Malware Analysis Report

2025-04-03 13:55

Sample ID 241109-2tjfvatgkm
Target 62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59
SHA256 62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59
Tags
noviembre 07 muchacha remcos discovery
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59

Threat Level: Known bad

The file 62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59 was found to be: Known bad.

Malicious Activity Summary

noviembre 07 muchacha remcos discovery

Remcos family

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:52

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:52

Reported

2024-11-09 22:54

Platform

win7-20240903-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe

"C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 imaxatmonk.imaxatmonk.com udp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp

Files

C:\ProgramData\rochilds\logs.dat

MD5 57bf1eb8c21bb5a9926a1a70898f206d
SHA1 6ada96d1bafbfc22dbeb63e6782b8814795ebfb7
SHA256 a8b514b22d9d4cbe8adc8f6bcae7e8fae3643640e0db9d1df5f330edab2da1f2
SHA512 61c2407f66833bcf67b20ee0756cfe27d84877948f675c79e17b01f971290146286ea8fa79cf1005ac3092e9e0e024e195ad7a50c461458d1194537051098240

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:52

Reported

2024-11-09 22:54

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe

"C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 imaxatmonk.imaxatmonk.com udp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp
CO 181.49.85.74:2204 imaxatmonk.imaxatmonk.com tcp

Files

C:\ProgramData\rochilds\logs.dat

MD5 042f790976038c93872c1fa04377f9bf
SHA1 48c2cfb1aaca6b35657d49d078996bd6a68c39f9
SHA256 e73a60a4bfcc6a21328cd8a6e175a2a178c221f7f7ab4f0f0e92759397db034a
SHA512 5f72d8bcc1d8f20d3ff3d3d8844df79a369d34e9e21d1b2ca6e7e0bffa26aa07e7f14d6f0750e4468038d06df9f989d72ad4ac342e11fdc9c7aff8346646dcad