Malware Analysis Report

2024-12-07 22:29

Sample ID 240406-bj7gtagg39
Target 3ae2a8fcc969ec131e6ea2387dbdbdc6dd9ef216fc4a04990a403b7a38494778.exe
SHA256 3ae2a8fcc969ec131e6ea2387dbdbdc6dd9ef216fc4a04990a403b7a38494778
Tags remotehost remcos
Score 10/10


Analysis Overview

Score 10/10

SHA256 3ae2a8fcc969ec131e6ea2387dbdbdc6dd9ef216fc4a04990a403b7a38494778

Threat Level: Known bad

The file 3ae2a8fcc969ec131e6ea2387dbdbdc6dd9ef216fc4a04990a403b7a38494778.exe was found to be: Known bad.

Malicious Activity Summary

remotehost remcos

Remcos family

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-04-06 01:11

Signatures

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-06 01:11
Reported 2024-04-06 01:14
Platform win7-20240221-en
Max time kernel 147s
Max time network 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ae2a8fcc969ec131e6ea2387dbdbdc6dd9ef216fc4a04990a403b7a38494778.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ae2a8fcc969ec131e6ea2387dbdbdc6dd9ef216fc4a04990a403b7a38494778.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3ae2a8fcc969ec131e6ea2387dbdbdc6dd9ef216fc4a04990a403b7a38494778.exe

"C:\Users\Admin\AppData\Local\Temp\3ae2a8fcc969ec131e6ea2387dbdbdc6dd9ef216fc4a04990a403b7a38494778.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rxms.duckdns.org udp
US 89.117.23.25:57832 rxms.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\ProgramData\remcos\logs.dat

MD5 2fdb376e3535886d3f9787c93dde0ba1
SHA1 f1d92fd65b2f1c7632b90d22cbddb9396d3ec23e
SHA256 7f6d004889f69a450a16ed73ccbcad0fa0be673697002efd4ab18fafec249d08
SHA512 a49e9dfc5c303e9fa546f52d87a1859c1fb8d48834a198d9d50e988fd1c72c10704d1d6dd806ad087b5958d2fc4cc6f05087a1fdaf64ec48b55a22ec5aab3e5b

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-06 01:11
Reported 2024-04-06 01:14
Platform win10v2004-20231215-en
Max time kernel 148s
Max time network 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ae2a8fcc969ec131e6ea2387dbdbdc6dd9ef216fc4a04990a403b7a38494778.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ae2a8fcc969ec131e6ea2387dbdbdc6dd9ef216fc4a04990a403b7a38494778.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3ae2a8fcc969ec131e6ea2387dbdbdc6dd9ef216fc4a04990a403b7a38494778.exe

"C:\Users\Admin\AppData\Local\Temp\3ae2a8fcc969ec131e6ea2387dbdbdc6dd9ef216fc4a04990a403b7a38494778.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rxms.duckdns.org udp
US 89.117.23.25:57832 rxms.duckdns.org tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 25.23.117.89.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 114.136.73.23.in-addr.arpa udp

Files

C:\ProgramData\remcos\logs.dat

MD5 2fdb376e3535886d3f9787c93dde0ba1
SHA1 f1d92fd65b2f1c7632b90d22cbddb9396d3ec23e
SHA256 7f6d004889f69a450a16ed73ccbcad0fa0be673697002efd4ab18fafec249d08
SHA512 a49e9dfc5c303e9fa546f52d87a1859c1fb8d48834a198d9d50e988fd1c72c10704d1d6dd806ad087b5958d2fc4cc6f05087a1fdaf64ec48b55a22ec5aab3e5b