Malware Analysis Report

2024-12-07 22:31

Sample ID 240409-bq33zadd51
Target 45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
SHA256 45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85
Tags
remcos remotehost collection rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85

Threat Level: Known bad

The file 45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection rat

Remcos

Nirsoft

NirSoft WebBrowserPassView

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

NirSoft MailPassView

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables built or packed with MPress PE compressor

Drops startup file

Executes dropped EXE

Accesses Microsoft Outlook accounts

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 01:21

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 01:21

Reported

2024-04-09 01:24

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

Network

N/A

Files

memory/2768-10-0x0000000000120000-0x0000000000124000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 01:21

Reported

2024-04-09 01:24

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A (25 identical rows, no details recorded)

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A (18 identical rows, no details recorded)

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brawlis.vbs C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\svchost.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 372 set thread context of 1276 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 1276 set thread context of 1960 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1276 set thread context of 4112 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1276 set thread context of 4304 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 740 wrote to memory of 372 (x3) N/A C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe
PID 372 wrote to memory of 1276 (x4) N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 1276 wrote to memory of 1960 (x4) N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1276 wrote to memory of 4112 (x4) N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 1276 wrote to memory of 4304 (x4) N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\dgcrtrgwdgqtteucsixwvtlp"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\nbpkukryroiyekigjtkpggggqjb"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\qvuuvccrfwalgqektdxrjlsxzqsclt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 107.175.229.139:8087 tcp
US 107.175.229.139:8087 tcp
US 8.8.8.8:53 139.229.175.107.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

memory/740-10-0x0000000001260000-0x0000000001264000-memory.dmp

C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe

MD5 f087017470a46c265fbeb26b312179f6
SHA1 56cfbb3a2d47efbb9681fcc0f759625637b1fe80
SHA256 368510b9ebaa1d5f76d67683d2636f29dd1a56d91daae008c1d2ebcf318d4601
SHA512 770d2d4325be02c5bf2d6bf0c78c2ffc95bb6831dd94649a88bc20678c4dfe4e99e698b068fb3e1ffbadb91873303d80a19667f3c5320fbc69e8973fca2ad11c

C:\Users\Admin\AppData\Local\Temp\orographically

MD5 17db3ee54b8207f5415603d856255c9d
SHA1 a480c3d3f948e61b258b18732b99732f62fe93e5
SHA256 e138b8344f3c0b7d400d452da5662e5625365f71ca955034f8b6ddf05b4a3c37
SHA512 7a4fc990c68c73f9729e2b56d337a8888094bad6766ad9c9f0cc3faaa89fa289189660bed466adca97039431f9d4ff179227b9f8e1dce2ea6b42b1ea09d50cef

C:\Users\Admin\AppData\Local\Temp\vitraillist

MD5 7e652071f4c1e8a16bbcc9fe126774f0
SHA1 e6eed67590573d8427f648e2952e88005fba1efd
SHA256 132f9d86d77df4cc036a745abc0a419412a35b9977005bb0a19258d8a629bbf2
SHA512 469fd55d6f2ffe4f2d2117db33e68f879878013958677d72f27eeaf953611e504bfb8ff89a44558308c10f3f2e204157f5cb50fb78c94b674e410bf84c741ddb

C:\Users\Admin\AppData\Local\Temp\dgcrtrgwdgqtteucsixwvtlp

MD5 32a7b06ba8a0426235849b55b563b06b
SHA1 47157e4608ac7375544e6a59c7353f5bea8167f5
SHA256 14bb01cde2127abdc8cbef51092d1327d4fc63d40b47ca4621947c0dd8475e52
SHA512 0a610acf3ee1abcbb198d0d52de567d8c40d3460897ad9cb53d1a9cc463935b13c13e880b23716a429d8680794d24e1d1ecfce2f386e3861798bd03bbf1f8cf6

C:\ProgramData\remcos\logs.dat

MD5 e74b066793e3af8e4c57c8754e02ebc0
SHA1 5f84cdf56cf1fd1401b04c5e15cdeef686a87997
SHA256 0720417adf2d52aa80b560e2929884fcb9de41ae5e9e7dfb887b0fbecad5bf53
SHA512 26a217742e0430623a0085720dcdec22f56ec4d195425e5189e3b84fcac010b5fa445f29d6627d086430c4529430401470ce191b52aa739f07b1f6f30caa5f82
