Malware Analysis Report

2025-01-02 03:15

Sample ID 240402-qtstqsbg45
Target 145f990406000a1e944fef609e608edd4f6a347d4038e880599bcc1fb6c709b7.zip
SHA256 04c8c64580324331a7c2c86d8191c20abac992ffc8b81f5b432e6f6bb5974a2c
Tags: remcos remotehost rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

04c8c64580324331a7c2c86d8191c20abac992ffc8b81f5b432e6f6bb5974a2c

Threat Level: Known bad

The file 145f990406000a1e944fef609e608edd4f6a347d4038e880599bcc1fb6c709b7.zip was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Drops startup file

Executes dropped EXE

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-02 13:33

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 13:33

Reported

2024-04-02 13:36

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

Network

N/A

Files

memory/2392-10-0x00000000003D0000-0x00000000003D4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 13:33

Reported

2024-04-02 13:37

Platform

win10v2004-20240226-en

Max time kernel

183s

Max time network

180s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

Signatures

Remcos

rat remcos

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 956 set thread context of 440 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3956 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\directory\excel.exe
PID 3956 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\directory\excel.exe
PID 3956 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\directory\excel.exe
PID 1776 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe
PID 1776 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe
PID 1776 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe
PID 1776 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Users\Admin\AppData\Local\directory\excel.exe
PID 1776 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Users\Admin\AppData\Local\directory\excel.exe
PID 1776 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Users\Admin\AppData\Local\directory\excel.exe
PID 956 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe
PID 956 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe
PID 956 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe
PID 956 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

C:\Users\Admin\AppData\Local\directory\excel.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

C:\Users\Admin\AppData\Local\directory\excel.exe

"C:\Users\Admin\AppData\Local\directory\excel.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\directory\excel.exe"

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.66.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | shgoini.com | udp
US | 107.175.229.143:30902 | shgoini.com | tcp
US | 8.8.8.8:53 | 143.229.175.107.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp

Files

memory/3956-10-0x0000000003AF0000-0x0000000003AF4000-memory.dmp

C:\Users\Admin\AppData\Local\directory\excel.exe

MD5 0f3d2c4ea88d4642a53ad36dd393141e
SHA1 0a36a0acc8586a5f4e60195b8491da35b73367d3
SHA256 35724ab95db9c562617c22641138f080e8a3d46304b3afa956a21e689f88fc21
SHA512 7a798697fab124bc7ea27933db28d0fe3f04b3a1e1cdba9683eea07ddcd53efaff263176d573473fa5942028b70da67971884645683aefe6800c61e60e1e2035

C:\Users\Admin\AppData\Local\Temp\ambiparous

MD5 5836e6fb1198f5826ca8facdba529e79
SHA1 cc17afcef2c435265036b8520728963b91ae652c
SHA256 f59b9e90acdbe2a0cc3e5e66bb3214adb7506fc775b8264e36e408a21decfba0
SHA512 f66d5d9e96911ffe7228d2db7b305ee404ba59d25fcde778d00a590417e3606b72dac0a91b7edb4e5d42f7a5a14990eaf4b5058e16ca5e12b49701c6168e3045

C:\Users\Admin\AppData\Local\Temp\intersentimental

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\intersentimental

MD5 33b3a37e1729538227a84e8aec307e27
SHA1 d888cf3906a4bc58ccc74cba9fe6f314d3be29dd
SHA256 61616629bc83442de66185fb8a8b3ed37d4fc690d473e28cf570527a5db7d456
SHA512 7d1f025b2c18f6b1e7d1793897a17bc36f95a417d1764efc109144b0ffbb8c0a43ea216cab1e3d16935565bcd309ac8845e9df1805f99a1ac8d1f687ad52ef80

C:\Users\Admin\AppData\Local\Temp\aut823C.tmp

MD5 4b2fdf0a8c6c482408eefdf707f502de
SHA1 4873e42b6576980be696af1540e6e546600d48c2
SHA256 c1812737b6c166b63bc12a406b1227bc536d954bb8d986defed0f7468d73f4af
SHA512 cf4f95e4346886bd29bb87fa21aa3503491d50089e5492719642ea6adc1c5df52f72f20f13512513e7923cd57ed808f26c6e3322f0e7ba6e0e77d65e28af83e7

C:\Users\Admin\AppData\Local\Temp\aut820C.tmp

MD5 ee36aa87dc445775e3bb981279766e33
SHA1 77e9cf67e60020f6957e826be88b1fb74c6f8903
SHA256 3e5fc13dccb76f873514e7296fa5f739cc8f49fe46a0f464fe96f0573ea4c625
SHA512 47f76b25b13f8f70cfdc8565a3ecf3569c968776e241e77f075045de7ebb06adb899e9bfe8b9ada1f40bb0b175ba8cf626f1d9862e86a5e293c3229362698ad6

memory/440-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-52-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-55-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-56-0x0000000000400000-0x0000000000482000-memory.dmp

memory/440-57-0x0000000000400000-0x0000000000482000-memory.dmp