Malware Analysis Report

2025-01-02 03:12

Sample ID: 240815-jb1cjawgrj
Target: 15082024_0730_14082024_Sparkasse Bank__Kopija za Plakanje.pdf.img
SHA256: 2af504652f89c2e7b475e1b3031914550771f79b921f8049e61813c4e71175fe
Tags: remcos, remotehost, discovery, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 2af504652f89c2e7b475e1b3031914550771f79b921f8049e61813c4e71175fe
Threat Level: Known bad

The file 15082024_0730_14082024_Sparkasse Bank__Kopija za Plakanje.pdf.img was classified as Known bad. The submitted object is a .img disk image; the executable actually detonated in both behavioral runs is the double-extension file "Sparkasse Bank__Kopija za Plakanje.pdf.exe" extracted from it (see the Command Line sections). The "Sparkasse Bank" lure and the Croatian/Slovenian phrase "Kopija za Plakanje" ("copy for payment") mark this as a banking-themed phishing attachment.

Malicious Activity Summary

Tags: remcos, remotehost, discovery, rat

Remcos
Drops startup file
Executes dropped EXE
Loads dropped DLL
AutoIT Executable
Suspicious use of SetThreadContext
Program crash
Unsigned PE
System Location Discovery: System Language Discovery (ATT&CK T1614.001)
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-15 07:30

Signatures

AutoIT Executable

Description | Indicator | Process | Target
(two rows, no per-event details recorded)

Unsigned PE

Description | Indicator | Process | Target
(one row, no per-event details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-15 07:30
Reported: 2024-08-15 07:32
Platform: win7-20240704-en
Max time kernel: 149s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Sparkasse Bank__Kopija za Plakanje.pdf.exe"

Signatures

Remcos

Tags: rat, remcos

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs | C:\Users\Admin\AppData\Local\fascinatress\phagocytose.exe | N/A

A script in the per-user Startup folder runs at every interactive logon of that user, so phagocytose.vbs is the persistence artifact to check for on a suspected host. The report does not include the script's content.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\fascinatress\phagocytose.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sparkasse Bank__Kopija za Plakanje.pdf.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
(three rows, no per-event details recorded)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2232 set thread context of 2472 | N/A | C:\Users\Admin\AppData\Local\fascinatress\phagocytose.exe | C:\Windows\SysWOW64\svchost.exe

A SetThreadContext call from phagocytose.exe (PID 2232) into svchost.exe (PID 2472), together with the WriteProcessMemory and MapViewOfSection signatures listed in the summary, is the sequence used by process hollowing: a payload is written into another process and that process's thread is pointed at it before it resumes. The memory dumps of PID 2472 in the Files section are the sandbox's captures of that injected region.

System Location Discovery: System Language Discovery (ATT&CK T1614.001)

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Sparkasse Bank__Kopija za Plakanje.pdf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\fascinatress\phagocytose.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A

All three processes in the chain, including the hollowed svchost.exe, read the system language key. On its own this is a weak signal, since many legitimate programs query the locale, but it is a common pre-flight check in commodity malware that refuses to run in certain locales.

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\fascinatress\phagocytose.exe | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\Sparkasse Bank__Kopija za Plakanje.pdf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Sparkasse Bank__Kopija za Plakanje.pdf.exe"

Image: C:\Users\Admin\AppData\Local\fascinatress\phagocytose.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Sparkasse Bank__Kopija za Plakanje.pdf.exe"

Image: C:\Windows\SysWOW64\svchost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Sparkasse Bank__Kopija za Plakanje.pdf.exe"

Both child processes are recorded with the command line of the initial sample rather than their own image path. A process-creation log keyed on command line alone would therefore show three launches of the same PDF-named executable; match on image path and parent/child relationship instead.

Network

Country | Destination | Domain | Proto
US | 204.10.160.230:7983 | (none) | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp

The TCP connection to 204.10.160.230 on the non-standard port 7983, with no preceding name resolution, is the endpoint behind the report's "remotehost" tag. geoplugin.net is a public IP geolocation API that Remcos queries over plain HTTP after start-up to learn the victim's location; it is a legitimate service, so treat it as a hunting lead rather than a blocklist entry.

Files

memory/1952-11-0x00000000000B0000-0x00000000000B4000-memory.dmp

\Users\Admin\AppData\Local\fascinatress\phagocytose.exe
MD5: 37a8b23ece95b5ebc90eaf975f9f5473
SHA1: e646bf9c1cb9d198fb44b6c387f91b2836cfab21
SHA256: b31a2876eb7b1f32fb340dcaaec23f5053b1283ac5d5cd79fe09dab488840fb7
SHA512: 5af69aa0172ef776ecac27ebee962ccac039777e152150579b449d055a66cc8fb44a2fa111bdacef3ff93bded145bea7f5dad1d075eecc68f60182c501b8337b

C:\Users\Admin\AppData\Local\Temp\chiffons
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These four digests are those of a zero-byte file: chiffons was empty when this run captured it. Do not use them as indicators; they match every empty file on every system.

C:\Users\Admin\AppData\Local\Temp\roundups
MD5: 2dcc8f12f0d2740eb0a47e49ff243fd3
SHA1: 8a741ec35768cc19d2d66f6a96da575dd04faa33
SHA256: a99874539aea0515661343251070a9077dd812e2dd44c650886c5aa6f97230cc
SHA512: 1f53b261262e2189cd91d76bb1d32f960ff093b4903bbeff20575f2c9d8927e196def0b45ac7c24c1f5109e25b1b559a442211a9d0c8c11a5813d7066bff8deb

Memory dumps (memory/<pid>-<sequence>-<start>-<end>-memory.dmp):

memory/2232-31-0x00000000000B0000-0x0000000000202000-memory.dmp
memory/2232-37-0x00000000000B0000-0x0000000000202000-memory.dmp
memory/2472-{33,35,36,38,39,40,41,44,45,46,47,48,49,50,51,52}-0x0000000000400000-0x000000000047F000-memory.dmp (16 dumps of the same region)

PID 2232 is phagocytose.exe and PID 2472 is the svchost.exe it targeted with SetThreadContext (see Signatures). The region dumped sixteen times from PID 2472 starts at 0x400000, the default image base of a non-relocated 32-bit PE, and is 0x7F000 bytes long; it is the dump to carve first when recovering the injected payload.
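The dump names above follow a fixed pattern, and the first thing an analyst does with a list like this is group it by process and decide which region to open. The following is an added example by the editor, not part of the sandbox report: it parses the behavioral1 dump names, collapses repeated snapshots of one region, and flags regions at the classic 0x400000 image base inside a SetThreadContext target. The PID-to-image mapping is taken from the SetThreadContext signature (2232 is phagocytose.exe, 2472 is svchost.exe); PID 1952 is not named anywhere in the report and is left unmapped.

```python
"""Parse sandbox memory-dump names (memory/<pid>-<seq>-<start>-<end>-memory.dmp)
and pick out the region most likely to hold the injected payload.

Added example by the editor; not part of the sandbox report. Dump names are
copied from the behavioral1 Files section. PID 1952 is unmapped because the
report never names its image.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump names copied from the behavioral1 Files section.
DUMP_NAMES = [
    "memory/1952-11-0x00000000000B0000-0x00000000000B4000-memory.dmp",
    "memory/2232-31-0x00000000000B0000-0x0000000000202000-memory.dmp",
    "memory/2232-37-0x00000000000B0000-0x0000000000202000-memory.dmp",
] + [
    f"memory/2472-{seq}-0x0000000000400000-0x000000000047F000-memory.dmp"
    for seq in (33, 35, 36, 38, 39, 40, 41, 44, 45, 46, 47, 48, 49, 50, 51, 52)
]

# From the SetThreadContext signature: phagocytose.exe (2232) -> svchost.exe (2472).
PID_IMAGE = {
    2232: r"C:\Users\Admin\AppData\Local\fascinatress\phagocytose.exe",
    2472: r"C:\Windows\SysWOW64\svchost.exe",
}
INJECTION_TARGETS = {2472}

# Default image base of a 32-bit PE that has not been relocated; a region at
# this address inside a hollowed host process is where a written-in PE lands.
CLASSIC_IMAGE_BASE = 0x400000


def parse_dump_name(name):
    """Split one dump name into pid, sequence number, start, end and size."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Collapse repeated dumps of the same region, keeping a snapshot count
    (how often the sandbox re-dumped it) and the first sequence number."""
    regions = defaultdict(dict)
    for name in names:
        d = parse_dump_name(name)
        key = (d["start"], d["end"])
        entry = regions[d["pid"]].setdefault(
            key, {"size": d["size"], "snapshots": 0, "first_seq": d["seq"]})
        entry["snapshots"] += 1
        entry["first_seq"] = min(entry["first_seq"], d["seq"])
    return dict(regions)


def candidate_payload_regions(names):
    """Regions in a SetThreadContext target that start at the classic image
    base: the first dumps to carve when looking for the unpacked RAT."""
    hits = []
    for pid, regions in regions_by_pid(names).items():
        if pid not in INJECTION_TARGETS:
            continue
        for (start, end), info in regions.items():
            if start == CLASSIC_IMAGE_BASE:
                first = info["first_seq"]
                hits.append({
                    "pid": pid,
                    "image": PID_IMAGE.get(pid),
                    "start": start,
                    "size": info["size"],
                    "snapshots": info["snapshots"],
                    "first_dump": f"memory/{pid}-{first}-0x{start:016X}-0x{end:016X}-memory.dmp",
                })
    return hits


if __name__ == "__main__":
    for hit in candidate_payload_regions(DUMP_NAMES):
        print(hit)
```

On the behavioral1 list this yields a single candidate: PID 2472, 0x7F000 bytes at 0x400000, snapshotted 16 times, with memory/2472-33-... as the earliest capture. The sixteen snapshots are the same region re-dumped over the run, so opening the first one is usually enough; later ones only matter if the payload rewrites itself in place.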

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-15 07:30
Reported: 2024-08-15 07:33
Platform: win10v2004-20240802-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Sparkasse Bank__Kopija za Plakanje.pdf.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs | C:\Users\Admin\AppData\Local\fascinatress\phagocytose.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\fascinatress\phagocytose.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
(one row, no per-event details recorded)

System Location Discovery: System Language Discovery (ATT&CK T1614.001)

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\fascinatress\phagocytose.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Sparkasse Bank__Kopija za Plakanje.pdf.exe | N/A

The Remcos, SetThreadContext and MapViewOfSection signatures that fired on Windows 7 did not fire in this run, and svchost.exe did not read the language key. This is consistent with the WerFault crash recorded under Processes: on Windows 10 the chain apparently did not get as far as the injection stage.

Processes

Image: C:\Users\Admin\AppData\Local\Temp\Sparkasse Bank__Kopija za Plakanje.pdf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Sparkasse Bank__Kopija za Plakanje.pdf.exe"

Image: C:\Users\Admin\AppData\Local\fascinatress\phagocytose.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Sparkasse Bank__Kopija za Plakanje.pdf.exe"

Image: C:\Windows\SysWOW64\svchost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Sparkasse Bank__Kopija za Plakanje.pdf.exe"

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 944 -ip 944

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 692

As in behavioral1, both child processes are recorded with the initial sample's command line. The two WerFault.exe launches are Windows Error Reporting handling a crash of PID 944 (the -p argument); the report does not map PID 944 to an image. This run is the source of the "Program crash" entry in the Malicious Activity Summary.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (4 connections)
US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp

None of this traffic is attributable to the sample. The in-addr.arpa queries are reverse (PTR) lookups of addresses the sample never connects to, and tse1.mm.bing.net is the Bing image CDN contacted by Windows 10's own components; both are typical background traffic of a Windows 10 sandbox image. Neither 204.10.160.230:7983 nor geoplugin.net from behavioral1 appears here, again consistent with the chain having crashed before the payload ran.
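Reading the two Network tables side by side shows the problem with lifting indicators from a sandbox run mechanically: behavioral2's table is entirely background noise, while behavioral1's mixes a raw-IP connection on an odd port with queries to a legitimate geolocation service. The following is an added example by the editor, not sandbox output; it takes both tables as input and separates what is worth blocking from what is only worth hunting on. The classification rules are the editor's assumptions: in-addr.arpa PTR lookups and *.bing.net are Windows 10 background traffic, geoplugin.net is a legitimate public API and therefore a hunt lead rather than a block, and a TCP connection to a bare IP on a non-standard port with no name resolution behind it is the remote-host candidate.

```python
"""Separate sandbox background traffic from connections worth turning into
indicators, using the behavioral1 and behavioral2 Network tables as input.

Added example by the editor, not sandbox output. Rows are copied from the
report; the classification rules are the editor's assumptions.
"""

# (country, destination, domain, proto) as listed in the report; an empty
# domain means the sandbox saw no name resolution for that connection.
BEHAVIORAL1 = [
    ("US", "204.10.160.230:7983", "", "tcp"),
    ("US", "8.8.8.8:53", "geoplugin.net", "udp"),
    ("NL", "178.237.33.50:80", "geoplugin.net", "tcp"),
]
BEHAVIORAL2 = [
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "134.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "11.179.89.13.in-addr.arpa", "udp"),
]

NOISE_SUFFIXES = (".in-addr.arpa", ".bing.net")   # editor's assumption: OS background traffic
GEOLOCATION_SERVICES = {"geoplugin.net"}           # editor's assumption: legitimate API, hunt only
RESOLVERS = {"8.8.8.8"}                            # the sandbox's DNS server
STANDARD_PORTS = {53, 80, 443}


def classify(row):
    """Return one of: noise, geolocation, dns, remotehost-candidate, other."""
    _country, destination, domain, proto = row
    ip, port = destination.rsplit(":", 1)
    port = int(port)
    if domain.endswith(NOISE_SUFFIXES):
        return "noise"
    if domain in GEOLOCATION_SERVICES:
        return "geolocation"
    if ip in RESOLVERS and port == 53:
        return "dns"  # a lookup not covered by the rules above; inspect manually
    if proto == "tcp" and not domain and port not in STANDARD_PORTS:
        return "remotehost-candidate"  # bare IP, odd port, no name: the C2-style connection
    return "other"


def extract_iocs(rows):
    """Deduplicated indicators in first-seen order, each tagged with its intended use."""
    seen, iocs = set(), []
    for row in rows:
        kind = classify(row)
        if kind == "remotehost-candidate":
            ioc = ("block", "ip-port", row[1])
        elif kind == "geolocation":
            ioc = ("hunt", "domain", row[2])
        else:
            continue
        if ioc not in seen:
            seen.add(ioc)
            iocs.append(ioc)
    return iocs


if __name__ == "__main__":
    for label, rows in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(label, extract_iocs(rows))
```

behavioral1 yields two indicators, 204.10.160.230:7983 to block and geoplugin.net to hunt on; behavioral2 yields none. The "hunt" tag matters: a geoplugin.net request from a process that is not a browser is a good pivot in proxy logs, but blocking the domain outright would break legitimate software that uses the same API.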

Files

memory/5084-11-0x0000000001240000-0x0000000001244000-memory.dmp

C:\Users\Admin\AppData\Local\fascinatress\phagocytose.exe
MD5: 37a8b23ece95b5ebc90eaf975f9f5473
SHA1: e646bf9c1cb9d198fb44b6c387f91b2836cfab21
SHA256: b31a2876eb7b1f32fb340dcaaec23f5053b1283ac5d5cd79fe09dab488840fb7
SHA512: 5af69aa0172ef776ecac27ebee962ccac039777e152150579b449d055a66cc8fb44a2fa111bdacef3ff93bded145bea7f5dad1d075eecc68f60182c501b8337b

C:\Users\Admin\AppData\Local\Temp\chiffons
MD5: 29940de4a83fc4c485811c4f8645a065
SHA1: 65b28fcb5a08f27a2f0f55542f7e87b29e465958
SHA256: 8a4ed4095ebca19eafff691df862c94772a367a62c5f78883bd186286d0b942e
SHA512: 764a3ab9a2458e7a2802098f0bb083aeb7e16adf81ccf21db05bbc3d6346ee05dc49bbbbb846f9ee7381a682873b58850f5eed75e46ae11dfbf617bdaf947b97

C:\Users\Admin\AppData\Local\Temp\roundups
MD5: 2dcc8f12f0d2740eb0a47e49ff243fd3
SHA1: 8a741ec35768cc19d2d66f6a96da575dd04faa33
SHA256: a99874539aea0515661343251070a9077dd812e2dd44c650886c5aa6f97230cc
SHA512: 1f53b261262e2189cd91d76bb1d32f960ff093b4903bbeff20575f2c9d8927e196def0b45ac7c24c1f5109e25b1b559a442211a9d0c8c11a5813d7066bff8deb

phagocytose.exe and roundups hash identically in both runs and are the file indicators to keep. chiffons differs: it was a zero-byte file in behavioral1 and has content here, so its hash is run-dependent and should not be distributed as an indicator. The single memory dump in this run (PID 5084, 0x4000 bytes, sequence 11) has the same size and sequence number as the PID 1952 dump in behavioral1; no dump of an injected region was captured on Windows 10.
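Two detonations of the same sample give a cheap way to decide which file hashes are worth shipping: a hash that changes between runs, or that turns out to be the digest of an empty file, will never match on a victim machine. The following is an added example by the editor, not part of the report; it compares the dropped-file digests from the behavioral1 and behavioral2 Files sections (MD5 and SHA256 only, copied from the tables above) and keeps only the stable, non-empty ones.

```python
"""Compare dropped-file hashes across the two detonations, flag digests of
zero-byte content, and keep only hashes that are stable across runs.

Added example by the editor, not part of the report. Digests are copied from
the behavioral1 and behavioral2 Files sections (MD5 and SHA256 only).
"""
import hashlib

PHAGO = r"C:\Users\Admin\AppData\Local\fascinatress\phagocytose.exe"
CHIFFONS = r"C:\Users\Admin\AppData\Local\Temp\chiffons"
ROUNDUPS = r"C:\Users\Admin\AppData\Local\Temp\roundups"

# behavioral1 (Windows 7) Files section.
RUN1 = {
    PHAGO: {"md5": "37a8b23ece95b5ebc90eaf975f9f5473",
            "sha256": "b31a2876eb7b1f32fb340dcaaec23f5053b1283ac5d5cd79fe09dab488840fb7"},
    CHIFFONS: {"md5": "d41d8cd98f00b204e9800998ecf8427e",
               "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    ROUNDUPS: {"md5": "2dcc8f12f0d2740eb0a47e49ff243fd3",
               "sha256": "a99874539aea0515661343251070a9077dd812e2dd44c650886c5aa6f97230cc"},
}
# behavioral2 (Windows 10) Files section.
RUN2 = {
    PHAGO: dict(RUN1[PHAGO]),
    CHIFFONS: {"md5": "29940de4a83fc4c485811c4f8645a065",
               "sha256": "8a4ed4095ebca19eafff691df862c94772a367a62c5f78883bd186286d0b942e"},
    ROUNDUPS: dict(RUN1[ROUNDUPS]),
}

# Digests of b"": any file hashing to one of these was empty when the sandbox read it.
EMPTY_DIGESTS = {alg: hashlib.new(alg, b"").hexdigest()
                 for alg in ("md5", "sha1", "sha256", "sha512")}


def is_empty_file(digests):
    """True if any supplied digest equals the digest of zero bytes."""
    return any(digests.get(alg) == EMPTY_DIGESTS[alg] for alg in EMPTY_DIGESTS)


def compare_runs(*runs):
    """Classify each path present in every run as 'stable', 'empty' or 'varies'."""
    common = set.intersection(*(set(run) for run in runs))
    verdict = {}
    for path in sorted(common):
        digests = [run[path] for run in runs]
        if any(is_empty_file(d) for d in digests):
            verdict[path] = "empty"     # at least one run captured a zero-byte file
        elif all(d == digests[0] for d in digests):
            verdict[path] = "stable"    # identical content in every run
        else:
            verdict[path] = "varies"    # run-dependent content: a poor file indicator
    return verdict


def stable_hashes(*runs):
    """SHA256 values safe to ship as file indicators: stable across runs and non-empty."""
    return {path: runs[0][path]["sha256"]
            for path, v in compare_runs(*runs).items() if v == "stable"}


if __name__ == "__main__":
    print(compare_runs(RUN1, RUN2))
    print(stable_hashes(RUN1, RUN2))
```

On this report the result is phagocytose.exe and roundups as stable indicators and chiffons rejected as empty; had chiffons been non-empty but different in the two runs it would have been rejected as "varies" instead. The empty-digest check is worth running over any sandbox file list, because sandboxes hash files at the moment they observe them and a zero-byte placeholder is a common artifact of catching a write before it completed.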