Malware Analysis Report

2024-11-13 18:50

Sample ID: 240714-cp5qvashmm
Target: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe
SHA256: 5aef1b0e1673044cc7a46a3ea02e4caf2ec853acdf50e3d9a72aa9ac0fb1f88f
Tags: spacolombia2707raptor, remcos
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 5aef1b0e1673044cc7a46a3ea02e4caf2ec853acdf50e3d9a72aa9ac0fb1f88f

Threat Level: Known bad

The file 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe was found to be: Known bad.

Malicious Activity Summary

spacolombia2707raptor remcos

Remcos family

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-14 02:16

Signatures

Remcos family

remcos

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-14 02:16

Reported

2024-07-14 02:18

Platform

win7-20240708-en

Max time kernel

147s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                                                                                      Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe

"C:\Users\Admin\AppData\Local\Temp\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe"

Network

Country  Destination         Domain                  Proto
US       8.8.8.8:53          areaseguras.con-ip.com  udp
US       86.104.72.183:2707  areaseguras.con-ip.com  tcp
US       8.8.8.8:53          geoplugin.net           udp
NL       178.237.33.50:80    geoplugin.net           tcp

Files

C:\Users\Admin\AppData\Roaming\loggsdSSC\logs.dat

MD5 d3cfc3d176b7fd8582fc4191636430b3
SHA1 a74916f7a6335dcf940c6eb97976092925b6ef4a
SHA256 a60f0d3ce8f8af53576bc1ff0b7c7330a01993adce8c65a2bf43dd8401ea47aa
SHA512 967e80dd403fd55a9699fe2739053842f9b3534c11edef5a2c1486e079389c3dfd3f70b44e0afceb9c7d9efd496b3af370b7a6cdf755d248fda955064966149d

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-14 02:16

Reported

2024-07-14 02:18

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                                                                                      Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe

"C:\Users\Admin\AppData\Local\Temp\5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe"

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          areaseguras.con-ip.com        udp
US       86.104.72.183:2707  areaseguras.con-ip.com        tcp
US       8.8.8.8:53          g.bing.com                    udp
US       13.107.21.237:443   g.bing.com                    tcp
US       8.8.8.8:53          geoplugin.net                 udp
NL       178.237.33.50:80    geoplugin.net                 tcp
US       8.8.8.8:53          183.72.104.86.in-addr.arpa    udp
US       8.8.8.8:53          134.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53          237.21.107.13.in-addr.arpa    udp
US       8.8.8.8:53          73.144.22.2.in-addr.arpa      udp
US       8.8.8.8:53          50.33.237.178.in-addr.arpa    udp
US       8.8.8.8:53          103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53          198.187.3.20.in-addr.arpa     udp
US       8.8.8.8:53          172.214.232.199.in-addr.arpa  udp
US       8.8.8.8:53                                        udp

Files

C:\Users\Admin\AppData\Roaming\loggsdSSC\logs.dat

MD5 5482ab4a63113dbff867793ffc0a241e
SHA1 3ff5f6d2c05c359970789a93e83506e2ae002687
SHA256 6e1c9eee2d72220bf1e1d562011e834d33c06f2331ff677f44713dea45aa84f4
SHA512 1481ca45a286a86a99d557023c55c971bdf160ae86e8a8d72b035240b50edeab936442493f6ebb4b3f7f89b82a00b063089c960af4905f288de3230d656100cc