Malware Analysis Report

2024-12-07 22:25

Sample ID 240408-pf2daacb9w
Target 3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe
SHA256 3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811
Tags
remcos remotehost rat
score
10/10

Analysis Overview

score
10/10

SHA256

3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811

Threat Level: Known bad

The file 3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Executes dropped EXE

Loads dropped DLL

Drops startup file

AutoIT Executable

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-08 12:17

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 12:17

Reported

2024-04-08 12:19

Platform

win7-20240221-en

Max time kernel

149s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs C:\Users\Admin\AppData\Local\Archimago\antholite.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 3012 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2680 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2536 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 584 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2640 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 624 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 1596 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 1824 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 1724 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2800 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2880 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 3004 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 840 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 932 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 608 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe

"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"

Network

N/A

Files

memory/2240-10-0x00000000000B0000-0x00000000000B4000-memory.dmp

\Users\Admin\AppData\Local\Archimago\antholite.exe

MD5 7bfe31b6c816c141615af2264b53289a
SHA1 3eac86735396e6efa9bb5acf6eba800201c36b41
SHA256 f060e0438738c21a2ce289d750841f2fe6368a9dddf5d4bdb8f4df1608fc8644
SHA512 a6ca51a450083480a3b3dc5ea6c4afafd1db92b3f417368d4480a4ceed57201a14f4b7d76dc509d561d38f33cc823e9f58724e9973e520117392a70d1906ea31

C:\Users\Admin\AppData\Local\Temp\Bactris

MD5 7116dd94279c33e80b987344d27b53e4
SHA1 78c3aa04a477f17b2e9c157663ceb99765690986
SHA256 b747286ea89931d724a30cbc007400f956a76bedc1b61c4213b97d1fa4dc29e0
SHA512 64698773a5961c70e74dfe432a569c756d6c4868080ea95c0dd14f3c90878643626439d6dc411de879fab84dd2ee0a415666143fb1c3b0cb7f9281b161dc5773

C:\Users\Admin\AppData\Local\Temp\Archimago

MD5 6ab1c336cc31c275489f031d8d48e74b
SHA1 fd0a211434df571099c5e6387f446f87b9e71a9d
SHA256 ac04026bf644efd9ad1d3c939624d3a0394a22726a730e3c3250d0d10cda5898
SHA512 ce19f57c86b62955f7049d8479f43584fecea46bfbd7e554d502dbf89a51b9676376e1678292c1aa4eec1bcb555670f34b34dfa20b63ebb9b80a918cdbc55861

C:\Users\Admin\AppData\Local\Temp\autA62F.tmp

MD5 8d36b56c267c27772ce6a15b42b90350
SHA1 5a987d525639f4db6ce5d0b634381010dd7b8d74
SHA256 0ac2294060c8dd64ae6d64030ae38f69aaa59127a6b2ad6b7f3e18fe053e4ae1
SHA512 95e84f3acdc07f28c07e947b6c3ebc604cbe8dd5f061e6c86a61dff972e9d31892ff12ff52dd49570f7af65b87bda6af65f4da44ef16b8ebb07ed30033307bd8

C:\Users\Admin\AppData\Local\Temp\autA5FF.tmp

MD5 448647e1e62fa723b9d510d77dd1ea69
SHA1 0928f5cd7d5a33885fea044fbb226ef7f9b69e52
SHA256 c6b28b9c9398c5a6ffccd11f35c13f53ba3fec610ab67f42f1af322f60ee9052
SHA512 b059a3300542c145894591340d99cc3c5f0301a2fd88ccc2b759b794891fb4fc56e7a3b9b83ab202b9d988f30a473c573c20904f99e4d7fa227e6158e05baf45

C:\Users\Admin\AppData\Local\Temp\Bactris

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

MD5 5e9ef25c39a7771c5abc4176456c185f
SHA1 994d4a28d053c8f2392328ff24e68a16c8c51a78
SHA256 2b5a8fb6767fd9388e3ff964fab9c80a9605f09788c1c4998e6716b2eee6daab
SHA512 4fedfa32095c1a47baeec731621643f2313edd8679659194704f5c88d867478c4f062bcff705d0ed09176b70a1cedcde2d1c33cb3d97d26e3b956796506c1a1a

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

MD5 24bd52c92412cef9d7f862d419de5a5b
SHA1 7eeab8a87c19c00afb90dce855ee88f44fb06ccd
SHA256 c427bbee44762d17c274375044e267f4a001071763e897f8dd5fc196d85cecc4
SHA512 f022fa4d8d0bde9ba7322eeda1651a236d99f49b468182266838c944d2e78e25128275b902c611cc645429ea1223586e3339820b27cd68d2a0ceb8be099bad72

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 12:17

Reported

2024-04-08 12:19

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"

Signatures

Remcos

rat remcos

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs C:\Users\Admin\AppData\Local\Archimago\antholite.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe

"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 193.222.96.75:8823 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
GB 216.58.212.202:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp

Files

memory/3296-10-0x0000000001540000-0x0000000001544000-memory.dmp

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

MD5 02d5429f3a650200e86c2d31575ef4f4
SHA1 95376106938578a148aff2d88c7c37ecae069deb
SHA256 e318569663f67661884567de91aed1f650ceae7bfa325958ed7121e338c96357
SHA512 4ef3d65f0831c8c683ef0649f362d607872fa9aa769ed28347ce3fe87bd4d6f11a6d0c8e8fe87219f33111dd4ce2fbe9ed7cefebaabf7060daa6d0889744b7b2

C:\Users\Admin\AppData\Local\Temp\Archimago

MD5 6ab1c336cc31c275489f031d8d48e74b
SHA1 fd0a211434df571099c5e6387f446f87b9e71a9d
SHA256 ac04026bf644efd9ad1d3c939624d3a0394a22726a730e3c3250d0d10cda5898
SHA512 ce19f57c86b62955f7049d8479f43584fecea46bfbd7e554d502dbf89a51b9676376e1678292c1aa4eec1bcb555670f34b34dfa20b63ebb9b80a918cdbc55861

C:\Users\Admin\AppData\Local\Temp\Bactris

MD5 7116dd94279c33e80b987344d27b53e4
SHA1 78c3aa04a477f17b2e9c157663ceb99765690986
SHA256 b747286ea89931d724a30cbc007400f956a76bedc1b61c4213b97d1fa4dc29e0
SHA512 64698773a5961c70e74dfe432a569c756d6c4868080ea95c0dd14f3c90878643626439d6dc411de879fab84dd2ee0a415666143fb1c3b0cb7f9281b161dc5773

C:\ProgramData\remcos\logs.dat

MD5 4512a980db75f3ec2ffce0f67cbc3706
SHA1 ae31693339221dc217aff05d7407642b9257de08
SHA256 4a65de426959a6d57b3db017c190d8a3c53aef4ff92d74199141d49939c98389
SHA512 b4a86b751cb5d1b90a34a18cb0ebbbed864591ea6fec1c1049d5469a5c464c7e2faa7cf4475b979b2ad8330b301b7924299de054c8a449d41a086e496f9a75e6
