Malware Analysis Report

2024-12-07 22:43

Sample ID 240722-fpe2zazell
Target 199d642bf20eb5b9ae989bd2872757b19186a0c579a81613b29d64d9c992a746
SHA256 199d642bf20eb5b9ae989bd2872757b19186a0c579a81613b29d64d9c992a746
Tags
july 16 remcos
score
10/10

Analysis Overview

score
10/10

SHA256

199d642bf20eb5b9ae989bd2872757b19186a0c579a81613b29d64d9c992a746

Threat Level: Known bad

The file 199d642bf20eb5b9ae989bd2872757b19186a0c579a81613b29d64d9c992a746 was found to be: Known bad.

Malicious Activity Summary

july 16 remcos

Remcos family

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-22 05:02

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 05:02

Reported

2024-07-22 05:07

Platform

win10-20240404-en

Max time kernel

298s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\199d642bf20eb5b9ae989bd2872757b19186a0c579a81613b29d64d9c992a746.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\199d642bf20eb5b9ae989bd2872757b19186a0c579a81613b29d64d9c992a746.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\199d642bf20eb5b9ae989bd2872757b19186a0c579a81613b29d64d9c992a746.exe

"C:\Users\Admin\AppData\Local\Temp\199d642bf20eb5b9ae989bd2872757b19186a0c579a81613b29d64d9c992a746.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 luky00921.ddns.net udp
LT 94.156.79.154:6089 luky00921.ddns.net tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

C:\ProgramData\remcos\logs.dat

MD5 eb0856442a843cfc31f9ca4242f71d6c
SHA1 771cc674020e7ed91a65fd78c043d3e2157e026b
SHA256 27fae47103e7144d84f0687639e929d5dbf5c291de5b358c113750b956a461b5
SHA512 9f6a746c5e1d4ccea428ec63d36d680beebe368bc053f2c726ccdc93c4e1d498777a29e660b0717384a67f80f7aedaf4332d1b0f4108319f7c34a4bddadd1a3e

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 05:02

Reported

2024-07-22 05:07

Platform

win7-20240704-en

Max time kernel

299s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\199d642bf20eb5b9ae989bd2872757b19186a0c579a81613b29d64d9c992a746.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\199d642bf20eb5b9ae989bd2872757b19186a0c579a81613b29d64d9c992a746.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\199d642bf20eb5b9ae989bd2872757b19186a0c579a81613b29d64d9c992a746.exe

"C:\Users\Admin\AppData\Local\Temp\199d642bf20eb5b9ae989bd2872757b19186a0c579a81613b29d64d9c992a746.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 luky00921.ddns.net udp
LT 94.156.79.154:6089 luky00921.ddns.net tcp

Files

C:\ProgramData\remcos\logs.dat

MD5 0b28e93dd1debb908b36cfed19b6b3d7
SHA1 898c6db1c486315c930ee063827706c2c6b8b2d6
SHA256 039a108acc618da74f26114a1fc6819b919fe838ed3ab94d8ac772c48c6c5b2c
SHA512 2c1227772d44331aff3f9fffd8cea28d34b5f4c944a7bca1cfccac30a936f34c65e5580008c8f4b2b7952c35aefee9f740d7b95ba5acf71826bdaaa48972fdce