Malware Analysis Report

2025-01-02 03:14

Sample ID 240405-q8nhkaec72
Target 1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded
SHA256 0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383
Tags remotehost, remcos
Score 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383

Threat Level: Known bad

The file 1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded was found to be: Known bad.

Malicious Activity Summary

remotehost remcos

Remcos family

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-05 13:56

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 13:56

Reported

2024-04-05 13:58

Platform

win7-20240221-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.exe

"C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rzaz.duckdns.org udp
US 89.117.23.22:57834 rzaz.duckdns.org tcp

Files

C:\ProgramData\remcos\logs.dat

MD5 d06c586eaf5bb38e106486bc44b49314
SHA1 f480e3cc56f4ad229a7a30c115460fdeb5501db9
SHA256 4652d9ab99cf37b86227945640511f19c32f636147f6477c1d63c2fe67804aee
SHA512 64224a3d6f3f818a287076cc5405acf73eed0d530fd08a1fdb7f130b00360f4de65e53a6888b01bb902eba922ddf070e9bfa4db31c6d499833839d6a72aacc32

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 13:56

Reported

2024-04-05 13:58

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.exe

"C:\Users\Admin\AppData\Local\Temp\1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rzaz.duckdns.org udp
US 89.117.23.22:57834 rzaz.duckdns.org tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 120.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 112.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.136.73.23.in-addr.arpa udp

Files

C:\ProgramData\remcos\logs.dat

MD5 2e0f95002a7d0148220369d171c11eb0
SHA1 bcc38574b9deb43630ba90a1eff7836bc3af2548
SHA256 76eb95eb65e6b09fc76e59db10b5f02acaa1076058418200a06885e32491b50c
SHA512 b393bd90dbf56e3bff273adf29d9bf020e516f05239e29bf3beb5fa58d2a1b27b7ce9ae17a9722b40b8376430d5babb9f937be0c6fa6b7914c59fd76f1da8395