Malware Analysis Report

2025-01-02 03:14

Sample ID 240405-qlmyhsdb5s
Target 669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
SHA256 669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e
Tags
remcos remotehost rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e

Threat Level: Known bad

The file 669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Drops startup file

Executes dropped EXE

AutoIT Executable

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-05 13:21

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 13:21

Reported

2024-04-05 13:23

Platform

win7-20231129-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe

"C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"

Network

N/A

Files

memory/2948-10-0x0000000000790000-0x0000000000794000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 13:21

Reported

2024-04-05 13:23

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"

Signatures

Remcos

rat remcos

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe

"C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"

C:\Users\Admin\AppData\Local\directory\name.exe

"C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 122.136.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp
NL | 193.222.96.75:8823 | N/A | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp
NL | 193.222.96.75:8823 | N/A | tcp
US | 8.8.8.8:53 | 130.136.73.23.in-addr.arpa | udp
NL | 193.222.96.75:8823 | N/A | tcp
NL | 193.222.96.75:8823 | N/A | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
NL | 193.222.96.75:8823 | N/A | tcp
NL | 193.222.96.75:8823 | N/A | tcp
US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp

Files

memory/968-10-0x0000000004050000-0x0000000004054000-memory.dmp

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 6bc085f01b9d2ad107bcd26eb213452f
SHA1 4bd66c0e667e2ae0246ea14ba2820cda4f2a47ea
SHA256 0a02e24506da301d164396cd47cefcea284f886d211d769888e4ca62ee2df9ba
SHA512 43e0b2e92e7e600bf6750919d662deb459851ce3b0aef0b706dc3682052f79e400c13efb782da78dfaeb07078cba968d1cf39befb437a111290cf541e59a7b3c

C:\Users\Admin\AppData\Local\Temp\ageless

MD5 ffa2e5ab3b36f5f9ae74cff2a038c1d4
SHA1 8ed7f9cf5089d8361dac06205f5d4567dd8006f9
SHA256 afb5de202275b56fd3f692015b0ce44536db0db7659d392f9dc94d58da87c8f7
SHA512 4775cfe9550daa79fae22c204b118bffc293059110250456b69b6539594d0d3dbe7dedec6cc53aea1890d88340489a993312f0d887453d3702f8a12c7cbb2492

C:\Users\Admin\AppData\Local\Temp\scroll

MD5 d0d973e17f4f9faff0bd11e10be35a45
SHA1 8f6f95ff9d4d5ec970e1ce58902122bd682d8828
SHA256 bc16cad3c5fcd0da9deb63a3ac44b660c6a979b1be970d526feff7cdae679f52
SHA512 2e34d179a064b44043350b80a44601a5732d5ee79b201ab517af64bd806a535550288f2d13c2e961e4ca58ef63a0009a5073233619f3e912e3643434e0520367

memory/1240-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-41-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 97004072dc603fb8911c18d0d81e1ecc
SHA1 585427098a26e860c9e3fd96f48f6289ed69b49e
SHA256 e0967f2731fdae9e6a101443d526e052b468ebf4e507da7b0a74bedf77d71e72
SHA512 477cc3b8945a92c47d6343e658584ce9c91b149124d8ddb3bf2c0bb57e454ba73b2c0e93e8521227777f1ba1568091c1f9fa1476c91b7d662f16aae02ec1f4e2

memory/1240-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-59-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-60-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-65-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1240-67-0x0000000000400000-0x0000000000482000-memory.dmp