Malware Analysis Report

2024-12-07 22:25

Sample ID: 240407-b5t4lsab46
Target: d64eaf4fdb118d765221f465c095ac33.bin
SHA256: 5122b9436dceb9faafd1d16c5087684ee43ee76a4d4e6f2428fc708e73ffe116
Tags: remotehost remcos
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 5122b9436dceb9faafd1d16c5087684ee43ee76a4d4e6f2428fc708e73ffe116

Threat Level: Known bad

The file d64eaf4fdb118d765221f465c095ac33.bin was found to be: Known bad.

Malicious Activity Summary

remotehost remcos

Remcos family

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-07 01:44

Signatures

Remcos family

remcos

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 01:44
Reported: 2024-04-07 01:46
Platform: win7-20240221-en
Max time kernel: 147s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe
  "C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe"

Network

Country  Destination         Domain            Proto
US       8.8.8.8:53          rzaz.duckdns.org  udp
US       89.117.23.22:57834  rzaz.duckdns.org  tcp
US       8.8.8.8:53          geoplugin.net     udp
NL       178.237.33.50:80    geoplugin.net     tcp

Files

C:\ProgramData\remcos\logs.dat
  MD5     03eb106b1dc6bddd7212aa8e5e0bdfda
  SHA1    a69d2788fd2123a94715d8c8242e12aaf335fd22
  SHA256  ee2da1a29dc7b674fb343693787eafaaa0a132ca76d082eef02c0962f9a46c98
  SHA512  17021fe742f896a320c1fabdccb749562eac02db76be1b7a67a1cba6005f741bf8e97a44a4b1d52ca9764a473950f05c35fede28973ab195bfa6ba3d20f857a3

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 01:44
Reported: 2024-04-07 01:46
Platform: win10v2004-20240226-en
Max time kernel: 148s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe
  "C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe"

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          rzaz.duckdns.org              udp
US       89.117.23.22:57834  rzaz.duckdns.org              tcp
US       8.8.8.8:53          154.239.44.20.in-addr.arpa    udp
US       8.8.8.8:53          22.23.117.89.in-addr.arpa     udp
US       8.8.8.8:53          249.197.17.2.in-addr.arpa     udp
US       8.8.8.8:53          71.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53          geoplugin.net                 udp
NL       178.237.33.50:80    geoplugin.net                 tcp
US       8.8.8.8:53          196.249.167.52.in-addr.arpa   udp
US       8.8.8.8:53          50.33.237.178.in-addr.arpa    udp
US       8.8.8.8:53          86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53          0.204.248.87.in-addr.arpa     udp
US       8.8.8.8:53          14.227.111.52.in-addr.arpa    udp

Files

C:\ProgramData\remcos\logs.dat
  MD5     ab7ad444afa6edf0096e9cc4cd74747e
  SHA1    2e056787d6e8e7a45e92bdf886e3f44ff104964d
  SHA256  08b98ff3715744c959f9249781939aae8d43501df4c1039a86475430154473a1
  SHA512  606c09443339a68344469036e11e0a79da0b64d10b3582ff0d394b259023f4efc5317ce1a16166ddf8ef1f89183de4654cebd4f09ae347f05c9412d3ee2d8d68