Malware Analysis Report

2024-12-07 22:27

Sample ID 240406-byvrkagf31
Target bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe
SHA256 bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4
Tags
remotehost remcos rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4

Threat Level: Known bad

The file bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe was found to be: Known bad.

Malicious Activity Summary

remotehost remcos rat

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Remcos family

Remcos


Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A (no techniques were mapped by the sandbox for this sample; the CMSTP signature in the summary above references T1218.003)

Analysis: static1

Detonation Overview

Reported

2024-04-06 01:33

Signatures

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 01:33

Reported

2024-04-06 01:36

Platform

win7-20240221-en

Max time kernel

153s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A (20 identical rows in the original report, all fields N/A)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2596 set thread context of 3056 N/A C:\Users\Admin\AppData\Local\Temp\bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe

"C:\Users\Admin\AppData\Local\Temp\bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 rxms.duckdns.org udp
US 89.117.23.25:57832 rxms.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

memory/3056-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3056-2-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-4-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-6-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-5-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-8-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-9-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-10-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-11-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-12-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-13-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-19-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-20-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-22-0x00000000000D0000-0x0000000000152000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 544c6e04edc8d21a1d6f8ba848921943
SHA1 ab898b30340b4f5712fdc42046a8f0a1ac13ae3e
SHA256 1d73acd5d215395178660f67f85ae9e4ac8d69b7853611200977012d637083f8
SHA512 c8460cfce6d349ffe81966011bac21bedbbd2249a8cde7e6e8c78da79bbb3b5fd77f9350dbb7961374880b27b8598c3f102bb2488eada57fe32a3ed4c43094c8

memory/3056-28-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-29-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-36-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-37-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-44-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-52-0x00000000000D0000-0x0000000000152000-memory.dmp

memory/3056-53-0x00000000000D0000-0x0000000000152000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 01:33

Reported

2024-04-06 01:36

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A (20 identical rows in the original report, all fields N/A)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4076 set thread context of 1276 N/A C:\Users\Admin\AppData\Local\Temp\bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe \??\c:\program files (x86)\internet explorer\iexplore.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe

"C:\Users\Admin\AppData\Local\Temp\bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3844 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 rxms.duckdns.org udp
US 89.117.23.25:57832 rxms.duckdns.org tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 25.23.117.89.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 142.250.181.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 234.181.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp

Files

memory/1276-0-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-1-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-2-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-4-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-6-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-7-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-8-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-9-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-10-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-11-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-14-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-15-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-20-0x0000000000730000-0x00000000007B2000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 9f44aabd90d5e31633def1f5e094c83d
SHA1 1efc90c376ebe575904bb57ea34bc6741142d2b7
SHA256 e3aa7d7ec15ca05a011754ebabd6688f9bbc806c048ad94cb62bd3d1935ca99d
SHA512 3ca0564ffadcfbb3df660c08ed05b7d0dd20b66f6626c7601c81bec6af8569564d8dda0808566b747db170f73f6a8c70f1da9de366253658ae579c4035ae9717

memory/1276-23-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-24-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-31-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-39-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-40-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-47-0x0000000000730000-0x00000000007B2000-memory.dmp

memory/1276-48-0x0000000000730000-0x00000000007B2000-memory.dmp
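Both runs show the same pattern: the dropper running from %TEMP% calls SetThreadContext on a trusted host process (svchost.exe on Windows 7, iexplore.exe on Windows 10), and the sandbox then dumps one region of that target's memory repeatedly while it executes. The script below is an added example, not from the report, that correlates the "set thread context" rows with the memory/<pid>-... dump names and compares the injected regions across the two runs. The path heuristics behind the "hollowing pattern" flag are assumptions, and the embedded excerpt is constructed from lines of the report above.

```python
import re
from collections import defaultdict

# Constructed excerpt: the SetThreadContext rows and a few memory-dump names from both runs.
REPORT_EXCERPT = r"""
PID 2596 set thread context of 3056 N/A C:\Users\Admin\AppData\Local\Temp\bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe C:\Windows\SysWOW64\svchost.exe
memory/3056-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3056-2-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/3056-53-0x00000000000D0000-0x0000000000152000-memory.dmp
PID 4076 set thread context of 1276 N/A C:\Users\Admin\AppData\Local\Temp\bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
memory/1276-0-0x0000000000730000-0x00000000007B2000-memory.dmp
memory/1276-48-0x0000000000730000-0x00000000007B2000-memory.dmp
"""

# Row format used by the report: "PID <src> set thread context of <dst> N/A <src path> <dst path>".
# The source path has no spaces; the target path may (e.g. "program files (x86)").
INJECT_RE = re.compile(
    r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) N/A (?P<src_path>\S+) (?P<dst_path>.+)$"
)
# Dump name format: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Assumption: a heuristic, not a rule from the report. A binary staged in a user-writable
# location that drives a thread in a binary under Windows or Program Files is the classic
# process-hollowing shape.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\programdata\\")
TRUSTED_HOSTS = ("\\windows\\", "\\program files")


def parse_injections(text):
    out = []
    for line in text.splitlines():
        m = INJECT_RE.match(line.strip())
        if m:
            out.append({"src": int(m["src"]), "dst": int(m["dst"]),
                        "src_path": m["src_path"], "dst_path": m["dst_path"]})
    return out


def parse_regions(text):
    """Map pid -> set of (start, end) address ranges; repeated dumps collapse to one entry."""
    regions = defaultdict(set)
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
    return regions


def is_hollowing_pattern(src_path, dst_path):
    s, d = src_path.lower(), dst_path.lower()
    return any(p in s for p in USER_WRITABLE) and any(p in d for p in TRUSTED_HOSTS)


def summarize(text):
    """One record per injection: target image, flag, and the target's dumped regions."""
    regions = parse_regions(text)
    out = []
    for inj in parse_injections(text):
        dst_regions = sorted(regions.get(inj["dst"], set()))
        sizes = [end - start for start, end in dst_regions]
        out.append({
            "src_pid": inj["src"],
            "dst_pid": inj["dst"],
            "dst_image": inj["dst_path"].split("\\")[-1].lower(),
            "hollowing_pattern": is_hollowing_pattern(inj["src_path"], inj["dst_path"]),
            "regions": [(hex(s), hex(e), e - s) for s, e in dst_regions],
            # The largest dumped region is the best candidate for the unpacked payload image.
            "payload_size": max(sizes) if sizes else 0,
        })
    return out


if __name__ == "__main__":
    for rec in summarize(REPORT_EXCERPT):
        print(rec)
```

Run as-is, it shows that the repeatedly dumped region is 0x82000 bytes in both runs (0xD0000-0x152000 inside svchost.exe, 0x730000-0x7B2000 inside iexplore.exe), which is what you would expect if the same unpacked Remcos image is written into whichever host process the build selects; the single 0x7EFDE000 page in the Windows 7 run is dumped once and is not part of that payload. The same correlation is the first thing to do with a live EDR alert on SetThreadContext: confirm the source is an unsigned binary in a user-writable path, identify the target, and pull the largest newly committed region of the target for static analysis before the sample reaches its C2.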