Malware Analysis Report

2025-01-02 03:13

Sample ID 240406-bhyhhsgc2y
Target 2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe
SHA256 2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17
Tags
remotehost remcos
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17

Threat Level: Known bad

The file 2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe was found to be: Known bad.

Malicious Activity Summary

remotehost remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Remcos family

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-06 01:09

Signatures

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Remcos family

remcos

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 01:09

Reported

2024-04-06 01:11

Platform

win7-20240319-en

Max time kernel

148s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe

"C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe"

Network

Country  Destination         Domain            Proto
US       8.8.8.8:53          rxmz.duckdns.org  udp
US       89.117.23.22:57833  rxmz.duckdns.org  tcp
US       8.8.8.8:53          geoplugin.net     udp
NL       178.237.33.50:80    geoplugin.net     tcp

Files

C:\ProgramData\remcos\logs.dat

MD5 cf54b4317eb351fdb7042bfc6c0f47c7
SHA1 f9247ec81c3a30c210b919b02b069ce5a9a190b6
SHA256 2e1a12bd61147a60468c32d19e32c49039e1e436f024a884530278509da755a2
SHA512 217291bfff991f152ecf592f5809be73ff3602213eb99ac52ec5ea09f0d82be1a45dcb7c0ebaf775ecfad2ec39c6a71fb2c7944fb148169a82e35ac0b9729bcc

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 01:09

Reported

2024-04-06 01:11

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe

"C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2700,i,14629483171127516024,12350888228055326066,262144 --variations-seed-version /prefetch:8

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           209.205.72.20.in-addr.arpa     udp
US       8.8.8.8:53           106.136.73.23.in-addr.arpa     udp
US       8.8.8.8:53           rxmz.duckdns.org               udp
US       89.117.23.22:57833   rxmz.duckdns.org               tcp
US       8.8.8.8:53           22.23.117.89.in-addr.arpa      udp
US       8.8.8.8:53           geoplugin.net                  udp
NL       178.237.33.50:80     geoplugin.net                  tcp
US       8.8.8.8:53           133.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53           50.33.237.178.in-addr.arpa     udp
US       8.8.8.8:53           149.220.183.52.in-addr.arpa    udp
US       13.107.253.64:443    (none)                         tcp
US       8.8.8.8:53           103.169.127.40.in-addr.arpa    udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53           130.118.77.104.in-addr.arpa    udp
US       8.8.8.8:53           98.136.73.23.in-addr.arpa      udp
US       8.8.8.8:53           144.136.73.23.in-addr.arpa     udp
US       8.8.8.8:53           chromewebstore.googleapis.com  udp
US       8.8.8.8:53           chromewebstore.googleapis.com  udp
DE       142.250.186.106:443  chromewebstore.googleapis.com  tcp
US       8.8.8.8:53           106.186.250.142.in-addr.arpa   udp

Files

C:\ProgramData\remcos\logs.dat

MD5 62fb6a1604d0951925351710f8923e4b
SHA1 07185e2521bef234e616e51c6143a5a16cedd0d1
SHA256 c4fd5788bb1fea9cc73fda38f35faf7f29b02a1df64320ed1c788789b38b8b0a
SHA512 095895f6ef4d70c96b54796bdb691e2c842e79b9035e0610f0dcf62c5043c33a089a8d828b32f22deb7daf94b20af132ce97ff0180ff89b90f8a581808105c3a