Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/10/2024, 01:48 UTC

General

  • Target

    remcosviejo.exe

  • Size

    483KB

  • MD5

    e6ed0b450a69ad32a2cf629236265e1c

  • SHA1

    c5b490ac0148705cc13e61bec49ca9d3d020cead

  • SHA256

    8de4861c4aca30b32685f9a1b78c307b6faa5011551ebf689babc7c42babb720

  • SHA512

    61c8dbfe1497ef9d32d4c905f2e84f69e3dcedca90f7f7f15bffc69d53088aa3fd0e3900de4b87494303b46e05a08e777ace9715430efb9cdf2f5abc3d646dc3

  • SSDEEP

    6144:vXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZ5AXIcNc5Gv:vX7tPMK8ctGe4Dzl4h2QnuPs/Z55cv

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\remcosviejo.exe
    "C:\Users\Admin\AppData\Local\Temp\remcosviejo.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:1048

Network

  • flag-us
    DNS
    comandoespecial2023.duckdns.org
    remcosviejo.exe
    Remote address:
    8.8.8.8:53
    Request
    comandoespecial2023.duckdns.org
    IN A
    Response
    comandoespecial2023.duckdns.org
    IN A
    173.208.241.155
  • flag-us
    DNS
    comandoespecial2023.duckdns.org
    remcosviejo.exe
    Remote address:
    8.8.8.8:53
    Request
    comandoespecial2023.duckdns.org
    IN A
    Response
    comandoespecial2023.duckdns.org
    IN A
    173.208.241.155
  • flag-us
    DNS
    comandoespecial2023.duckdns.org
    remcosviejo.exe
    Remote address:
    8.8.8.8:53
    Request
    comandoespecial2023.duckdns.org
    IN A
    Response
  • flag-us
    DNS
    geoplugin.net
    remcosviejo.exe
    Remote address:
    8.8.8.8:53
    Request
    geoplugin.net
    IN A
    Response
    geoplugin.net
    IN A
    178.237.33.50
  • flag-nl
    GET
    http://geoplugin.net/json.gp
    remcosviejo.exe
    Remote address:
    178.237.33.50:80
    Request
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Fri, 04 Oct 2024 01:49:04 GMT
    server: Apache
    content-length: 955
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
  • 173.208.241.155:8888
    comandoespecial2023.duckdns.org
    tls
    remcosviejo.exe
    3.4kB
    1.6kB
    13
    17
  • 178.237.33.50:80
    http://geoplugin.net/json.gp
    http
    remcosviejo.exe
    669 B
    2.5kB
    13
    4

    HTTP Request

    GET http://geoplugin.net/json.gp

    HTTP Response

    200
  • 8.8.8.8:53
    comandoespecial2023.duckdns.org
    dns
    remcosviejo.exe
    231 B
    263 B
    3
    3

    DNS Request

    comandoespecial2023.duckdns.org

    DNS Request

    comandoespecial2023.duckdns.org

    DNS Request

    comandoespecial2023.duckdns.org

    DNS Response

    173.208.241.155

    DNS Response

    173.208.241.155

  • 8.8.8.8:53
    geoplugin.net
    dns
    remcosviejo.exe
    59 B
    75 B
    1
    1

    DNS Request

    geoplugin.net

    DNS Response

    178.237.33.50

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\remcos\logs.dat

    Filesize

    144B

    MD5

    39a733a970a3e07054c28e1077958e13

    SHA1

    1f44897e4bcf2f7c228b4d8ac0bba1e6e6b315e7

    SHA256

    cb723a071ffb342f0d3cbf65888c18e9e0aab0fc37dcd2558d9a2cde34fa2fae

    SHA512

    4e8989364b52734b187c7619d58ceb0ebcf71ae0835e2617af06f007d746947f9fe5b6e2edc2debb6b23d76901e1e40811158fa0cc42f012416018ac6364fe11
