Malware Analysis Report

2025-01-02 03:13

Sample ID: 240405-q74s6aec54
Target: 1712325245cc226d51885ef77b1cc5f09859aff0054330432691c1328fbdf88199018a7f16240.dat-decoded.exe
SHA256: d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229
Tags: remotehost, remcos
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229

Threat Level: Known bad

The file 1712325245cc226d51885ef77b1cc5f09859aff0054330432691c1328fbdf88199018a7f16240.dat-decoded.exe was found to be: Known bad.

Malicious Activity Summary

remotehost remcos

Remcos family

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-05 13:55

Signatures

Remcos family

remcos

Unsigned PE

Description    Indicator    Process    Target
N/A            N/A          N/A        N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-05 13:55
Reported: 2024-04-05 13:57
Platform: win7-20240221-en
Max time kernel: 148s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1712325245cc226d51885ef77b1cc5f09859aff0054330432691c1328fbdf88199018a7f16240.dat-decoded.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\1712325245cc226d51885ef77b1cc5f09859aff0054330432691c1328fbdf88199018a7f16240.dat-decoded.exe

"C:\Users\Admin\AppData\Local\Temp\1712325245cc226d51885ef77b1cc5f09859aff0054330432691c1328fbdf88199018a7f16240.dat-decoded.exe"

Network

Country  Destination          Domain              Proto
US       8.8.8.8:53           rxms.duckdns.org    udp
US       89.117.23.25:57832   rxms.duckdns.org    tcp
US       8.8.8.8:53           geoplugin.net       udp
NL       178.237.33.50:80     geoplugin.net       tcp

Files

C:\ProgramData\remcos\logs.dat

MD5     084d0ee288eed222cc0c296be9a98bd9
SHA1    c120f098dfe7edb3807a3278a0d5441a213627ce
SHA256  fd6beeb6a473a8793c5206f7f9a2afb137bab75515f417f8898a0105d6199b8d
SHA512  23d4b6f62d5451cdf9cfe04b5711eac478f09759a98c7709b86d63c8db67075a9ca564e2704468fc9bd3020a8751a3fbe256196832fd1a899d7201045708f7f1

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-05 13:55
Reported: 2024-04-05 13:57
Platform: win10v2004-20240226-en
Max time kernel: 148s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1712325245cc226d51885ef77b1cc5f09859aff0054330432691c1328fbdf88199018a7f16240.dat-decoded.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\1712325245cc226d51885ef77b1cc5f09859aff0054330432691c1328fbdf88199018a7f16240.dat-decoded.exe

"C:\Users\Admin\AppData\Local\Temp\1712325245cc226d51885ef77b1cc5f09859aff0054330432691c1328fbdf88199018a7f16240.dat-decoded.exe"

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           rxms.duckdns.org               udp
US       89.117.23.25:57832   rxms.duckdns.org               tcp
US       8.8.8.8:53           25.23.117.89.in-addr.arpa      udp
US       8.8.8.8:53           196.249.167.52.in-addr.arpa    udp
US       8.8.8.8:53           geoplugin.net                  udp
NL       178.237.33.50:80     geoplugin.net                  tcp
US       8.8.8.8:53           122.136.73.23.in-addr.arpa     udp
US       8.8.8.8:53           69.31.126.40.in-addr.arpa      udp
US       138.91.171.81:80                                    tcp
US       8.8.8.8:53           50.33.237.178.in-addr.arpa     udp
US       8.8.8.8:53           228.249.119.40.in-addr.arpa    udp
US       8.8.8.8:53           150.1.37.23.in-addr.arpa       udp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53           130.118.77.104.in-addr.arpa    udp
US       8.8.8.8:53           79.121.231.20.in-addr.arpa     udp
US       8.8.8.8:53           120.136.73.23.in-addr.arpa     udp
US       8.8.8.8:53           48.229.111.52.in-addr.arpa     udp
US       8.8.8.8:53           90.136.73.23.in-addr.arpa      udp
US       8.8.8.8:53           25.73.42.20.in-addr.arpa       udp

Files

C:\ProgramData\remcos\logs.dat

MD5     2a1efddc929c9fd966b0c9854872b89b
SHA1    7d1e29e1d181f56ef679879c2743d6f8821746d0
SHA256  0b4b6e516eecdd94f0fcea2b8bfd669a71301ebc63ed6410aaf234c1d2102550
SHA512  4d5b1638b8933b2b2ebff8f9f92f24115c8db4d7e3e5724f05a5b7d470877a2bf294eb253105ffda716934894e5acbdadfff10730fcaf5ab5153c1e37c8f8175