Malware Analysis Report

2025-01-02 03:14

Sample ID 240403-q4nmrsdh7y
Target da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe
SHA256 da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75
Tags remcos remotehost rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75

Threat Level: Known bad

The file da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Drops startup file

Executes dropped EXE

AutoIT Executable

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-03 13:49

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 13:49

Reported

2024-04-03 13:51

Platform

win7-20240221-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe

"C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe"

Network

N/A

Files

memory/2492-10-0x0000000000220000-0x0000000000224000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 13:49

Reported

2024-04-03 13:51

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe"

Signatures

Remcos

rat remcos

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs
Process: C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
Target: N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe

"C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe"

C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe

"C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe"

Network

Country  Destination             Domain                           Proto
US       8.8.8.8:53              58.55.71.13.in-addr.arpa         udp
US       8.8.8.8:53              202.110.86.104.in-addr.arpa      udp
US       8.8.8.8:53              2.159.190.20.in-addr.arpa        udp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       8.8.8.8:53              149.220.183.52.in-addr.arpa      udp
US       107.175.229.139:8087    N/A                              tcp
US       8.8.8.8:53              50.23.12.20.in-addr.arpa         udp
US       8.8.8.8:53              198.187.3.20.in-addr.arpa        udp
US       8.8.8.8:53              172.210.232.199.in-addr.arpa     udp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       8.8.8.8:53              218.110.86.104.in-addr.arpa      udp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       8.8.8.8:53              11.227.111.52.in-addr.arpa       udp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       107.175.229.139:8087    N/A                              tcp
US       8.8.8.8:53              25.73.42.20.in-addr.arpa         udp
US       107.175.229.139:8087    N/A                              tcp

Files

memory/4872-10-0x00000000027F0000-0x00000000027F4000-memory.dmp

C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe

MD5 38f3c76a53fc5c38e864d22114d3681e
SHA1 77cd891a1faa7c61258b51c79e9035ba41d7fa3d
SHA256 54a47c85cc67aebc790c14ba70a96cf668148fb8dbd9b57cbfa87fa02596aa00
SHA512 c2bf831d47ca4b2686dca1155a69246d0193d8db33f4feb5e3099d5c1e92c1d40a42e8ea8f3364496945c2d3344d72752dccd3f3962f7ae48134e0360754447a

C:\Users\Admin\AppData\Local\Temp\uncolorable

MD5 3ea15c6ae80a4381148d6d754aa5bef0
SHA1 f7bb1d88b47edd40d1b6b6306c360afe188802ff
SHA256 f49ee0a3104ae84b4f0c02dec84a126c5b9602b55eae52fe9d80efbcf4e6aa7c
SHA512 52124d9f68afd4fb25e6eb7cad03c5ea147e0bbafec84c2ae1c8d7b71142b74399e594ae9a6e5ffb60e741b760f198f05808bb331d6ec977f0ea584cbd829866

C:\Users\Admin\AppData\Local\Temp\acceptancy

MD5 dc89e41ce316d7ceb23763dbcd54ba9a
SHA1 6f26cc5f16de21e427bd003ff38cce2a1784a87d
SHA256 a2762a36dece9e211a90b2a3bded0def88401206f04e895d6cc8947c51ccc36c
SHA512 488fb772a6dde9b48819dc29ba169271d736787631550c8a64f7ba6c9d52e0e4901305f9ef9822c843d4ffab1c0176397bea6e119de1739bc82bb4120e6625e9

memory/4008-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-51-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 3f72758f80b004d6c99f2c3d4e50d2e8
SHA1 c306ae7a830400f70ff562dac759f4c77097d04d
SHA256 b5fb7fa2f187c851b0198843901d9652a379a27ce183a4a5fa624b8d6a8d7283
SHA512 818fa57ec618ce44296caca947a8ea35d69ec8feee87358831c63a684c12195de252128c9b7f7aa683e1419f7f163f5d2ada6e67988c338bf3cac349d205bd00

memory/4008-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-55-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-57-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-58-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-59-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-61-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-62-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-64-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-65-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-67-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-68-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-69-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-70-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-72-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-73-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-75-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-76-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-78-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-79-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-80-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-82-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-83-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-84-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-86-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-87-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-89-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-90-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-91-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-93-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-94-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-95-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-97-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-98-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-101-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-102-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-104-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-106-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-108-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-109-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-111-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-112-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-114-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4008-115-0x0000000000400000-0x0000000000482000-memory.dmp