Malware Analysis Report

2025-01-02 03:21

Sample ID 240402-j8fpdscb73
Target Quotation.pdf.gz
SHA256 145f990406000a1e944fef609e608edd4f6a347d4038e880599bcc1fb6c709b7
Tags
remcos remotehost rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

145f990406000a1e944fef609e608edd4f6a347d4038e880599bcc1fb6c709b7

Threat Level: Known bad

The file Quotation.pdf.gz was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Drops startup file

Loads dropped DLL

Executes dropped EXE

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-02 08:20

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 08:20

Reported

2024-04-02 08:22

Platform

win7-20240221-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

Signatures

Remcos

rat remcos

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs C:\Users\Admin\AppData\Local\directory\excel.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\excel.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2928 set thread context of 1144 N/A C:\Users\Admin\AppData\Local\directory\excel.exe C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\excel.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\Users\Admin\AppData\Local\directory\excel.exe
PID 2928 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\directory\excel.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

C:\Users\Admin\AppData\Local\directory\excel.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 shgoini.com udp
US 107.175.229.143:30902 shgoini.com tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

memory/2236-10-0x00000000001A0000-0x00000000001A4000-memory.dmp

\Users\Admin\AppData\Local\directory\excel.exe

MD5 e6228228f20b7069720bb08b1d52ba7b
SHA1 d55e4ee12e71394dc8007f3cbc096117a06ab474
SHA256 74722750c670e03335a42e44963375399f46ab2ae78383a4cacc136fc943bc63
SHA512 0176266cf55ff7c236e5936b682ed8486dc6bdc4f4f567bcd9e7d60fd68c421452b3da9f163c9a63659ed750e36c29ffa6f2da1553b09e62c0fd579e8e6ada5e

C:\Users\Admin\AppData\Local\Temp\intersentimental

MD5 33b3a37e1729538227a84e8aec307e27
SHA1 d888cf3906a4bc58ccc74cba9fe6f314d3be29dd
SHA256 61616629bc83442de66185fb8a8b3ed37d4fc690d473e28cf570527a5db7d456
SHA512 7d1f025b2c18f6b1e7d1793897a17bc36f95a417d1764efc109144b0ffbb8c0a43ea216cab1e3d16935565bcd309ac8845e9df1805f99a1ac8d1f687ad52ef80

C:\Users\Admin\AppData\Local\Temp\ambiparous

MD5 5836e6fb1198f5826ca8facdba529e79
SHA1 cc17afcef2c435265036b8520728963b91ae652c
SHA256 f59b9e90acdbe2a0cc3e5e66bb3214adb7506fc775b8264e36e408a21decfba0
SHA512 f66d5d9e96911ffe7228d2db7b305ee404ba59d25fcde778d00a590417e3606b72dac0a91b7edb4e5d42f7a5a14990eaf4b5058e16ca5e12b49701c6168e3045

memory/1144-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1144-48-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 08:20

Reported

2024-04-02 08:22

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

Signatures

Remcos

rat remcos

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs C:\Users\Admin\AppData\Local\directory\excel.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\excel.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1084 set thread context of 4164 N/A C:\Users\Admin\AppData\Local\directory\excel.exe C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\excel.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

C:\Users\Admin\AppData\Local\directory\excel.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1304 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 shgoini.com udp
US 107.175.229.143:30902 shgoini.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 143.229.175.107.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 66.134.221.88.in-addr.arpa udp

Files

memory/2776-10-0x00000000020F0000-0x00000000020F4000-memory.dmp

C:\Users\Admin\AppData\Local\directory\excel.exe

MD5 eca43f94ca4669d37f24e5977d217791
SHA1 1082e8add1f75eb71e280a5d2adc659c85ecb2d7
SHA256 18a02d041dba1591ebf60550033fb7d38b8e0ed699b9941e6da868baed145235
SHA512 69bf1cc274105ffaaf102ce221667c91de4e7958da70ba4622d8a16385da8fd93b4f479f81504d8bb57081f2e201df01c1054f06824e19cfa9c7226d4ce144dc

C:\Users\Admin\AppData\Local\Temp\ambiparous

MD5 5836e6fb1198f5826ca8facdba529e79
SHA1 cc17afcef2c435265036b8520728963b91ae652c
SHA256 f59b9e90acdbe2a0cc3e5e66bb3214adb7506fc775b8264e36e408a21decfba0
SHA512 f66d5d9e96911ffe7228d2db7b305ee404ba59d25fcde778d00a590417e3606b72dac0a91b7edb4e5d42f7a5a14990eaf4b5058e16ca5e12b49701c6168e3045

C:\Users\Admin\AppData\Local\Temp\intersentimental

MD5 33b3a37e1729538227a84e8aec307e27
SHA1 d888cf3906a4bc58ccc74cba9fe6f314d3be29dd
SHA256 61616629bc83442de66185fb8a8b3ed37d4fc690d473e28cf570527a5db7d456
SHA512 7d1f025b2c18f6b1e7d1793897a17bc36f95a417d1764efc109144b0ffbb8c0a43ea216cab1e3d16935565bcd309ac8845e9df1805f99a1ac8d1f687ad52ef80

memory/4164-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-47-0x0000000000400000-0x0000000000482000-memory.dmp