Malware Analysis Report

2024-12-07 22:31

Sample ID 240408-phlqlscc4w
Target 3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811
SHA256 3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811
Tags
remcos remotehost rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811

Threat Level: Known bad

The file 3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811 was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Drops startup file

Executes dropped EXE

Loads dropped DLL

AutoIT Executable

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-08 12:19

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 12:19

Reported

2024-04-08 12:22

Platform

win7-20240221-en

Max time kernel

107s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs C:\Users\Admin\AppData\Local\Archimago\antholite.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (7 identical rows; the sandbox recorded no indicator, process or target)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe N/A (2 events)
N/A N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe N/A (43 events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe N/A (2 events)
N/A N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe N/A (43 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2520 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2520 wrote to memory of 2676 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2676 wrote to memory of 2452 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2452 wrote to memory of 2448 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2448 wrote to memory of 2412 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2412 wrote to memory of 2688 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2688 wrote to memory of 2872 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2872 wrote to memory of 364 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 364 wrote to memory of 2112 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2112 wrote to memory of 1776 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 1776 wrote to memory of 2876 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2876 wrote to memory of 1660 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 1660 wrote to memory of 2024 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2024 wrote to memory of 2084 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 2084 wrote to memory of 1980 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
PID 1980 wrote to memory of 608 (4 events) N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe C:\Users\Admin\AppData\Local\Archimago\antholite.exe
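The table above shows a 16-hop chain: the dropper (PID 2972) writes into the memory of the antholite.exe copy it launched, and every copy in turn launches and writes into the next one, four writes per hop, ending at PID 608. The Python below is an added example and not part of the sandbox report. It parses rows in the table's own text layout, rebuilds the chain from writer-to-target edges, and labels each hop by whether writer and target share an image path (the first hop is dropper-to-implant, the remaining fifteen are self-to-self). The row strings are transcribed from the table with the four-fold repetition reproduced; the regex assumes, as holds here, that sandbox paths contain no spaces.

```python
import re
from collections import Counter, defaultdict

# Image paths exactly as they appear in the behavioral1 report.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"
IMPLANT = r"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"

# (writer PID, target PID) hops transcribed from the WriteProcessMemory table;
# the report lists every hop four times, which sample_rows() reproduces.
HOPS = [(2972, 2520), (2520, 2676), (2676, 2452), (2452, 2448), (2448, 2412),
        (2412, 2688), (2688, 2872), (2872, 364), (364, 2112), (2112, 1776),
        (1776, 2876), (2876, 1660), (1660, 2024), (2024, 2084), (2084, 1980),
        (1980, 608)]

def sample_rows():
    """Rebuild the table rows (Description Indicator Process Target) as text."""
    rows = []
    for src, dst in HOPS:
        writer = DROPPER if src == 2972 else IMPLANT
        rows.extend([f"PID {src} wrote to memory of {dst} N/A {writer} {IMPLANT}"] * 4)
    return rows

# Sandbox paths here contain no spaces, so whitespace splitting is safe (assumption).
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")

def parse_rows(rows):
    """Return ({(writer, target): event count}, {pid: image path})."""
    events, image = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, dst, _indicator, writer_img, target_img = m.groups()
        src, dst = int(src), int(dst)
        events[(src, dst)] += 1
        image.setdefault(src, writer_img)
        image.setdefault(dst, target_img)
    return events, image

def find_roots(events):
    """PIDs that write to others but were never written to: chain starting points."""
    writers = {s for s, _ in events}
    targets = {t for _, t in events}
    return sorted(writers - targets)

def build_chain(events, root):
    """Follow writer -> target edges while each PID writes to exactly one new target."""
    children = defaultdict(list)
    for src, dst in events:
        children[src].append(dst)
    chain, seen = [root], {root}
    while chain[-1] in children:
        nxt = children[chain[-1]]
        if len(nxt) != 1 or nxt[0] in seen:  # fan-out or cycle: stop here
            break
        chain.append(nxt[0])
        seen.add(nxt[0])
    return chain

def classify_hops(chain, image):
    """'self' when writer and target run the same image, 'cross-image' otherwise."""
    return ["self" if image[a] == image[b] else "cross-image"
            for a, b in zip(chain, chain[1:])]

def summarize(rows):
    events, image = parse_rows(rows)
    roots = find_roots(events)
    chain = build_chain(events, roots[0]) if roots else []
    return {
        "root": roots[0] if roots else None,
        "chain": chain,
        "hops": len(chain) - 1,
        "writes_per_hop": sorted(set(events.values())),
        "hop_kinds": Counter(classify_hops(chain, image)),
    }

if __name__ == "__main__":
    s = summarize(sample_rows())
    print(f"root PID {s['root']}, {s['hops']} hops, writes per hop {s['writes_per_hop']}")
    print(" -> ".join(str(p) for p in s["chain"]))
    print(dict(s["hop_kinds"]))
```

Run stand-alone it prints the chain; on an exported report, replace sample_rows() with the table rows. In this run the chain is accompanied by no network activity and no Remcos detection, unlike behavioral2, so neither run on its own is the complete behaviour.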

Processes

C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe

"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"

C:\Users\Admin\AppData\Local\Archimago\antholite.exe (35 further instances, all with the command line below)

"C:\Users\Admin\AppData\Local\Archimago\antholite.exe"

Network

N/A

Files

memory/2972-10-0x0000000000130000-0x0000000000134000-memory.dmp

\Users\Admin\AppData\Local\Archimago\antholite.exe

MD5 a60701346345cf46d583d9e509c59afa
SHA1 e46ce22eaa363adac4526e25a514da8837bc3756
SHA256 fd88007076ae324968aa11033f24d5b281b03415925f286454752669bff95a9f
SHA512 8eb647c5d9dc7b44b3209c3b69124257674f43a6520bbdb0e0f4c3a9df1e53380d750b234ceb7893fdc597680e7f3418621c069135ae2e307c78c0a7857fe96f

C:\Users\Admin\AppData\Local\Temp\Archimago

MD5 6ab1c336cc31c275489f031d8d48e74b
SHA1 fd0a211434df571099c5e6387f446f87b9e71a9d
SHA256 ac04026bf644efd9ad1d3c939624d3a0394a22726a730e3c3250d0d10cda5898
SHA512 ce19f57c86b62955f7049d8479f43584fecea46bfbd7e554d502dbf89a51b9676376e1678292c1aa4eec1bcb555670f34b34dfa20b63ebb9b80a918cdbc55861

C:\Users\Admin\AppData\Local\Temp\Bactris

MD5 7116dd94279c33e80b987344d27b53e4
SHA1 78c3aa04a477f17b2e9c157663ceb99765690986
SHA256 b747286ea89931d724a30cbc007400f956a76bedc1b61c4213b97d1fa4dc29e0
SHA512 64698773a5961c70e74dfe432a569c756d6c4868080ea95c0dd14f3c90878643626439d6dc411de879fab84dd2ee0a415666143fb1c3b0cb7f9281b161dc5773

C:\Users\Admin\AppData\Local\Temp\Bactris

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\aut7465.tmp

MD5 448647e1e62fa723b9d510d77dd1ea69
SHA1 0928f5cd7d5a33885fea044fbb226ef7f9b69e52
SHA256 c6b28b9c9398c5a6ffccd11f35c13f53ba3fec610ab67f42f1af322f60ee9052
SHA512 b059a3300542c145894591340d99cc3c5f0301a2fd88ccc2b759b794891fb4fc56e7a3b9b83ab202b9d988f30a473c573c20904f99e4d7fa227e6158e05baf45

C:\Users\Admin\AppData\Local\Temp\aut77EF.tmp

MD5 8d36b56c267c27772ce6a15b42b90350
SHA1 5a987d525639f4db6ce5d0b634381010dd7b8d74
SHA256 0ac2294060c8dd64ae6d64030ae38f69aaa59127a6b2ad6b7f3e18fe053e4ae1
SHA512 95e84f3acdc07f28c07e947b6c3ebc604cbe8dd5f061e6c86a61dff972e9d31892ff12ff52dd49570f7af65b87bda6af65f4da44ef16b8ebb07ed30033307bd8

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

MD5 d48fc06ed5e1701362ab1d7f3fa4d1c1
SHA1 394039a7fa639831977c1a2e05e82435a41b05d2
SHA256 69e9bf22c68ad005e0e771e2546b4f1bce2111ebfef5a71159683d090ce1d621
SHA512 90791e51c6128d8ebbef5f7ad933dc6d0cae23e8a2a8741fe4597655b90f0ada65e86c5140b2f6491a27a0fee276d2ce7ac68c0ae6b74f60675250eb6a8ac0fc

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

MD5 4ef06b8f4db249963c8c5361072d1fe6
SHA1 b5bca41fec5bbc03c1b6e50af74f610ca7606b4a
SHA256 cf7474f7e2aca7d79dc15dc3a1bad868a7bd4997707d399d8ba8f70a931dc00b
SHA512 7bee3d3a49cf6d56f1627519937c93ca00b661f2e734b9df30a4758ffb6c8127895a250f18cac7fb8769fe0a506f5b9badd788ebbf037150f461be5252e3be4a

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

MD5 9f894d60c072a5ef0e3e69837eb52e3c
SHA1 e4e8a5ab871adb7bc37c1a7d4adbe8bb5fb4e512
SHA256 2b1da68739c7215d40bdc313dc11a9b2e204a55917a15e14af1570dc2e2b6526
SHA512 5f65745c0965adaa86d789372464f8e831ff9fbe269d53e00f3775d9abd63c9e6be25335e361ee12097252124b2d2dc11cb2d1a3818ba86eba2a86380da28511

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

MD5 0ffaf337be822bdb476ee5dcf23ca47a
SHA1 43df0f8da6d6fa69a5e8d5a38bccbc8f5daf82aa
SHA256 2ef91b80eb1262e21537db252cc7b4487bd621c7c77527f39de1920e487d86e9
SHA512 d74f5b630b57831bb1d5da6f9c9284940b73de48f596da39a88e58f78acb348f2729fc8ba55e47cd33f1aa9afad39aef912e18b7e071997a0933abd451546e52

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

MD5 06a8deaccfebc18b2566a9cc444d3db7
SHA1 82b06107f096e90ba22e19995d8b6a8d87dee65a
SHA256 5aa33a068332a3652ebd527bc0f850c6e1a7cdc6a3d911f91dd590a1a6569984
SHA512 2409add0f8248ce0bbd1213b835cce0f993a93fe91dfa2e8068a864025194492b73fc003730a734bb555bb7bb2c4a4faa09632ac9ccecd5f958eaab058b7a7df

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

MD5 b99b1138e034e120b334324fefb7658b
SHA1 512012d6e23268275e91cff04447406dcac4dc4e
SHA256 412a25e0da673d707607499fa102861b28d1976aa2cd3501a074a179751259e4
SHA512 9d9a89c1ff60d4ccadc9052f94fd6ec0d1a450111e94ad80d220c1327298b08811c27829487e4effe0d33454450f6062925bbe067723c03e76afba940eae5b2d

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 12:19

Reported

2024-04-08 12:22

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"

Signatures

Remcos

rat remcos

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs C:\Users\Admin\AppData\Local\Archimago\antholite.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Archimago\antholite.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe

"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

"C:\Users\Admin\AppData\Local\Temp\3c9065a948387b76124f035b405d3644ac960b18d8ca7b0437c02d8c98b8b811.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
NL 193.222.96.75:8823 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
NL 193.222.96.75:8823 tcp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
NL 193.222.96.75:8823 tcp
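The table mixes two kinds of traffic: reverse-DNS (PTR) queries from the guest to 8.8.8.8 for eleven unrelated addresses, and 32 TCP connections to 193.222.96.75:8823 with no name lookup for that address anywhere in the table. The Python below is an added example and not part of the report. It parses rows in the table's layout, decodes each in-addr.arpa name back to the address it asks about, aggregates connections per destination, and flags destinations that are repeated, use an uncommon port and were never the subject of a lookup. It also emits a Suricata rule for each candidate; the sid is a placeholder in the local range and the common-port list is a hand-picked assumption.

```python
import re
from collections import Counter

# Rows transcribed from the behavioral2 Network table (Country Destination Domain
# Proto). The TCP row to 193.222.96.75:8823 occurs 32 times in the report.
NETWORK_ROWS = [
    "US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp",
    "US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp",
    "US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp",
    "US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp",
    "US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp",
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",
    "US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp",
    "US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp",
    "US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp",
    "US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp",
] + ["NL 193.222.96.75:8823 tcp"] * 32

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<name>\S+))? (?P<proto>tcp|udp)$")

def ptr_to_ip(name):
    """Decode a reverse-lookup name: '228.249.119.40.in-addr.arpa' -> '40.119.249.228'."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None

def parse(rows):
    """Split the table into reverse-DNS targets, forward query names and connections."""
    ptr_targets, query_names, conns = set(), set(), Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        ip, port, name, proto = m["ip"], int(m["port"]), m["name"], m["proto"]
        if port == 53 and proto == "udp" and name:
            ip_from_ptr = ptr_to_ip(name)
            if ip_from_ptr:
                ptr_targets.add(ip_from_ptr)
            else:
                query_names.add(name)
            continue
        conns[(ip, port, proto)] += 1
    return ptr_targets, query_names, conns

COMMON_PORTS = {53, 80, 123, 443}  # assumption: ports that do not by themselves raise suspicion

def c2_candidates(rows, min_conns=5):
    """Score each non-DNS destination; two or more reasons make it a candidate.
    The sandbox table shows only query names, not answers, so the DNS test can only
    say that the address was never the subject of a reverse lookup."""
    ptr_targets, _names, conns = parse(rows)
    out = []
    for (ip, port, proto), n in sorted(conns.items()):
        reasons = []
        if n >= min_conns:
            reasons.append(f"{n} repeated connections")
        if port not in COMMON_PORTS:
            reasons.append(f"non-standard port {port}")
        if ip not in ptr_targets:
            reasons.append("no reverse lookup for this address")
        if len(reasons) >= 2:
            out.append({"dst": f"{ip}:{port}", "proto": proto, "count": n, "reasons": reasons})
    return out

def suricata_rule(cand, sid):
    """Emit a Suricata rule for one candidate; sid is a placeholder in the local range."""
    ip, port = cand["dst"].split(":")
    return (f'alert {cand["proto"]} $HOME_NET any -> {ip} {port} '
            f'(msg:"Remcos C2 beacon to {cand["dst"]}"; flow:to_server; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')

if __name__ == "__main__":
    ptr_targets, _, conns = parse(NETWORK_ROWS)
    print("addresses the guest reverse-resolved:", sorted(ptr_targets))
    for cand in c2_candidates(NETWORK_ROWS):
        print(cand["dst"], cand["count"], "; ".join(cand["reasons"]))
        print(suricata_rule(cand, sid=1000001))
```

The PTR decoding matters because the raw table makes the eleven lookups look like eleven domains, when they are the guest asking who owns eleven addresses it already talked to; the C2 address is notable precisely for not being among them.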

Files

memory/3228-10-0x0000000000DC0000-0x0000000000DC4000-memory.dmp

C:\Users\Admin\AppData\Local\Archimago\antholite.exe

MD5 9855059c02e864d44ce01783aa823e4b
SHA1 77ac3e90425bfbbc9553a7c91abe70b06d928afd
SHA256 70b114ef436a2d8bc8f76ff0a9ebf9348a6b4fe7df2180d1536952c087ceb91f
SHA512 752a35e3f96ee0803a56eb640c12ac09ef3ac4ea928e2014043d62e4d93575012755cfd4a4ef34a79ffef762a37b114d4ba25ff1cb13437175fcd09ad8e0a584

C:\Users\Admin\AppData\Local\Temp\Bactris

MD5 7116dd94279c33e80b987344d27b53e4
SHA1 78c3aa04a477f17b2e9c157663ceb99765690986
SHA256 b747286ea89931d724a30cbc007400f956a76bedc1b61c4213b97d1fa4dc29e0
SHA512 64698773a5961c70e74dfe432a569c756d6c4868080ea95c0dd14f3c90878643626439d6dc411de879fab84dd2ee0a415666143fb1c3b0cb7f9281b161dc5773

C:\Users\Admin\AppData\Local\Temp\Archimago

MD5 6ab1c336cc31c275489f031d8d48e74b
SHA1 fd0a211434df571099c5e6387f446f87b9e71a9d
SHA256 ac04026bf644efd9ad1d3c939624d3a0394a22726a730e3c3250d0d10cda5898
SHA512 ce19f57c86b62955f7049d8479f43584fecea46bfbd7e554d502dbf89a51b9676376e1678292c1aa4eec1bcb555670f34b34dfa20b63ebb9b80a918cdbc55861

memory/2532-{28,29,31,33,34,35,36,38,39,40,42,43,44,46,47,48,50,51,52,53}-0x0000000000400000-0x0000000000482000-memory.dmp (20 snapshots of the same 0x82000-byte region in PID 2532)

C:\ProgramData\remcos\logs.dat

MD5 a6551f70f5e73e1ff746a2162cd0ecae
SHA1 0cf40aa39f8782d74b76f19f87f674d71b272f53
SHA256 baa791e8ebfcf63886a1904e65e8ebb520d99e4e82d6545337098e95e7307686
SHA512 fff3fd5615afa8a547504ffc0bd9cedd2664fd7138f8c6358bc1e1c8f79f21810669dfee23abf47a339a39f735fbd97330c69280a38842bb3148cac83565198b

memory/2532-{55,56,57,58,60,61,63,64,66,68,69,70,72,73,74,76,77,78,80,81,82,84,85,86,88,89,90,92,93,94,96,97,99,100,101,103,104,105,109,111,112,113,115,116}-0x0000000000400000-0x0000000000482000-memory.dmp (44 further snapshots of the same region in PID 2532)
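Both Files tables above list the same path, C:\Users\Admin\AppData\Local\Archimago\antholite.exe, with a different SHA-256 almost every time it is recorded (seven in behavioral1, an eighth in behavioral2), one Bactris entry carrying the digest of the empty file, and two Temp blobs whose hashes are identical across the two detonations. The Python below is an added example and not part of the report. It indexes the transcribed (path, SHA-256) pairs of both runs, normalises the paths so the drive-less \Users\Admin\... entry matches its C:\ sibling, and separates hashes that are stable across runs from paths whose content keeps changing. The %userprofile% token and treating the sandbox user as a profile prefix are assumptions of the example.

```python
from collections import defaultdict

# SHA-256 of the empty file. A path recorded with this digest was created or
# truncated but never given content, so it is not a usable hash IOC.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# (path, sha256) pairs transcribed from the two Files tables; memory dumps omitted.
RUN1_WIN7 = [
    (r"\Users\Admin\AppData\Local\Archimago\antholite.exe", "fd88007076ae324968aa11033f24d5b281b03415925f286454752669bff95a9f"),
    (r"C:\Users\Admin\AppData\Local\Temp\Archimago", "ac04026bf644efd9ad1d3c939624d3a0394a22726a730e3c3250d0d10cda5898"),
    (r"C:\Users\Admin\AppData\Local\Temp\Bactris", "b747286ea89931d724a30cbc007400f956a76bedc1b61c4213b97d1fa4dc29e0"),
    (r"C:\Users\Admin\AppData\Local\Temp\Bactris", EMPTY_SHA256),
    (r"C:\Users\Admin\AppData\Local\Temp\aut7465.tmp", "c6b28b9c9398c5a6ffccd11f35c13f53ba3fec610ab67f42f1af322f60ee9052"),
    (r"C:\Users\Admin\AppData\Local\Temp\aut77EF.tmp", "0ac2294060c8dd64ae6d64030ae38f69aaa59127a6b2ad6b7f3e18fe053e4ae1"),
    (r"C:\Users\Admin\AppData\Local\Archimago\antholite.exe", "69e9bf22c68ad005e0e771e2546b4f1bce2111ebfef5a71159683d090ce1d621"),
    (r"C:\Users\Admin\AppData\Local\Archimago\antholite.exe", "cf7474f7e2aca7d79dc15dc3a1bad868a7bd4997707d399d8ba8f70a931dc00b"),
    (r"C:\Users\Admin\AppData\Local\Archimago\antholite.exe", "2b1da68739c7215d40bdc313dc11a9b2e204a55917a15e14af1570dc2e2b6526"),
    (r"C:\Users\Admin\AppData\Local\Archimago\antholite.exe", "2ef91b80eb1262e21537db252cc7b4487bd621c7c77527f39de1920e487d86e9"),
    (r"C:\Users\Admin\AppData\Local\Archimago\antholite.exe", "5aa33a068332a3652ebd527bc0f850c6e1a7cdc6a3d911f91dd590a1a6569984"),
    (r"C:\Users\Admin\AppData\Local\Archimago\antholite.exe", "412a25e0da673d707607499fa102861b28d1976aa2cd3501a074a179751259e4"),
]
RUN2_WIN10 = [
    (r"C:\Users\Admin\AppData\Local\Archimago\antholite.exe", "70b114ef436a2d8bc8f76ff0a9ebf9348a6b4fe7df2180d1536952c087ceb91f"),
    (r"C:\Users\Admin\AppData\Local\Temp\Bactris", "b747286ea89931d724a30cbc007400f956a76bedc1b61c4213b97d1fa4dc29e0"),
    (r"C:\Users\Admin\AppData\Local\Temp\Archimago", "ac04026bf644efd9ad1d3c939624d3a0394a22726a730e3c3250d0d10cda5898"),
    (r"C:\ProgramData\remcos\logs.dat", "baa791e8ebfcf63886a1904e65e8ebb520d99e4e82d6545337098e95e7307686"),
]
RUNS = {"behavioral1": RUN1_WIN7, "behavioral2": RUN2_WIN10}

PROFILE = r"\users\admin"  # the sandbox user; assumption: other profiles hold the same files

def normalize(path):
    """Canonical path: lower-case, drive letter dropped, user profile tokenised, so that
    a drive-less '\\Users\\Admin\\...' entry and 'C:\\Users\\Admin\\...' compare equal."""
    p = path.lower()
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    if p.startswith(PROFILE + "\\"):
        p = "%userprofile%" + p[len(PROFILE):]
    return p

def index(runs):
    """{normalized path: {sha256: {run names}}} across all detonations."""
    idx = defaultdict(lambda: defaultdict(set))
    for run, entries in runs.items():
        for path, sha in entries:
            idx[normalize(path)][sha].add(run)
    return idx

def volatile_paths(runs):
    """Paths written with more than one non-empty content: hunt on the path, not the hash."""
    return {p: sorted(h for h in hs if h != EMPTY_SHA256)
            for p, hs in index(runs).items()
            if len([h for h in hs if h != EMPTY_SHA256]) > 1}

def stable_hashes(runs):
    """Hashes observed in every detonation: the file IOCs most worth distributing."""
    every = set(runs)
    return sorted(sha for hs in index(runs).values()
                  for sha, seen in hs.items() if seen == every and sha != EMPTY_SHA256)

def run_only_hashes(runs, run):
    """Hashes seen in exactly one detonation, e.g. artifacts of a stage only one run reached."""
    return sorted(sha for hs in index(runs).values()
                  for sha, seen in hs.items() if seen == {run} and sha != EMPTY_SHA256)

def empty_artifacts(runs):
    """Paths recorded at least once with the empty-file digest."""
    return sorted(p for p, hs in index(runs).items() if EMPTY_SHA256 in hs)

if __name__ == "__main__":
    for p, hashes in volatile_paths(RUNS).items():
        print(f"volatile: {p} ({len(hashes)} distinct contents)")
    print("stable across runs:", stable_hashes(RUNS))
    print("behavioral2 only:", run_only_hashes(RUNS, "behavioral2"))
    print("empty:", empty_artifacts(RUNS))
```

The split tells an analyst which of the sixteen hashes in the report to actually distribute: the two Temp blobs are identical in both runs, the eight antholite.exe digests never repeat, and C:\ProgramData\remcos\logs.dat exists only in the run that reached the Remcos stage.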