Malware Analysis Report

2024-12-07 22:30

Sample ID 240405-q74s6aec55
Target 1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe
SHA256 0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383
Tags
remotehost remcos
score
10/10

Analysis Overview

score
10/10

SHA256

0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383

Threat Level: Known bad

The file 1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe was found to be: Known bad.

Malicious Activity Summary

remotehost remcos

Remcos family

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-05 13:55

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 13:55

Reported

2024-04-05 13:57

Platform

win7-20240215-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe

"C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rzaz.duckdns.org udp
US 89.117.23.22:57834 rzaz.duckdns.org tcp

Files

C:\ProgramData\remcos\logs.dat

MD5 0b05df77394e8c1978ae30454a572ae0
SHA1 dfdc67bfd98b065b0f8fddf51aeb1552fb90f643
SHA256 6ee31064a0153fa55e787aa97884c5c710a1358e0ab15c6b53879a81f73b3981
SHA512 a92c0307c9fbe777a85e7bbe3af045fb17548198034ad28456b8d2a69d36b9acc98ac2c8d58b72be09c5d98f5073a6a1ee9354f1ecbf4c354f81e565d04c34f3

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 13:55

Reported

2024-04-05 13:57

Platform

win10v2004-20240226-en

Max time kernel

157s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe

"C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 rzaz.duckdns.org udp
US 89.117.23.22:57834 rzaz.duckdns.org tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 98.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\ProgramData\remcos\logs.dat

MD5 ef3e2e3c1e49c9dcda7dfe0347f7e081
SHA1 a4f9388383fc5f83e9728c1ec8aa1c65f788dbf5
SHA256 236d788bd3ce7f13461934c652ff8e90646a34a76a3246e1bbaf748e56db44c6
SHA512 d38ad12571417ef6b14310d8a3c8b099fc00879e877db0c2650f0d5887b83cca6cae177a4b57abacdf6ebdf9b8586faee0b22f9fa4d9483c6941a61b3df8c781