Malware Analysis Report

2024-12-07 22:31

Sample ID 240405-q74s6adg7x
Target 1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe
SHA256 bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4
Tags
remotehost remcos rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4

Threat Level: Known bad

The file 1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe was found to be: Known bad.

Malicious Activity Summary

remotehost remcos rat

Remcos

Remcos family

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-05 13:55

Signatures

Remcos family

remcos

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 13:55

Reported

2024-04-05 13:57

Platform

win7-20240215-en

Max time kernel

147s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description: PID 2240 set thread context of 3012
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe
Target: C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe
Target: N/A

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe

"C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 rxms.duckdns.org udp
US 89.117.23.25:57832 rxms.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

memory/3012-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3012-2-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-4-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-5-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-7-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-8-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-9-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-10-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-11-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-12-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-16-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-17-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-21-0x0000000000150000-0x00000000001D2000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 2a1efddc929c9fd966b0c9854872b89b
SHA1 7d1e29e1d181f56ef679879c2743d6f8821746d0
SHA256 0b4b6e516eecdd94f0fcea2b8bfd669a71301ebc63ed6410aaf234c1d2102550
SHA512 4d5b1638b8933b2b2ebff8f9f92f24115c8db4d7e3e5724f05a5b7d470877a2bf294eb253105ffda716934894e5acbdadfff10730fcaf5ab5153c1e37c8f8175

memory/3012-25-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-26-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-33-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-34-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-41-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-49-0x0000000000150000-0x00000000001D2000-memory.dmp

memory/3012-50-0x0000000000150000-0x00000000001D2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 13:55

Reported

2024-04-05 13:57

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe"

Signatures

Remcos

rat remcos

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: \??\c:\program files (x86)\internet explorer\iexplore.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe

"C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 rxms.duckdns.org udp
US 89.117.23.25:57832 rxms.duckdns.org tcp
US 8.8.8.8:53 152.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 25.23.117.89.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 98.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
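Across both runs the sample resolves rxms.duckdns.org, connects to 89.117.23.25:57832, fetches geoplugin.net over HTTP from 178.237.33.50, and writes C:\ProgramData\remcos\logs.dat (listed in each run's Files section). The in-addr.arpa queries in this run are reverse lookups of peers, including 25.23.117.89.in-addr.arpa (89.117.23.25) and 50.33.237.178.in-addr.arpa (178.237.33.50); they are not indicators in themselves. The Python below is an added example, not part of the report or of any vendor tooling: it encodes those indicators and scans constructed log lines in an assumed simple format (dns / conn / file records), which is not a real product's export.

```python
"""Match the network and file indicators from this report against
constructed log lines. The dns/conn/file record format is an
assumption; the indicator values are the ones listed in the report."""
import re
from collections import namedtuple

# Indicators taken from the Network and Files sections of this report.
C2_DOMAINS = {"rxms.duckdns.org"}
C2_ENDPOINTS = {("89.117.23.25", 57832)}
GEO_CHECK_DOMAINS = {"geoplugin.net"}      # external-IP lookup seen in both runs
LOG_PATHS = {r"c:\programdata\remcos\logs.dat"}
# Generic: free dynamic-DNS suffixes commonly used for RAT C2 (assumed list).
DDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")

Hit = namedtuple("Hit", "severity reason line")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

DNS_RE = re.compile(r"^dns\s+(?P<client>\S+)\s+(?P<qname>\S+)$")
CONN_RE = re.compile(r"^conn\s+(?P<client>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<proto>\w+)$")
FILE_RE = re.compile(r"^file\s+(?P<image>\S+)\s+(?P<path>.+)$")


def classify(line):
    """Return a Hit for one log line, or None if it matches nothing."""
    line = line.strip()
    m = DNS_RE.match(line)
    if m:
        q = m.group("qname").lower().rstrip(".")
        if q in C2_DOMAINS:
            return Hit("high", "known Remcos C2 domain", line)
        if q.endswith(DDNS_SUFFIXES):
            return Hit("medium", "dynamic-DNS domain lookup", line)
        if q in GEO_CHECK_DOMAINS:
            return Hit("low", "external IP geolocation check", line)
        return None
    m = CONN_RE.match(line)
    if m:
        if (m.group("dst"), int(m.group("port"))) in C2_ENDPOINTS:
            return Hit("high", "known Remcos C2 endpoint", line)
        return None   # geoplugin's IP is a public service, not flagged on its own
    m = FILE_RE.match(line)
    if m and m.group("path").strip().lower() in LOG_PATHS:
        return Hit("high", "Remcos logs.dat written", line)
    return None


def scan(lines):
    """Classify every line and return the hits, highest severity first."""
    hits = [h for h in (classify(l) for l in lines) if h]
    return sorted(hits, key=lambda h: SEVERITY_ORDER[h.severity])


# Constructed log lines mirroring the report's Network and Files entries,
# plus two benign lines as controls.
CONSTRUCTED_LOG = [
    "dns 10.0.0.5 rxms.duckdns.org",
    "conn 10.0.0.5 89.117.23.25:57832 tcp",
    "dns 10.0.0.5 geoplugin.net",
    "conn 10.0.0.5 178.237.33.50:80 tcp",
    "dns 10.0.0.5 25.23.117.89.in-addr.arpa",
    r"file C:\Windows\SysWOW64\svchost.exe C:\ProgramData\remcos\logs.dat",
    "dns 10.0.0.7 www.example.com",
]

if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_LOG):
        print(f"[{hit.severity}] {hit.reason}: {hit.line}")
```

The port matters for the endpoint match: 57832 is a non-standard port on a shared hosting address, so pairing IP and port keeps the rule from firing on unrelated traffic to the same host, while the duckdns.org suffix rule catches a rotated subdomain on the same dynamic-DNS provider at lower confidence.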

Files

memory/4624-0-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-1-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-2-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-4-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-6-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-7-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-8-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-9-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-10-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-11-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-15-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-16-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-20-0x0000000000D40000-0x0000000000DC2000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 2419cdf9e257b34b8f021929ab31fb20
SHA1 37d8f6cb76083292f611e4f42c37db6eade442d3
SHA256 52f38af681bc1baf3cfb5c06cd4e08e6a5088f2f806f7431b6a8b00f40bf15f0
SHA512 4b06b652fce10051cb6b196eb8fce3bd2fce75caa81c3f51ccfcdc1e455283d0efcfc8d9628cbeb128289246f43ffe3d7e3098629849355422dca929266a23b4

memory/4624-24-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-25-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-32-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-33-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-40-0x0000000000D40000-0x0000000000DC2000-memory.dmp

memory/4624-41-0x0000000000D40000-0x0000000000DC2000-memory.dmp
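The memory dump names in both Files sections follow the pattern memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp, and the same region is dumped repeatedly: 0x150000-0x1D2000 in PID 3012 (the hollowed svchost.exe) in behavioral1 and 0xD40000-0xDC2000 in PID 4624 in behavioral2, both 0x82000 bytes, which is consistent with the same unpacked payload being mapped at a different base in each run (an inference, not a statement from the report). The Python below is an added example, not sandbox code: it parses the dump names copied from this report, collapses the repeats, and reports each region's size and the sizes shared across runs.

```python
"""Parse memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp names from the
Files sections, collapse repeated dumps of one region, and report
sizes. Dump names are copied from this report; the grouping logic is an
added example, not sandbox code."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Return (pid, sequence number, start, end) for one dump file name."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    return (int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def summarize(names):
    """Return {pid: [(start, end, size, dump_count), ...]} sorted by start."""
    counts = defaultdict(int)
    for name in names:
        pid, _, start, end = parse_dump_name(name)
        counts[(pid, start, end)] += 1
    out = defaultdict(list)
    for (pid, start, end), n in sorted(counts.items()):
        out[pid].append((start, end, end - start, n))
    return dict(out)


def shared_region_sizes(*runs):
    """Region sizes present in every run regardless of pid or base address,
    to spot the same image being mapped at different bases."""
    sets = [{size for regs in summarize(r).values() for (_, _, size, _) in regs}
            for r in runs]
    return set.intersection(*sets)


# Dump names as listed in this report (sequence numbers copied verbatim).
RUN1 = ["memory/3012-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp"] + [
    f"memory/3012-{n}-0x0000000000150000-0x00000000001D2000-memory.dmp"
    for n in (2, 4, 5, 7, 8, 9, 10, 11, 12, 16, 17, 21, 25, 26, 33, 34, 41, 49, 50)]
RUN2 = [f"memory/4624-{n}-0x0000000000D40000-0x0000000000DC2000-memory.dmp"
        for n in (0, 1, 2, 4, 6, 7, 8, 9, 10, 11, 15, 16, 20, 24, 25, 32, 33, 40, 41)]

if __name__ == "__main__":
    for label, run in (("behavioral1", RUN1), ("behavioral2", RUN2)):
        for pid, regions in summarize(run).items():
            for start, end, size, n in regions:
                print(f"{label} pid {pid}: 0x{start:X}-0x{end:X} "
                      f"size 0x{size:X} ({size} bytes), dumped {n} times")
    print("sizes common to both runs:", [hex(s) for s in shared_region_sizes(RUN1, RUN2)])
```

Comparing region sizes rather than addresses is the useful part: the base differs between the Win7 and Win10 runs, but a repeated 0x82000-byte region in each gives a starting point for carving the unpacked payload from either dump set.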