakebot family

snakebot

Contains SnakeBOT related strings

snakebot
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 01:28

Reported

2022-05-21 02:17

Platform

win7-20220414-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1900 set thread context of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1900 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 1900 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | 10
(Count: consecutive identical events merged)

Processes

C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe

"C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HXAjzs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp23B7.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"{path}"

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | kmt.duckdns.org | udp | 1
US | 192.169.69.25:3039 | kmt.duckdns.org | tcp | 1
US | 8.8.8.8:53 | www.google.com.br | udp | 1
NL | 142.250.179.131:443 | www.google.com.br | tcp | 1
US | 8.8.8.8:53 | kmt-2.duckdns.org | udp | 1
US | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp | 17
US | 8.8.8.8:53 | kmt.duckdns.org | udp | 1
US | 192.169.69.25:3039 | kmt.duckdns.org | tcp | 1
US | 8.8.8.8:53 | kmt-2.duckdns.org | udp | 1
US | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp | 17
US | 8.8.8.8:53 | kmt.duckdns.org | udp | 1
US | 192.169.69.25:3039 | kmt.duckdns.org | tcp | 1
US | 8.8.8.8:53 | kmt-2.duckdns.org | udp | 1
US | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp | 6
(Count: consecutive identical connections merged, in capture order)

Files

memory/1900-54-0x0000000076011000-0x0000000076013000-memory.dmp

memory/1900-55-0x0000000074B90000-0x000000007513B000-memory.dmp

memory/836-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp23B7.tmp

MD5 64b84d558f2513df22c5d9d2e1999121
SHA1 2d38ab08ec3e97d1f3a5439f25293daeff7cdc64
SHA256 11dd7830034cbba2928401b42a50e6cead6cad114aca337bfb88e456ec60a01a
SHA512 8cac1092d788a7aed6a0e1e0a425e15179b727a91838da66532568ae26395400b81bdf8a96924e949266e9404a02074c1fd5a8eda43cb6e38a746a7c5995b5a6

memory/1900-58-0x0000000000B39000-0x0000000000B4A000-memory.dmp

memory/568-59-0x0000000000400000-0x0000000000417000-memory.dmp

memory/568-60-0x0000000000400000-0x0000000000417000-memory.dmp

memory/568-62-0x0000000000400000-0x0000000000417000-memory.dmp

memory/568-65-0x0000000000400000-0x0000000000417000-memory.dmp

memory/568-64-0x0000000000400000-0x0000000000417000-memory.dmp

memory/568-66-0x0000000000400000-0x0000000000417000-memory.dmp

memory/568-67-0x000000000040FD88-mapping.dmp

memory/568-70-0x0000000000400000-0x0000000000417000-memory.dmp

memory/568-71-0x0000000000400000-0x0000000000417000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 01:28

Reported

2022-05-21 02:17

Platform

win10v2004-20220414-en

Max time kernel

165s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3284 set thread context of 3244 | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3284 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 3284 wrote to memory of 3244 | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | 9
(Count: consecutive identical events merged)

Processes

C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe

"C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HXAjzs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpADAA.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"{path}"
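The process trees of behavioral1 and behavioral2 show the same chain: the dropper in %TEMP% writes into a child schtasks.exe that registers a task from an XML file in %TEMP%, then starts the .NET 2.0 MSBuild.exe with nothing to build and replaces its thread context (the sandbox renders MSBuild's single argument as "{path}"). The following is an added detection example, not code from the sandbox or this report: it runs that pattern over process-creation events shaped like Sysmon Event ID 1. The event records, the explorer.exe and devenv.exe parents, the control events and the assumption that "{path}" is MSBuild's own image path are all constructed here.

```python
# Added example (not part of the sandbox report): detection logic for the
# process chain recorded in both behavioural runs. A dropper running from
# %TEMP% (1) registers a scheduled task whose definition is an XML file in
# %TEMP% and (2) starts MSBuild.exe with no project file, a common host for
# process hollowing. Events are modelled on Sysmon Event ID 1 fields and
# are constructed here from the report's process tree; PIDs of the parents
# and the benign control events are assumptions.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_pid: int
    parent_image: str   # full path of the creating process


TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
MSBUILD_RE = re.compile(r"\\MSBuild\.exe$", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"\\schtasks\.exe$", re.IGNORECASE)
PROJECT_EXT = (".sln", ".csproj", ".vbproj", ".proj", ".targets")


def split_args(cmdline):
    """Tokenise a Windows command line, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_task_from_temp(ev):
    """schtasks /Create whose /XML task definition lives in a user temp dir."""
    if not SCHTASKS_RE.search(ev.image):
        return None
    args = [a.lower() for a in split_args(ev.cmdline)]
    if "/create" not in args or "/xml" not in args:
        return None
    xml_idx = args.index("/xml") + 1
    xml_path = args[xml_idx] if xml_idx < len(args) else ""
    if TEMP_RE.search(xml_path):
        return f"schtasks /Create from temp XML {xml_path} by {ev.parent_image}"
    return None


def check_msbuild_host(ev):
    """MSBuild.exe launched by a temp-dir parent without a project to build."""
    if not MSBUILD_RE.search(ev.image) or not TEMP_RE.search(ev.parent_image):
        return None
    args = split_args(ev.cmdline)[1:]
    if any(a.lower().endswith(PROJECT_EXT) for a in args):
        return None
    return f"MSBuild.exe spawned by {ev.parent_image} with args {args}"


def analyze(events):
    """One finding per suspicious event, plus one per parent that shows
    both behaviours (persistence and a hollowing host)."""
    findings = []
    kinds_by_parent = {}
    for ev in events:
        for check in (check_task_from_temp, check_msbuild_host):
            hit = check(ev)
            if hit:
                findings.append(hit)
                kinds_by_parent.setdefault(ev.parent_pid, set()).add(check.__name__)
    for ppid, kinds in kinds_by_parent.items():
        if len(kinds) == 2:
            findings.append(f"PID {ppid}: task persistence and MSBuild host from one parent")
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\FDA_CERT.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

# Constructed events: the first three follow the report's behavioral1 tree
# (schtasks runs from SysWOW64 although the command line names System32,
# as in the report). The last two are benign controls that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1900, DROPPER, f'"{DROPPER}"', 1234, r"C:\Windows\explorer.exe"),
    ProcEvent(836, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HXAjzs" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp23B7.tmp"',
              1900, DROPPER),
    ProcEvent(568, MSBUILD, f'"{MSBUILD}"', 1900, DROPPER),
    ProcEvent(4100, MSBUILD, f'"{MSBUILD}" C:\\src\\app.csproj', 4000,
              r"C:\Program Files\Microsoft Visual Studio\devenv.exe"),
    ProcEvent(4200, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\backup.xml"',
              4000, r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

Either check alone is noisy on developer machines (build servers launch MSBuild constantly; installers register tasks from temp files), so the third finding, both behaviours under one parent PID, is the one worth paging on. The parent-in-%TEMP% condition is what separates this chain from a legitimate build; add the SetThreadContext/WriteProcessMemory events from the report's tables if the telemetry source exposes them.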

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | www.google.com.br | udp | 1
NL | 142.250.179.131:443 | www.google.com.br | tcp | 1
US | 8.8.8.8:53 | consent.google.com.br | udp | 1
NL | 142.251.39.110:443 | consent.google.com.br | tcp | 1
US | 8.8.8.8:53 | kmt.duckdns.org | udp | 1
US | 192.169.69.25:3039 | kmt.duckdns.org | tcp | 1
US | 8.8.8.8:53 | kmt-2.duckdns.org | udp | 1
US | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp | 2
US | 93.184.220.29:80 | - | tcp | 2
NL | 8.238.24.126:80 | - | tcp | 2
GB | 51.104.15.252:443 | - | tcp | 1
US | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp | 1
NL | 8.238.24.126:80 | - | tcp | 3
US | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp | 4
US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp | 1
US | 93.184.220.29:80 | - | tcp | 1
US | 204.79.197.203:80 | - | tcp | 1
US | 8.252.118.254:80 | - | tcp | 1
US | 8.8.8.8:53 | kmt.duckdns.org | udp | 1
US | 192.169.69.25:3039 | kmt.duckdns.org | tcp | 1
US | 8.8.8.8:53 | kmt-2.duckdns.org | udp | 1
US | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp | 5
US | 8.248.21.254:80 | - | tcp | 1
US | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp | 4
NL | 104.110.191.140:80 | - | tcp | 1
US | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp | 10
US | 8.8.8.8:53 | kmt.duckdns.org | udp | 1
US | 192.169.69.25:3039 | kmt.duckdns.org | tcp | 1
US | 8.8.8.8:53 | kmt-2.duckdns.org | udp | 1
US | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp | 5
(Count: consecutive identical connections merged, in capture order; "-" = no domain recorded for the connection)
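Both Network tables (behavioral1 and behavioral2) are the same flattened "Country Destination Domain Proto" rows, with the Domain column missing on direct connections that had no preceding lookup in the capture. The following is an added example, not tooling from the sandbox or this report, that parses rows in that shape into a deduplicated indicator list. The sample rows are copied from this report; the resolver set, the allowlist of sandbox and OS noise, and the treatment of duckdns.org as a dynamic-DNS provider are assumptions made here.

```python
# Added example (not part of the sandbox report): turn the flattened
# "Country Destination Domain Proto" rows from the two Network tables into an
# indicator list. Rows with no Domain column are direct connections that had
# no preceding lookup in the capture. The resolver set and the allowlist of
# sandbox/OS noise are assumptions; the sample rows are copied from this report.
from collections import Counter

SAMPLE_ROWS = """\
US 8.8.8.8:53 kmt.duckdns.org udp
US 192.169.69.25:3039 kmt.duckdns.org tcp
US 8.8.8.8:53 www.google.com.br udp
NL 142.250.179.131:443 www.google.com.br tcp
US 8.8.8.8:53 kmt-2.duckdns.org udp
US 192.169.69.25:3039 kmt-2.duckdns.org tcp
US 192.169.69.25:3039 kmt-2.duckdns.org tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
"""

RESOLVERS = {"8.8.8.8:53"}                             # sandbox DNS forwarder (assumed)
BENIGN_SUFFIXES = (".google.com.br", ".in-addr.arpa")  # assumed noise allowlist
DYNAMIC_DNS_SUFFIXES = (".duckdns.org",)               # free dynamic-DNS provider


def parse_rows(text):
    """Parse report rows; a 3-field row has no Domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue  # header or blank line
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_benign(domain):
    return any(domain.endswith(s) for s in BENIGN_SUFFIXES)


def summarize(rows):
    """Split traffic into lookups, attributed connections and bare connections."""
    dns, c2, bare = Counter(), Counter(), Counter()
    for r in rows:
        dest = f"{r['ip']}:{r['port']}"
        if r["proto"] == "udp" and dest in RESOLVERS:
            if not is_benign(r["domain"]):
                dns[r["domain"]] += 1
        elif r["domain"]:
            if not is_benign(r["domain"]):
                c2[(r["domain"], dest)] += 1
        else:
            bare[dest] += 1  # cannot be attributed from the table alone
    return {"dns": dict(dns), "c2": dict(c2), "bare": dict(bare)}


def iocs(summary):
    """Durable indicators: the names, the socket, and which names can rotate."""
    domains = sorted(set(summary["dns"]) | {d for d, _ in summary["c2"]})
    sockets = sorted({s for _, s in summary["c2"]})
    rotating = [d for d in domains if d.endswith(DYNAMIC_DNS_SUFFIXES)]
    return {"domains": domains, "sockets": sockets, "dynamic_dns": rotating}


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_ROWS))
    print(summary)
    print(iocs(summary))
```

Both names resolve to the same socket, 192.169.69.25:3039, and that socket is a reasonable egress-filter entry on its own because 3039/tcp is not a port a workstation needs. The duckdns.org names are the more durable indicator, since a dynamic-DNS operator can repoint them at a new host without touching the sample. The bare HTTP and HTTPS connections (93.184.220.29:80, 8.238.24.126:80, 51.104.15.252:443 and the others that only appear in the Windows 10 run) have no lookup in the table and cannot be attributed to the sample from this report; check the capture before adding them to a blocklist.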

Files

memory/3284-130-0x0000000074F50000-0x0000000075501000-memory.dmp

memory/4612-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpADAA.tmp

MD5 07fde2b53a26272360c348010614dbb3
SHA1 5a11dc719476704b2cc35321793b7ce168d53828
SHA256 8fbf8dbb8fd8c94643db96d4dd16a1048416dbea92d8ecaf077b2120492169f2
SHA512 ee9b925ed30f075514f60e5c1aa370cd7f2087949a0f220ba46ec2d23de6a271a4de7c9d9c9bd79dfb810536fdc03d4b4cbf24ace01872bae95465ef87c9f13b

memory/3244-133-0x0000000000000000-mapping.dmp

memory/3244-134-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3244-136-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3244-137-0x0000000000400000-0x0000000000417000-memory.dmp