Malware Analysis Report

2024-12-07 22:43

Sample ID 240723-hqn3dashmh
Target Purchase _Order_0000089.exe
SHA256 b598665f15c6c098ecfc2c5185cb43946c0dfecd9e2f13f8f3d59b185eb73f02
Tags remcos 2560 collection rat
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 b598665f15c6c098ecfc2c5185cb43946c0dfecd9e2f13f8f3d59b185eb73f02

Threat Level: Known bad

The file Purchase _Order_0000089.exe was found to be: Known bad.

Malicious Activity Summary

remcos 2560 collection rat

Remcos

NirSoft MailPassView

NirSoft WebBrowserPassView

Detected Nirsoft tools

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-23 06:56

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 06:56

Reported

2024-07-23 06:58

Platform

win10v2004-20240709-en

Max time kernel

58s

Max time network

38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe"

Signatures

Remcos

rat remcos

Detected Nirsoft tools


NirSoft MailPassView


NirSoft WebBrowserPassView


Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 756 wrote to memory of 3024 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
PID 756 wrote to memory of 868 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe C:\Program Files (x86)\Windows Mail\wab.exe
PID 756 wrote to memory of 5004 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe C:\Windows\System32\svchost.exe
PID 756 wrote to memory of 2920 (12 writes) N/A C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 756 wrote to memory of 1348 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2920 wrote to memory of 4596 (4 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2920 wrote to memory of 3460 (4 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2920 wrote to memory of 2436 (4 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"

C:\Program Files (x86)\Windows Mail\wab.exe

"C:\Program Files (x86)\Windows Mail\wab.exe"

C:\Windows\System32\svchost.exe

"C:\Windows\System32\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\rvxapizbbhvecakbginhbfpymzu"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\bxckiakdppnjmpgnytaimskpvneysr"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\drhdjtvwlyfwpvurhencpxwgduvglcofhc"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp 1
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp 1
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp 1
US 107.173.4.16:2560 - tcp 2
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp 1
US 8.8.8.8:53 geoplugin.net udp 1
NL 178.237.33.50:80 geoplugin.net tcp 1
US 8.8.8.8:53 16.4.173.107.in-addr.arpa udp 1
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp 1
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp 1
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp 1

Files

Memory dumps (process PID, address range, dump indices)

PID Region Dumps
756 0x00007FFEFD103000-0x00007FFEFD105000 1
756 0x0000027E886D0000-0x0000027E886EE000 0
756 0x00007FFEFD100000-0x00007FFEFDBC1000 2, 13
756 0x0000027EA2C10000-0x0000027EA2CE0000 3
2920 0x0000000000400000-0x0000000000482000 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 19, 46, 51, 53, 54
2920 0x0000000010000000-0x0000000010019000 41, 44, 45
4596 0x0000000000400000-0x0000000000478000 20, 25, 30, 32, 39
3460 0x0000000000400000-0x0000000000462000 21, 29, 31, 34
2436 0x0000000000400000-0x0000000000424000 24, 27, 28, 33

Dropped files

C:\Users\Admin\AppData\Local\Temp\rvxapizbbhvecakbginhbfpymzu

MD5 982ebb238759653970e22ee9fad24470
SHA1 15fca6be8cc4a276c9f70a73f28c52c3b0eead15
SHA256 c8b9cad5602932ea51b923f39f4b2d9aedf1f4915880d89032ab6636acaf9bea
SHA512 c8777edf0dd3e72e0cf3bb89db2bc7856fed0eeca7199806fec341e9168899e3b700c73a6b2e7cb0e8ccc5523116d6ecfde5c9ebcc83288a162dd1b0ea78201b

C:\ProgramData\remcos\logs.dat

MD5 5d684acd522be8be840b07586a4a3d63
SHA1 bc3da7423ca20cd080cbc1a2c452ae685a4a11f2
SHA256 8c935581b61b6bdeb5e487473de8ba42613b7d469cc1a8de26d53965fcaba167
SHA512 0d667d1e1bf8b6476236518c02e745d0550fe05378c36e0767c107beee4a46bf022d56e768112604ad4312feeed3a1da3cdface8e30cc814690328782d6cb158