Analysis Overview
SHA256
2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17
Threat Level: Known bad
The file 1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe was found to be: Known bad.
Malicious Activity Summary
Remcos family
Unsigned PE
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-05 13:55
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-05 13:55
Reported
2024-04-05 13:57
Platform
win7-20240221-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rxmz.duckdns.org | udp |
| US | 89.117.23.22:57833 | rxmz.duckdns.org | tcp |
Files
C:\ProgramData\remcos\logs.dat
| MD5 | 9675c2bef8d463e70db3d2a2d035d66d |
| SHA1 | 4f9dc7a15096d69754e2c01ab84600f1c20fa941 |
| SHA256 | 192231d6bcb37d0ccd65a403c63c089d18475f190b453ecea28423f5759e099f |
| SHA512 | 648b9300d6b652b276949564fe186546f73764a93e03af997d9af4ffe7ef3315fcc4a264f43ca832ab75fe0a784594d9783dc6b6082ff69615f6d6ccd81be6fd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-05 13:55
Reported
2024-04-05 13:57
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rxmz.duckdns.org | udp |
| US | 89.117.23.22:57833 | rxmz.duckdns.org | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
| US | 89.117.23.22:57833 | | tcp |
Files
C:\ProgramData\remcos\logs.dat
| MD5 | 8c437efedfec1dda97d90e21a381b2ec |
| SHA1 | f92a6f9bdf3c2d3ed82627d7c38ca0b1381858e9 |
| SHA256 | f177ade3d6888bcbf06a576c55d1347fcb7b835f28246ce5b000e312d5bc2052 |
| SHA512 | a9b02b8b6ff7f021ae3b7c6b6f17a5f3ed0cce5f2a9b6cbc5bd14673fea97803588054f97f6285cc578885beec2055def08b19641403f4e933afa4a1d502fecc |