Analysis Overview
SHA256
0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383
Threat Level: Known bad
The file 1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe was found to be: Known bad.
Malicious Activity Summary
Remcos family
Unsigned PE
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-05 13:55
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-05 13:55
Reported
2024-04-05 13:57
Platform
win7-20240215-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rzaz.duckdns.org | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 8.8.8.8:53 | rzaz.duckdns.org | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 8.8.8.8:53 | rzaz.duckdns.org | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
Files
C:\ProgramData\remcos\logs.dat
| Hash | Value |
| --- | --- |
| MD5 | 0b05df77394e8c1978ae30454a572ae0 |
| SHA1 | dfdc67bfd98b065b0f8fddf51aeb1552fb90f643 |
| SHA256 | 6ee31064a0153fa55e787aa97884c5c710a1358e0ab15c6b53879a81f73b3981 |
| SHA512 | a92c0307c9fbe777a85e7bbe3af045fb17548198034ad28456b8d2a69d36b9acc98ac2c8d58b72be09c5d98f5073a6a1ee9354f1ecbf4c354f81e565d04c34f3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-05 13:55
Reported
2024-04-05 13:57
Platform
win10v2004-20240226-en
Max time kernel
157s
Max time network
168s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rzaz.duckdns.org | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 8.8.8.8:53 | 98.136.73.23.in-addr.arpa | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 8.8.8.8:53 | rzaz.duckdns.org | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 8.8.8.8:53 | 90.136.73.23.in-addr.arpa | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 8.8.8.8:53 | rzaz.duckdns.org | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
Files
C:\ProgramData\remcos\logs.dat
| Hash | Value |
| --- | --- |
| MD5 | ef3e2e3c1e49c9dcda7dfe0347f7e081 |
| SHA1 | a4f9388383fc5f83e9728c1ec8aa1c65f788dbf5 |
| SHA256 | 236d788bd3ce7f13461934c652ff8e90646a34a76a3246e1bbaf748e56db44c6 |
| SHA512 | d38ad12571417ef6b14310d8a3c8b099fc00879e877db0c2650f0d5887b83cca6cae177a4b57abacdf6ebdf9b8586faee0b22f9fa4d9483c6941a61b3df8c781 |