Malware Analysis Report

2024-11-13 18:49

Sample ID: 240423-vvtjwaab99
Target: Tax_Document.zip
SHA256: 30c92411897d709b710f248d4460739edce37e03d88c75e7f61064eaa138b767
Tags: remcos remotehost rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 30c92411897d709b710f248d4460739edce37e03d88c75e7f61064eaa138b767

Threat Level: Known bad

The file Tax_Document.zip was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-23 17:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-23 17:19
Reported: 2024-04-23 17:39
Platform: win10-20240404-en
Max time kernel: 1198s
Max time network: 1192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe"

Network

Country | Destination | Domain | Proto
NL | 78.142.18.109:2401 | | tcp
US | 8.8.8.8:53 | 109.18.142.78.in-addr.arpa | udp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 52.111.227.14:443 | | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

memory/4920-0-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-1-0x0000000000060000-0x00000000000D6000-memory.dmp

memory/4920-3-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-4-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-6-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-7-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-8-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-9-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-10-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-11-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-13-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-16-0x00000000025D0000-0x0000000002627000-memory.dmp

memory/4920-20-0x0000000000120000-0x00000000001A0000-memory.dmp

C:\ProgramData\taxinfor\logs.dat

MD5 1e3ffa1ef4c535056a23585c5c96b4ec
SHA1 b3a07778c4224635fd494a6b95579d0d1730e16c
SHA256 23efc42bd18a49a9978edacdf78dc90b3c0ed180fc0af40032c2bf575d48decd
SHA512 dd6c567180a13850cdc1204b8a8647a50a5657402021f1a1e73d653223a5be25402fee8d0ab29d6b527a4448c7c1ee1310e96a99e05bfad85e0fbb675f74563c

memory/4920-23-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-24-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-34-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-35-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-45-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-46-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-57-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-58-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-68-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-69-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-112-0x0000000000120000-0x00000000001A0000-memory.dmp

memory/4920-123-0x0000000000120000-0x00000000001A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-23 17:19
Reported: 2024-04-23 17:39
Platform: win10v2004-20240412-en
Max time kernel: 1199s
Max time network: 1201s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe"

Network

Country | Destination | Domain | Proto
NL | 78.142.18.109:2401 | | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 109.18.142.78.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 17.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.118.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

memory/2356-0-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-1-0x0000000000550000-0x00000000005C6000-memory.dmp

memory/2356-2-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-3-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-4-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-6-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-7-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-8-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-9-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-10-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-14-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-16-0x00000000005D0000-0x0000000000666000-memory.dmp

memory/2356-20-0x0000000000060000-0x00000000000E0000-memory.dmp

C:\ProgramData\taxinfor\logs.dat

MD5 e95d16d5ff109f8662bec8c497f67824
SHA1 a4bdb6c227cdd7851d3e96796c1616b0b0098abb
SHA256 8d3f71044b9781207b07b87fbb60dfe7bd9381ed6bd8ebd79998648ca7bab40c
SHA512 97abc52679cf7d9997dfadc6caa2b8e4f1c831b4e06c2d0a1e0c63a69ca8fdbe307f755461f456c27aa75062bd30da3da6686e79c688f878401614a9b1047d68

memory/2356-22-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-23-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-33-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-34-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-44-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-45-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-55-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-67-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-68-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-77-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-78-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-88-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-89-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-99-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-100-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-110-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-111-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-122-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-123-0x0000000000060000-0x00000000000E0000-memory.dmp

memory/2356-132-0x0000000000060000-0x00000000000E0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-04-23 17:19
Reported: 2024-04-23 17:39
Platform: win11-20240412-en
Max time kernel: 1199s
Max time network: 1192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe"

Network

Country | Destination | Domain | Proto
NL | 78.142.18.109:2401 | | tcp
US | 8.8.8.8:53 | 109.18.142.78.in-addr.arpa | udp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 52.111.227.13:443 | | tcp

Files

memory/4032-0-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-1-0x00000000024A0000-0x0000000002516000-memory.dmp

memory/4032-2-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-3-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-4-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-6-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-7-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-8-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-9-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-10-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-11-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-13-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-16-0x00000000005F0000-0x00000000006B2000-memory.dmp

memory/4032-20-0x0000000002760000-0x00000000027E0000-memory.dmp

C:\ProgramData\taxinfor\logs.dat

MD5 1e3ffa1ef4c535056a23585c5c96b4ec
SHA1 b3a07778c4224635fd494a6b95579d0d1730e16c
SHA256 23efc42bd18a49a9978edacdf78dc90b3c0ed180fc0af40032c2bf575d48decd
SHA512 dd6c567180a13850cdc1204b8a8647a50a5657402021f1a1e73d653223a5be25402fee8d0ab29d6b527a4448c7c1ee1310e96a99e05bfad85e0fbb675f74563c

memory/4032-23-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-24-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-33-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-34-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-45-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-46-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-57-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-58-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-61-0x00000000005F0000-0x00000000006B2000-memory.dmp

memory/4032-64-0x00000000005F0000-0x00000000006B2000-memory.dmp

memory/4032-68-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-69-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-79-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-80-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-86-0x00000000005F0000-0x00000000006B2000-memory.dmp

memory/4032-90-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-91-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-100-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-101-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-112-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/4032-113-0x0000000002760000-0x00000000027E0000-memory.dmp