Malware Analysis Report

2025-06-16 01:22

Sample ID 240410-jx9hbsha36
Target f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b
SHA256 f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b
Tags: remcos, veintiocho, persistence, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b

Threat Level: Known bad

The file f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b was found to be: Known bad.

Malicious Activity Summary

Tags: remcos, veintiocho, persistence, rat

Modifies WinLogon for persistence

Remcos

Suspicious use of SetThreadContext

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 08:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 08:04

Reported

2024-04-10 08:06

Platform

win7-20240221-en

Max time kernel

149s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe"

Signatures

Modifies WinLogon for persistence

Tactic: persistence (ATT&CK T1547.004, Winlogon Helper DLL)

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe
Target: N/A

Winlogon reads Shell as a comma-separated list and starts every entry at logon, so appending the sample after explorer.exe keeps the desktop looking normal while relaunching the RAT from %TEMP% on every logon. The value is written under the user's own hive (HKU\S-1-5-21-...-1000, i.e. HKCU), so no elevation is needed. On a clean system the per-user value normally does not exist at all and the machine-wide one reads just explorer.exe; anything else in either location is worth an alert.

Remcos

rat remcos

Suspicious use of SetWindowsHookEx

Process: C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe
Description, Indicator, Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 1848 wrote to memory of 1984 (11 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe (PID 1848)
Target: C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe (PID 1984)

All eleven writes go from the first instance of the sample (PID 1848) into a second, freshly started copy of the same executable (PID 1984). Together with the SetThreadContext signature in the summary and the repeated dumps of PID 1984's 0x400000-0x421000 region under Files, this is consistent with the loader starting a suspended copy of itself, overwriting its image with the unpacked Remcos payload and resuming it; the dumps of that region are the ones to carve for the real payload and its C2 configuration.

Processes

C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe

"C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe"

C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe

"C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe"

Network

Country Destination (IP:port) Domain Proto
US 8.8.8.8:53 veintisieteremc.duckdns.org udp
CO 179.13.3.249:1011 veintisieteremc.duckdns.org tcp
US 8.8.8.8:53 veintiochoremc.duckdns.org udp
CO 179.13.3.249:1011 veintiochoremc.duckdns.org tcp
CO 179.13.3.249:1011 veintiochoremc.duckdns.org tcp
CO 179.13.3.249:1011 veintiochoremc.duckdns.org tcp
US 8.8.8.8:53 veintisieteremc.duckdns.org udp
CO 179.13.3.249:1011 veintisieteremc.duckdns.org tcp
US 8.8.8.8:53 veintiochoremc.duckdns.org udp
CO 179.13.3.249:1011 veintiochoremc.duckdns.org tcp
CO 179.13.3.249:1011 veintiochoremc.duckdns.org tcp

Files

memory/1848-0-0x0000000000BD0000-0x0000000000D4A000-memory.dmp

memory/1848-1-0x0000000074230000-0x000000007491E000-memory.dmp

memory/1848-2-0x0000000000230000-0x000000000025C000-memory.dmp

memory/1848-3-0x0000000004CF0000-0x0000000004D30000-memory.dmp

memory/1848-4-0x0000000000270000-0x0000000000296000-memory.dmp

memory/1984-5-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1984-6-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1984-7-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1984-8-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1984-9-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1984-10-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1984-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1984-13-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1848-15-0x0000000074230000-0x000000007491E000-memory.dmp

memory/1984-16-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1984-17-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1984-21-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1984-20-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1984-19-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1984-24-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 241b5f88af66fd809bff6b3bdd2eb825
SHA1 582f58cb62c8d9716b58a676dd5677c984f94727
SHA256 682e3f10247adc53b8b2267b15fe38370f9ad8d1aefa6b9affbd5fce7bf76f28
SHA512 34640eea4bd99365183ad89c2281254a0e6b56ce505bb9d7ca6a2f8335ad4a02043185d38edee5b0d18d090223f06f1d13ac9657fde2b373e19d818c6f790ca3

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 08:04

Reported

2024-04-10 08:06

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe"

Signatures

Modifies WinLogon for persistence

Tactic: persistence (ATT&CK T1547.004, Winlogon Helper DLL)

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe
Target: N/A

Same per-user Winlogon Shell append as in the Windows 7 run, only the user SID differs: the sample is added after explorer.exe in the comma-separated list that Winlogon launches at logon, without needing administrative rights.
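The Shell value in this run and the identical one in behavioral1 are what a detection has to parse, and a prefix match on "explorer.exe" is not enough. The following is an added example, not code from the sandbox or from Remcos: it takes indicator lines in the report's `Set value (str) <key>\<name> = "<value>"` layout, splits the Winlogon Shell/Userinit value the way Winlogon does (comma-separated, entries optionally quoted) and reports any program that is not the stock one in a system directory. The sample lines are constructed: one copy of this report's indicator plus two benign controls; the stock-program and system-directory sets are assumptions for a default install.

```python
"""Flag Winlogon Shell/Userinit tampering in sandbox 'Set value' indicators.

Added example, not code from the sandbox or from Remcos. Winlogon reads
Shell and Userinit as comma-separated lists of programs (entries may be
quoted), so a value that merely starts with "explorer.exe" is not clean.
"""
import csv
import io
import re

# Constructed sample: the first line copies this report's indicator, the
# other two are benign controls (machine-wide stock shell, unrelated Run key).
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"',
]

# Sandbox layout: Set value (<type>) <key>\<name> = "<escaped value>"
INDICATOR_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<value>.*)"$')
WINLOGON_VALUES = {"shell", "userinit"}
# Assumptions for a default install: the only programs that belong in these
# values, and the directories they are allowed to live in.
STOCK = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def unescape(s):
    # Undo the \" and \\ escapes the sandbox uses when printing strings.
    return re.sub(r"\\(.)", r"\1", s)


def split_entries(value):
    # Winlogon splits on commas; a quoted entry may itself contain commas/spaces.
    reader = csv.reader(io.StringIO(value), delimiter=",", quotechar='"',
                        skipinitialspace=True)
    return [e.strip() for row in reader for e in row if e.strip()]


def suspicious_entries(value_name, value):
    # Everything that is not a stock program living in a system directory.
    bad = []
    for entry in split_entries(value):
        directory, _, name = entry.replace("/", "\\").rpartition("\\")
        if name.lower() not in STOCK[value_name] or (
                directory and directory.lower() not in SYSTEM_DIRS):
            bad.append(entry)
    return bad


def scan(lines):
    # One finding per Winlogon Shell/Userinit write that carries extra programs.
    findings = []
    for line in lines:
        m = INDICATOR_RE.match(line)
        if not m:
            continue
        key, _, name = m["path"].rpartition("\\")
        if name.lower() not in WINLOGON_VALUES or not key.lower().endswith("\\winlogon"):
            continue
        bad = suspicious_entries(name.lower(), unescape(m["value"]))
        if bad:
            sid = re.search(r"\\REGISTRY\\USER\\(S-[\d-]+)", key)
            findings.append({
                "value_name": name.lower(),
                "user_sid": sid.group(1) if sid else None,  # None for HKLM
                "key": key,
                "extra_programs": bad,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f['value_name']} under {f['key']}: {f['extra_programs']}")
```

On a live host the same split applies to the output of `reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell` and its HKLM counterpart; the per-user value existing at all is already a signal, since a default profile does not set it.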

Remcos

rat remcos

Suspicious use of SetWindowsHookEx

Process: C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe
Description, Indicator, Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 3984 wrote to memory of 3968 (10 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe (PID 3984)
Target: C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe (PID 3968)

As in behavioral1, all writes go from the first instance (PID 3984) into a second copy of the same executable (PID 3968), whose 0x400000-0x421000 region is then dumped repeatedly under Files; the behaviour is the same on Windows 10 as on Windows 7.
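The WriteProcessMemory rows in both runs, read together with the memory-dump names under Files, carry enough to score this as self-injection automatically. The following is an added example, not code from the report or from Remcos: it counts parent-to-child writes per PID pair from rows in the report's per-event layout, joins them with the dump names to see whether the target's region at the default 32-bit PE image base (0x400000) was captured, and marks a pair as a hollowing candidate when the child runs the same image, received several writes and has such a dump. The rows are constructed: three copies of this run's 3984-to-3968 row plus one control row with a different target image; the dump names are copied from this run; the image-base constant and the write threshold are assumptions.

```python
"""Score parent->child memory writes as a process-hollowing candidate.

Added example, not from the sandbox or from Remcos. Works on rows in the
report's layout 'PID <src> wrote to memory of <dst> <indicator> <src_img>
<dst_img>' and dump names 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp'.
"""
import re
from collections import Counter, defaultdict

IMG = r"C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe"

# Constructed sample: three copies of this run's row, plus a control row
# (not in the report) where the target runs a different image.
SAMPLE_WRITES = [f"PID 3984 wrote to memory of 3968 N/A {IMG} {IMG}"] * 3 + [
    f"PID 3984 wrote to memory of 1300 N/A {IMG} C:\\Windows\\System32\\cmd.exe",
]
# Dump names copied from this run's Files section.
SAMPLE_DUMPS = [
    "memory/3984-0-0x00000000001F0000-0x000000000036A000-memory.dmp",
    "memory/3984-1-0x00000000753D0000-0x0000000075B80000-memory.dmp",
    "memory/3968-7-0x0000000000400000-0x0000000000421000-memory.dmp",
    "memory/3968-10-0x0000000000400000-0x0000000000421000-memory.dmp",
]

# Image paths in this report contain no spaces; a tab-separated export would
# be needed for paths that do.
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
                    r"(?P<indicator>\S+) (?P<src_img>\S+) (?P<dst_img>\S+)$")
DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                     r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
# Assumption: classic default ImageBase of a 32-bit PE. An unpacked payload
# written into a hollowed process typically lands here, whereas the ASLR'd
# host image is relocated elsewhere (0x1F0000 for PID 3984 in this run).
DEFAULT_IMAGE_BASE = 0x400000


def parse_writes(lines):
    # (src_pid, dst_pid) -> number of writes, plus pid -> image path.
    writes, images = Counter(), {}
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        writes[(src, dst)] += 1
        images[src] = m["src_img"]
        images[dst] = m["dst_img"]
    return writes, images


def parse_dumps(names):
    # pid -> list of (start, end) regions that were dumped.
    regions = defaultdict(list)
    for name in names:
        m = DUMP_RE.match(name)
        if m:
            regions[int(m["pid"])].append((int(m["start"], 16), int(m["end"], 16)))
    return regions


def hollowing_candidates(write_lines, dump_names, min_writes=3):
    writes, images = parse_writes(write_lines)
    regions = parse_dumps(dump_names)
    out = []
    for (src, dst), n in sorted(writes.items()):
        same_image = images[src].lower() == images[dst].lower()
        base_dumps = [r for r in regions.get(dst, []) if r[0] == DEFAULT_IMAGE_BASE]
        out.append({
            "parent": src, "child": dst, "writes": n, "same_image": same_image,
            "image_base_dumps": len(base_dumps),
            "image_base_size": base_dumps[0][1] - base_dumps[0][0] if base_dumps else 0,
            "suspicious": same_image and n >= min_writes and bool(base_dumps),
        })
    return out


if __name__ == "__main__":
    for c in hollowing_candidates(SAMPLE_WRITES, SAMPLE_DUMPS):
        print(c)
```

The 0x21000-byte region that scores here is the one to pull from the dump set when hunting for the decrypted Remcos configuration; the parent's own regions (0x1F0000 and the 0x753D0000 DLL range) are the packed loader and a system library and are not worth the same attention.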

Processes

C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe

"C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe"

C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe

"C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe"

Network

Country Destination (IP:port) Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 veintisieteremc.duckdns.org udp
CO 179.13.3.249:1011 veintisieteremc.duckdns.org tcp
US 8.8.8.8:53 veintiochoremc.duckdns.org udp
CO 179.13.3.249:1011 veintiochoremc.duckdns.org tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
CO 179.13.3.249:1011 veintiochoremc.duckdns.org tcp
CO 179.13.3.249:1011 veintiochoremc.duckdns.org tcp
US 8.8.8.8:53 veintisieteremc.duckdns.org udp
CO 179.13.3.249:1011 veintisieteremc.duckdns.org tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 veintiochoremc.duckdns.org udp
CO 179.13.3.249:1011 veintiochoremc.duckdns.org tcp
CO 179.13.3.249:1011 veintiochoremc.duckdns.org tcp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
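This Network table and the one in behavioral1 mix the sample's own traffic with sandbox noise: every DNS query goes to the sandbox's resolver at 8.8.8.8:53, and the in-addr.arpa names are reverse lookups of unrelated addresses. The following is an added example, not code from the report: it parses rows in the table's layout, drops resolver and PTR noise, aggregates connections per endpoint, flags dynamic-DNS names and non-standard ports, and emits a flat IOC list. The rows are a constructed subset of this table; the resolver, dynamic-DNS suffix and common-port sets are assumptions to be replaced with your own lists.

```python
"""Triage a sandbox Network table into C2 endpoints and a flat IOC list.

Added example, not code from the sandbox. Expects rows in the report's
'Country Destination Domain Proto' layout, Destination being ip:port.
"""
from collections import Counter, defaultdict

# Constructed sample: a subset of the rows from this run's Network table.
SAMPLE_ROWS = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 veintisieteremc.duckdns.org udp
CO 179.13.3.249:1011 veintisieteremc.duckdns.org tcp
US 8.8.8.8:53 veintiochoremc.duckdns.org udp
CO 179.13.3.249:1011 veintiochoremc.duckdns.org tcp
CO 179.13.3.249:1011 veintiochoremc.duckdns.org tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
"""

SANDBOX_RESOLVERS = {"8.8.8.8"}          # the resolver the sandbox hands to the VM
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)  # assumption: extend with your own list
COMMON_PORTS = {80, 443, 8080, 8443}     # assumption: ports a beacon can hide behind


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":  # skip blanks and a header
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def is_reverse_lookup(domain):
    # PTR lookups are OS/sandbox background noise, not sample behaviour.
    return domain.endswith(".in-addr.arpa") or domain.endswith(".ip6.arpa")


def split_traffic(rows):
    """Return (dns_queries, connections).

    dns_queries: Counter of forward names the sample asked for.
    connections: (ip, port, proto) -> Counter of names that led there.
    """
    dns_queries = Counter()
    connections = defaultdict(Counter)
    for r in rows:
        if r["port"] == 53 and r["ip"] in SANDBOX_RESOLVERS:
            if not is_reverse_lookup(r["domain"]):
                dns_queries[r["domain"]] += 1
            continue
        connections[(r["ip"], r["port"], r["proto"])][r["domain"]] += 1
    return dns_queries, connections


def c2_summary(rows):
    # One record per contacted endpoint with the flags worth a second look.
    _, connections = split_traffic(rows)
    summary = []
    for (ip, port, proto), names in sorted(connections.items()):
        summary.append({
            "ip": ip, "port": port, "proto": proto,
            "domains": sorted(names),
            "connections": sum(names.values()),
            "dynamic_dns": any(d.endswith(DYNAMIC_DNS_SUFFIXES) for d in names),
            "nonstandard_port": port not in COMMON_PORTS,
        })
    return summary


def indicators(rows):
    # Flat IOC sets for a blocklist: hostnames, addresses and ip:port/proto.
    dns_queries, connections = split_traffic(rows)
    domains, ips, endpoints = set(dns_queries), set(), set()
    for (ip, port, proto), names in connections.items():
        domains.update(names)
        ips.add(ip)
        endpoints.add(f"{ip}:{port}/{proto}")
    return {"domains": sorted(domains), "ips": sorted(ips), "endpoints": sorted(endpoints)}


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for rec in c2_summary(rows):
        print(rec)
    print(indicators(rows))
```

Block the two hostnames and the 179.13.3.249:1011 endpoint, not duckdns.org as a whole, which is a legitimate service. Two names resolving to the same ip:port is what you would see with two C2 entries in the Remcos configuration pointing at one server; the names are the indicator that survives a change of the underlying address.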

Files

memory/3984-0-0x00000000001F0000-0x000000000036A000-memory.dmp

memory/3984-1-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/3984-2-0x0000000007DC0000-0x0000000007E5C000-memory.dmp

memory/3984-3-0x0000000004AC0000-0x0000000004AEC000-memory.dmp

memory/3984-4-0x0000000004C30000-0x0000000004C40000-memory.dmp

memory/3984-5-0x00000000051F0000-0x0000000005794000-memory.dmp

memory/3984-6-0x0000000004BA0000-0x0000000004BC6000-memory.dmp

memory/3968-7-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3984-11-0x00000000753D0000-0x0000000075B80000-memory.dmp

memory/3968-10-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3968-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3968-15-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3968-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3968-18-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 9b73606660fcd7d493c5eda092ca8cab
SHA1 b6cefbdab7964eab88bcc0974b897772fc8c99c2
SHA256 f03e6f6295c8653ade43e06fa3b1af83effdcc7607feb35032af955b3a334434
SHA512 b81c54077a52c438aedf82a52a85dc8e808d2713028c93f8721134ea4aaa03fbbab3a192090d111ee1acc8a1f9bd467ba13f5f0c9d663ddebf47dda0ef2b290a