Malware Analysis Report

2024-12-07 22:35

Sample ID 240722-c5wg4sxgrr
Target f3dcd81603a7b53421fcedce515a7c80N.exe
SHA256 fdd56eff190fb7974b5432cafd9f0071049c37c853f229ffb69400e9687f49ab
Tags
remcos ranko7 rat
score
10/10


Analysis Overview

score
10/10

SHA256

fdd56eff190fb7974b5432cafd9f0071049c37c853f229ffb69400e9687f49ab

Threat Level: Known bad

The file f3dcd81603a7b53421fcedce515a7c80N.exe was found to be: Known bad.

Malicious Activity Summary

remcos ranko7 rat

Remcos

Executes dropped EXE

Loads dropped DLL

Drops startup file

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-22 02:40

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 02:40

Reported

2024-07-22 02:42

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3dcd81603a7b53421fcedce515a7c80N.exe"

Signatures

Remcos

rat remcos

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nouses.vbs | C:\Users\Admin\AppData\Local\caprone\nouses.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\caprone\nouses.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3708 set thread context of 1696 | N/A | C:\Users\Admin\AppData\Local\caprone\nouses.exe | C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\caprone\nouses.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3dcd81603a7b53421fcedce515a7c80N.exe

"C:\Users\Admin\AppData\Local\Temp\f3dcd81603a7b53421fcedce515a7c80N.exe"

C:\Users\Admin\AppData\Local\caprone\nouses.exe

"C:\Users\Admin\AppData\Local\Temp\f3dcd81603a7b53421fcedce515a7c80N.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\f3dcd81603a7b53421fcedce515a7c80N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 kennyremcosbelintourismedleonline.gleeze.com udp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp
US 8.8.8.8:53 kennyremcosbelintourismedleonline.gleeze.com udp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp

Files

memory/2212-10-0x0000000000B50000-0x0000000000B54000-memory.dmp

C:\Users\Admin\AppData\Local\caprone\nouses.exe

MD5 f3dcd81603a7b53421fcedce515a7c80
SHA1 6f5e15a2415801651cbe54b63eeaddd7df07ab45
SHA256 fdd56eff190fb7974b5432cafd9f0071049c37c853f229ffb69400e9687f49ab
SHA512 f5e969de331afee0b3bed2a58d5159d95c9bbe93eb419980fe061cdcac8de94cc4dfcdd917951c9b6af0003f58f737f7716884472b1fb11a334af78073f51220

C:\Users\Admin\AppData\Local\Temp\oxmanship

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\chiffons

MD5 afaf8231eb3ca65fab3692ce2bc01752
SHA1 7423205a0a2ba079d87afcd696514d7774a5a767
SHA256 1530b374165530f6156105c241b036bd707eda46030e48d8a2ca5a80de042e95
SHA512 7cd28b7e9ca7bb8321a2b4c7063d304dd3cb0aa47e2f1d77efd83846845edb630fc7d7027fed072b96703f651c65ed2b2ea629deb9fd4d9891fa9df5f186cb4e

memory/1696-28-0x0000000000400000-0x0000000000482000-memory.dmp


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 02:40

Reported

2024-07-22 02:42

Platform

win7-20240704-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3dcd81603a7b53421fcedce515a7c80N.exe"

Signatures

Remcos

rat remcos

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nouses.vbs | C:\Users\Admin\AppData\Local\caprone\nouses.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\caprone\nouses.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3dcd81603a7b53421fcedce515a7c80N.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2832 set thread context of 2880 | N/A | C:\Users\Admin\AppData\Local\caprone\nouses.exe | C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\caprone\nouses.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3dcd81603a7b53421fcedce515a7c80N.exe

"C:\Users\Admin\AppData\Local\Temp\f3dcd81603a7b53421fcedce515a7c80N.exe"

C:\Users\Admin\AppData\Local\caprone\nouses.exe

"C:\Users\Admin\AppData\Local\Temp\f3dcd81603a7b53421fcedce515a7c80N.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\f3dcd81603a7b53421fcedce515a7c80N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 kennyremcosbelintourismedleonline.gleeze.com udp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp
US 8.8.8.8:53 kennyremcosbelintourismedleonline.gleeze.com udp
DE 78.159.112.21:7027 kennyremcosbelintourismedleonline.gleeze.com tcp

Files

memory/2812-10-0x0000000000110000-0x0000000000114000-memory.dmp

\Users\Admin\AppData\Local\caprone\nouses.exe

MD5 f3dcd81603a7b53421fcedce515a7c80
SHA1 6f5e15a2415801651cbe54b63eeaddd7df07ab45
SHA256 fdd56eff190fb7974b5432cafd9f0071049c37c853f229ffb69400e9687f49ab
SHA512 f5e969de331afee0b3bed2a58d5159d95c9bbe93eb419980fe061cdcac8de94cc4dfcdd917951c9b6af0003f58f737f7716884472b1fb11a334af78073f51220

C:\Users\Admin\AppData\Local\Temp\oxmanship

MD5 d3c2e6b58aa6aef0054c6eb19728f613
SHA1 40057214bb8cb9b08174bf3dd6d72b98d2d318ab
SHA256 110657963c15958b17156291fe841ad4117e46afa4a174bb6eefbf1b42fd03d7
SHA512 b7e3fe3c6ab3f959d3dd01dba94d365290e52b31d1ced6a10558d275785aea661d146e820bd4d109af5b0bc8ee832085a5225d5f4c8d517fba61d649a72ef59a

C:\Users\Admin\AppData\Local\Temp\chiffons

MD5 afaf8231eb3ca65fab3692ce2bc01752
SHA1 7423205a0a2ba079d87afcd696514d7774a5a767
SHA256 1530b374165530f6156105c241b036bd707eda46030e48d8a2ca5a80de042e95
SHA512 7cd28b7e9ca7bb8321a2b4c7063d304dd3cb0aa47e2f1d77efd83846845edb630fc7d7027fed072b96703f651c65ed2b2ea629deb9fd4d9891fa9df5f186cb4e

memory/2880-30-0x0000000000400000-0x0000000000482000-memory.dmp
