Malware Analysis Report

2025-01-02 03:13

Sample ID: 240405-q75epadg8s
Target: 1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe
SHA256: 2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17
Tags: remotehost remcos
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17

Threat Level: Known bad

The file 1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe was found to be: Known bad.

Malicious Activity Summary

remotehost remcos

Remcos family

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-05 13:55

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-05 13:55
Reported: 2024-04-05 13:57
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe

"C:\Users\Admin\AppData\Local\Temp\1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 rxmz.duckdns.org udp 3
US 89.117.23.22:57833 rxmz.duckdns.org tcp 57

Files

C:\ProgramData\remcos\logs.dat

MD5 9675c2bef8d463e70db3d2a2d035d66d
SHA1 4f9dc7a15096d69754e2c01ab84600f1c20fa941
SHA256 192231d6bcb37d0ccd65a403c63c089d18475f190b453ecea28423f5759e099f
SHA512 648b9300d6b652b276949564fe186546f73764a93e03af997d9af4ffe7ef3315fcc4a264f43ca832ab75fe0a784594d9783dc6b6082ff69615f6d6ccd81be6fd

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-05 13:55
Reported: 2024-04-05 13:57
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe

"C:\Users\Admin\AppData\Local\Temp\1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 rxmz.duckdns.org udp 3
US 89.117.23.22:57833 rxmz.duckdns.org tcp 37
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 139.136.73.23.in-addr.arpa udp 1
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp 1
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp 1
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp 1
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp 1
US 8.8.8.8:53 98.136.73.23.in-addr.arpa udp 1
US 8.8.8.8:53 129.136.73.23.in-addr.arpa udp 1
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp 1
US 89.117.23.22:57833 (no domain) tcp 1

Files

C:\ProgramData\remcos\logs.dat

MD5 8c437efedfec1dda97d90e21a381b2ec
SHA1 f92a6f9bdf3c2d3ed82627d7c38ca0b1381858e9
SHA256 f177ade3d6888bcbf06a576c55d1347fcb7b835f28246ce5b000e312d5bc2052
SHA512 a9b02b8b6ff7f021ae3b7c6b6f17a5f3ed0cce5f2a9b6cbc5bd14673fea97803588054f97f6285cc578885beec2055def08b19641403f4e933afa4a1d502fecc