Malware Analysis Report

2024-12-07 22:23

Sample ID: 240409-rk8n9shc34
Target: c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929
SHA256: c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929
Tags: remcos, remotehost, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929

Threat Level: Known bad

The file c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929 was found to be: Known bad.

Malicious Activity Summary

Tags: remcos, remotehost, rat

Remcos

Drops startup file

Executes dropped EXE

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-09 14:16

Signatures

AutoIT Executable

Description: N/A | Indicator: N/A | Process: N/A | Target: N/A

Unsigned PE

Description: N/A | Indicator: N/A | Process: N/A | Target: N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-09 14:16
Reported: 2024-04-09 14:18
Platform: win11-20240221-en
Max time kernel: 149s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"

Signatures

Remcos

Tags: rat, remcos

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs
Process: C:\Users\Admin\AppData\Local\directory\excel.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\directory\excel.exe
Target: N/A

AutoIT Executable

Description: N/A | Indicator: N/A | Process: N/A | Target: N/A

Suspicious use of SetThreadContext

Description: PID 1948 set thread context of 2732
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\directory\excel.exe
Target: C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\directory\excel.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe

"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"

C:\Users\Admin\AppData\Local\directory\excel.exe

"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 107.175.229.143:30902 shgoini.com tcp
NL 178.237.33.50:80 geoplugin.net tcp

Files

memory/2276-10-0x00000000027B0000-0x00000000027B4000-memory.dmp

C:\Users\Admin\AppData\Local\directory\excel.exe

MD5 6e785bef0bc6d9d27b632a95c167f95e
SHA1 be154cc572ba9fcc5e9d562106172e63ce49ef8c
SHA256 8e572214b3f185499a292d3b0720b4641a2f519195703d5462c64682decd4e96
SHA512 7f13e223683b5aad76f8c337f8b5c9ee24666384b82077af03ece6c04b6d4a8a3879b5ce9ee5d4d4724cb9f27a2144a39f086b00114b7df11bd4b2b0dab21940

C:\Users\Admin\AppData\Local\Temp\saccule

MD5 7b4ee3164750a624febb01f867bdb208
SHA1 2c68f3bc9f02ef7229da72935b33053885ad19e0
SHA256 fc648d1008816e63cb562eec07b7ae56ab4c5be06da13282a213f9c9e6f3c2a5
SHA512 aa088d535f08520ba2299da40c2e5c6ee1375eb67ac9f2438f431bda1312d024e38793c1b074f08b0accf8bf89db630b46de5b9883036b84ab50b473bbc1dc41

C:\Users\Admin\AppData\Local\Temp\Thebit

MD5 a04675531940882479c988422f627c21
SHA1 48bb45a49c1600e8f16ffe612170787f841cd969
SHA256 011bee0b69f6d996fd2ddced3a417739375f6a3909ff46d23bcca2f0d14680d5
SHA512 f8f2e1c49d7a7153a8522488a259ff37927c6c133b2030fdf70728aa034b02f2fd704d2bba7ad6660eb0f6b3696108a26df1c479723330f49ea0e462c13ba24c

memory/2732-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2732-47-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-09 14:16
Reported: 2024-04-09 14:18
Platform: win10v2004-20240226-en
Max time kernel: 93s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe

"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/1156-10-0x0000000000C20000-0x0000000000C24000-memory.dmp