Analysis Overview
SHA256
898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
Threat Level: Known bad
The file Remcos Professional Cracked By Alcatraz3222.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Executes dropped EXE
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-01 17:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-01 17:14
Reported
2024-03-01 17:18
Platform
win10-20240221-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3320 set thread context of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dllsys.duckdns.org | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| US | 20.231.121.79:80 | tcp | |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dllsys.duckdns.org | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.178.17.96.in-addr.arpa | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
Files
memory/3320-0-0x00000000739B0000-0x000000007409E000-memory.dmp
memory/3320-1-0x0000000000330000-0x00000000014DE000-memory.dmp
memory/3320-2-0x0000000005D70000-0x0000000005E0C000-memory.dmp
memory/3320-3-0x0000000005D60000-0x0000000005D70000-memory.dmp
memory/3320-4-0x000000000D430000-0x000000000E5B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe
| MD5 | a3fb16f9d600a1fc4a3012c8b292c357 |
| SHA1 | bad0b990fc1f595def5b1fd96da551d72ab3a5f4 |
| SHA256 | 0b4969ac87ddfe5e4ec6c67f22a088098e2b149f974ee8cc6cde555803fc0073 |
| SHA512 | 194623889d5e07ee93df7f96df3276dae72f188a0f8f4b08a1a3c5d6421805fc9145d6922999a8d10c11d11ba400f6faaaa7a2d08b7da17957c42664279d7b39 |
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
| MD5 | 9af17c8393f0970ee5136bd3ffa27001 |
| SHA1 | 4b285b72c1a11285a25f31f2597e090da6bbc049 |
| SHA256 | 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019 |
| SHA512 | b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3 |
memory/2472-12-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2472-17-0x00000000739B0000-0x000000007409E000-memory.dmp
memory/2472-18-0x00000000056B0000-0x0000000005BAE000-memory.dmp
memory/2472-19-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/2472-20-0x0000000005370000-0x0000000005402000-memory.dmp
memory/3320-22-0x00000000739B0000-0x000000007409E000-memory.dmp
memory/2472-23-0x0000000005280000-0x000000000528A000-memory.dmp
memory/2472-24-0x00000000739B0000-0x000000007409E000-memory.dmp
memory/2472-25-0x00000000052C0000-0x00000000052D0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-01 17:14
Reported
2024-03-01 17:18
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
159s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4876 set thread context of 3624 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dllsys.duckdns.org | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dllsys.duckdns.org | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
memory/4876-0-0x0000000074CE0000-0x0000000075490000-memory.dmp
memory/4876-1-0x0000000000B50000-0x0000000001CFE000-memory.dmp
memory/4876-2-0x0000000006630000-0x00000000066CC000-memory.dmp
memory/4876-3-0x0000000006620000-0x0000000006630000-memory.dmp
memory/4876-4-0x000000000DCF0000-0x000000000EE72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe
| MD5 | efc159c7cf75545997f8c6af52d3e802 |
| SHA1 | b85bd368c91a13db1c5de2326deb25ad666c24c1 |
| SHA256 | 898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e |
| SHA512 | d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d |
memory/3624-12-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
| MD5 | 8fdf47e0ff70c40ed3a17014aeea4232 |
| SHA1 | e6256a0159688f0560b015da4d967f41cbf8c9bd |
| SHA256 | ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82 |
| SHA512 | bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be |
memory/3624-16-0x0000000074CE0000-0x0000000075490000-memory.dmp
memory/3624-18-0x0000000005490000-0x0000000005A34000-memory.dmp
memory/3624-19-0x00000000050B0000-0x0000000005142000-memory.dmp
memory/4876-20-0x0000000074CE0000-0x0000000075490000-memory.dmp
memory/3624-21-0x00000000050A0000-0x00000000050B0000-memory.dmp
memory/3624-22-0x0000000005030000-0x000000000503A000-memory.dmp
memory/4876-24-0x0000000074CE0000-0x0000000075490000-memory.dmp
memory/3624-25-0x0000000074CE0000-0x0000000075490000-memory.dmp
memory/3624-26-0x00000000050A0000-0x00000000050B0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-01 17:14
Reported
2024-03-01 17:18
Platform
win11-20240221-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1188 set thread context of 4048 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
Files
memory/1188-0-0x0000000074700000-0x0000000074EB1000-memory.dmp
memory/1188-1-0x0000000000F30000-0x00000000020DE000-memory.dmp
memory/1188-2-0x0000000006C30000-0x0000000006CCC000-memory.dmp
memory/1188-3-0x0000000006AE0000-0x0000000006AF0000-memory.dmp
memory/1188-4-0x000000000E2E0000-0x000000000F462000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe
| MD5 | 022d5bc9c0180680a20696c0c02b2cc5 |
| SHA1 | 219b5590e083711b86c1cdc35482fe872eaf6cba |
| SHA256 | b599aa3abace72d5bfdaff2e63c0093f94ad73de98f50c35f2b3f1eabc3f35b8 |
| SHA512 | baebe1db6247ede1547646f89901c0e97600f6381c4fa11cd9b80d3ea8f0dec6c7bef8ad3c4b9b97265a5e7e45a8a492522cd09837c227e1210af56f5e838e66 |
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
| MD5 | d10a3cfcc08aae3a7234498f213cf89e |
| SHA1 | ccae4469a3a05fcb6e7af33019ca5357e5406dda |
| SHA256 | 0da56bd07a486818b7735761001cc1d3ca5af645f369a3c206bcb6719fefff06 |
| SHA512 | 90a4a68b45113360d732ccac7698c74aa550c05d9883d287b808982800fce1a24abf69cf06b0f017babd647cafd3ca10aa894c59e6dab8ba1ff34c639bdf6427 |
memory/4048-17-0x00000000001E0000-0x00000000001EE000-memory.dmp
memory/4048-18-0x0000000074700000-0x0000000074EB1000-memory.dmp
memory/4048-19-0x00000000050E0000-0x0000000005686000-memory.dmp
memory/4048-21-0x0000000004C60000-0x0000000004C70000-memory.dmp
memory/1188-23-0x0000000074700000-0x0000000074EB1000-memory.dmp
memory/4048-22-0x0000000004D10000-0x0000000004DA2000-memory.dmp
memory/4048-24-0x0000000004C40000-0x0000000004C4A000-memory.dmp
memory/4048-25-0x0000000074700000-0x0000000074EB1000-memory.dmp
memory/4048-26-0x0000000004C60000-0x0000000004C70000-memory.dmp