Malware Analysis Report

2024-12-07 22:25

Sample ID 240406-b4gf5agg2x
Target d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe
SHA256 d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229
Tags
remotehost remcos
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229

Threat Level: Known bad

The file d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe was found to be: Known bad.

Malicious Activity Summary

remotehost remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Remcos family

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-06 01:41

Signatures

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 01:41

Reported

2024-04-06 01:44

Platform

win7-20240319-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe

"C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rxms.duckdns.org udp
US 89.117.23.25:57832 rxms.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\ProgramData\remcos\logs.dat

MD5 4db50aea32779f50c14d12721ba024e6
SHA1 e8db90f99fa825424b713da183419a0cc045bd86
SHA256 50b3e408b398ea6e38e63153aafc2e5e3bf9b83546e4db41203cb240e259dc4c
SHA512 335a1903873c218daba44930815a6ec6a3faf47a8dd76b3261b4fca82e0e178df206b13db4afe3fece4750ba01c52e5f13d73b3b3a56afc2b848c0acb9c1e7d0

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 01:41

Reported

2024-04-06 01:44

Platform

win10v2004-20240226-en

Max time kernel

159s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe

"C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rxms.duckdns.org udp
US 89.117.23.25:57832 rxms.duckdns.org tcp
US 8.8.8.8:53 25.23.117.89.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

C:\ProgramData\remcos\logs.dat

MD5 63069d3d36053cfec1fc68f51a26e26f
SHA1 44fd4a3056a71674d9ee46aca3b298b9c14ced68
SHA256 60a1d1d331864be70a0d010ea2505883c6a194e8c9e13759728d770cc1e50157
SHA512 3cb9dd4f6df4dc05e8ca01544e868c400f98ee7f40e549218d3b75d01e68ca41c86785f89382adc033853fd3e05116678b320387356e56ffa25c96603911b044