Malware Analysis Report

2024-12-07 22:32

Sample ID 240410-dlnhtsfg4y
Target c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe
SHA256 c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929
Tags
remcos remotehost rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929

Threat Level: Known bad

The file c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Executes dropped EXE

Loads dropped DLL

Drops startup file

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-10 03:05

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 03:05

Reported

2024-04-10 03:08

Platform

win7-20240319-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A (18 identical entries)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs C:\Users\Admin\AppData\Local\directory\excel.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\excel.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2224 set thread context of 1740 N/A C:\Users\Admin\AppData\Local\directory\excel.exe C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\excel.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe C:\Users\Admin\AppData\Local\directory\excel.exe (7 identical entries)
PID 2224 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\directory\excel.exe C:\Windows\SysWOW64\svchost.exe (5 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe

"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"

C:\Users\Admin\AppData\Local\directory\excel.exe

"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 shgoini.com udp
US 107.175.229.143:30902 shgoini.com tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

memory/2348-10-0x0000000000260000-0x0000000000264000-memory.dmp

\Users\Admin\AppData\Local\directory\excel.exe

MD5 969e7125ce8c552f9d7899df54b54336
SHA1 9596f483d654b10af236c4d0968049600a8b9d55
SHA256 f9c8d0f80cefe182b3f56d1fbb45226cb61aef3c47f664bee2016c90259f6e4b
SHA512 6b16cd04346062176356199c10c4d55f2323d64e79b835e477e6a060bfe9210dd8981e9debc6e9232301effb65c09d07dd6997bb8e325eb70c44dc5c0c207c91

C:\Users\Admin\AppData\Local\Temp\Thebit

MD5 a04675531940882479c988422f627c21
SHA1 48bb45a49c1600e8f16ffe612170787f841cd969
SHA256 011bee0b69f6d996fd2ddced3a417739375f6a3909ff46d23bcca2f0d14680d5
SHA512 f8f2e1c49d7a7153a8522488a259ff37927c6c133b2030fdf70728aa034b02f2fd704d2bba7ad6660eb0f6b3696108a26df1c479723330f49ea0e462c13ba24c

C:\Users\Admin\AppData\Local\Temp\saccule

MD5 7b4ee3164750a624febb01f867bdb208
SHA1 2c68f3bc9f02ef7229da72935b33053885ad19e0
SHA256 fc648d1008816e63cb562eec07b7ae56ab4c5be06da13282a213f9c9e6f3c2a5
SHA512 aa088d535f08520ba2299da40c2e5c6ee1375eb67ac9f2438f431bda1312d024e38793c1b074f08b0accf8bf89db630b46de5b9883036b84ab50b473bbc1dc41

memory/1740-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1740-49-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 03:05

Reported

2024-04-10 03:08

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe

"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

memory/3792-10-0x0000000003F70000-0x0000000003F74000-memory.dmp