Malware Analysis Report

2024-12-07 22:30

Sample ID 240406-bee7rsge95
Target 0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe
SHA256 0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383
Tags remotehost remcos
Score 10/10

Analysis Overview

Score 10/10

SHA256

0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383

Threat Level: Known bad

The file 0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe was found to be: Known bad.

Malicious Activity Summary

remotehost remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Remcos family

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-06 01:03

Signatures

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Remcos family

remcos

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 01:03

Reported

2024-04-06 01:05

Platform

win7-20240221-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                                                                                     Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe

"C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe"

Network

Country  Destination          Domain            Proto
US       8.8.8.8:53           rzaz.duckdns.org  udp
US       89.117.23.22:57834   rzaz.duckdns.org  tcp
US       8.8.8.8:53           geoplugin.net     udp
NL       178.237.33.50:80     geoplugin.net     tcp

Files

C:\ProgramData\remcos\logs.dat

MD5 ceb6e07aa15ff2aeb1a637c5e935b618
SHA1 e322003300ea5c0c7500bc4c1f2125b93952f34a
SHA256 03d0d7eb1a1b81dfc25556d0bcbc8764eca443c0afa081f9045da042ef81298d
SHA512 c372350896afcd3b899a07369c4949874ecf453573e2b5ec73e3e2e35545ed0cf6b0af9384858c5c9c0bb7b357573b1fe62dd6e89e70d5c86a51b6059b23b58f

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 01:03

Reported

2024-04-06 01:05

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                                                                                     Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe

"C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe"

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           rzaz.duckdns.org               udp
US       89.117.23.22:57834   rzaz.duckdns.org               tcp
US       8.8.8.8:53           104.219.191.52.in-addr.arpa    udp
US       8.8.8.8:53           22.23.117.89.in-addr.arpa      udp
US       8.8.8.8:53           0.204.248.87.in-addr.arpa      udp
US       8.8.8.8:53           68.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53           geoplugin.net                  udp
NL       178.237.33.50:80     geoplugin.net                  tcp
US       8.8.8.8:53           50.33.237.178.in-addr.arpa     udp
US       8.8.8.8:53           13.86.106.20.in-addr.arpa      udp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53           121.118.77.104.in-addr.arpa    udp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa      udp
US       8.8.8.8:53           11.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53           10.173.189.20.in-addr.arpa     udp

Files

C:\ProgramData\remcos\logs.dat

MD5 686adedd45b8e3e10492c91035bae251
SHA1 f90461c3a23e244a568dc0437308fb40dc6c43b7
SHA256 e07b44df4b082aed9692ab753678033a49f191a84a8355655745c4a37881230b
SHA512 4662623e6880cae30ea5255ffe0711cd87e1a3c42334cfbac9f9b045592bf1eb4282933d15756f9d332af11354982251c9486c68f11dcecae2b5d6ccdb5527f9