Malware Analysis Report

2024-12-01 03:07

Sample ID 241111-jttmpswflh
Target RFQ-24064562-SUPPLY-NOv-ORDER.com.exe
SHA256 7e1c0ca51cd0f6806f1fe6ddbb45fa4e00b288c686003f3e50b5ee71d2c6818d
Tags discovery remcos remotehost collection rat spyware stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file RFQ-24064562-SUPPLY-NOv-ORDER.com.exe was found to be: Known bad.

Malicious Activity Summary

discovery remcos remotehost collection rat spyware stealer

Remcos

Remcos family

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook accounts

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-11 07:58

Signatures

Unsigned PE

NSIS installer

installer

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 07:58

Reported

2024-11-11 08:00

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\realisme.ini C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe N/A
File opened for modification C:\Windows\resources\0409\busher.Hed C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 480

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst8660.tmp\System.dll

MD5 34442e1e0c2870341df55e1b7b3cccdc
SHA1 99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c
SHA256 269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1
SHA512 4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

C:\Windows\realisme.ini

MD5 54098ab42483d0d9baafb98e754befed
SHA1 e355e59f79fcd4f5e2c8916a1009e6ac36788c9b
SHA256 37863e9da60268fc68e1c602ee02fed62705704ba3bf1c2e607e0cfe22487d22
SHA512 c960a4365b12b92bbf89d62492db50c79ded4523c9ec86c38dd3fdb2050f1d68caa42d4572d86f2e03069f3e3c638769a4b8d1269de2391c22fde996c3ad2fbb

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 07:58

Reported

2024-11-11 08:00

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\0409\busher.Hed C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe N/A
File opened for modification C:\Windows\realisme.ini C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 772 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe
PID 1952 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe
PID 1952 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe
PID 1952 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe"

C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe"

C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe

C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe /stext "C:\Users\Admin\AppData\Local\Temp\nolqbwkmnwjtxjeyadyabdndh"

C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe

C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe /stext "C:\Users\Admin\AppData\Local\Temp\piqibpvgjebgapacrolbmihmphxq"

C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe

C:\Users\Admin\AppData\Local\Temp\RFQ-24064562-SUPPLY-NOv-ORDER.com.exe /stext "C:\Users\Admin\AppData\Local\Temp\akvbchghxmtlkvogazxdpucdyopziyo"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 185.149.234.209:80 185.149.234.209 tcp
US 185.149.234.209:2700 tcp
US 8.8.8.8:53 209.234.149.185.in-addr.arpa udp
US 185.149.234.209:2700 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsc7EA7.tmp\System.dll

MD5 34442e1e0c2870341df55e1b7b3cccdc
SHA1 99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c
SHA256 269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1
SHA512 4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

C:\Windows\realisme.ini

MD5 54098ab42483d0d9baafb98e754befed
SHA1 e355e59f79fcd4f5e2c8916a1009e6ac36788c9b
SHA256 37863e9da60268fc68e1c602ee02fed62705704ba3bf1c2e607e0cfe22487d22
SHA512 c960a4365b12b92bbf89d62492db50c79ded4523c9ec86c38dd3fdb2050f1d68caa42d4572d86f2e03069f3e3c638769a4b8d1269de2391c22fde996c3ad2fbb

C:\Users\Admin\AppData\Local\Temp\nolqbwkmnwjtxjeyadyabdndh

MD5 75379d3dcbcea6a69bc75b884816dd40
SHA1 7e073a03c3bdbbc60375ddbe56bba211c3d412a6
SHA256 cab559f3bbe4a0beb194dffca723b3072184b92687100462eaab04d66fff8de9
SHA512 710c2cee369a57a0039fc0d0c59de6118780210ef60ad0daf374f03ba94ab08039bc2aff821f7c99a0ecd0e16189c52e5b6d630b3d541f7b11375f134b985e8c

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-11 07:58

Reported

2024-11-11 08:00

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-11 07:58

Reported

2024-11-11 08:00

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 4412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4412 -ip 4412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

N/A