Malware Analysis Report

2024-12-07 03:17

Sample ID 241114-djz4vatene
Target bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe
SHA256 bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747
Tags
remcos nov 12 discovery rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747

Threat Level: Known bad

The file bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe was found to be: Known bad.

Malicious Activity Summary

remcos nov 12 discovery rat

Remcos family

Remcos

Loads dropped DLL

Executes dropped EXE

Drops startup file

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 03:03

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 03:03

Reported

2024-11-14 03:05

Platform

win7-20240903-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs | C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1632 set thread context of 2872 | N/A | C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe | C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe

"C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe"

C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe

"C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | leehoi01.ddns.net | udp
ID | 103.187.117.76:5584 | N/A | tcp
US | 154.216.18.171:5584 | N/A | tcp
US | 154.216.20.223:5584 | N/A | tcp
US | 8.8.8.8:53 | leehoi02.ddns.net | udp
US | 8.8.8.8:53 | areabill.duckdns.org | udp
US | 192.169.69.26:9373 | areabill.duckdns.org | tcp
ID | 103.187.117.76:5584 | N/A | tcp
US | 154.216.18.171:5584 | N/A | tcp
US | 154.216.20.223:5584 | N/A | tcp
US | 192.169.69.26:9373 | areabill.duckdns.org | tcp
ID | 103.187.117.76:5584 | N/A | tcp
US | 154.216.18.171:5584 | N/A | tcp
US | 154.216.20.223:5584 | N/A | tcp
US | 8.8.8.8:53 | areabill.duckdns.org | udp
US | 192.169.69.26:9373 | areabill.duckdns.org | tcp
ID | 103.187.117.76:5584 | N/A | tcp

Files

memory/2224-11-0x0000000000150000-0x0000000000250000-memory.dmp

\Users\Admin\AppData\Local\reaffect\outvaunts.exe

MD5 e244fd43d06ea0f234c71fff8e3f711f
SHA1 a913b51d74327b5fdafa2818acdf72636c3ca20a
SHA256 bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747
SHA512 6af4afb9dbee48c7d6839d445d25abf3816ead782b0514f7e882a2a1d4e4b732b69bd953ef7b88574a3534d331bc0ce06e88d56ebde2988c8e2702cef2fcf823

C:\Users\Admin\AppData\Local\Temp\gunfights

MD5 0aba2400129da5292eb797d53eb72dc0
SHA1 c60074617f55450ef74cbfdeef45c4b45736d56a
SHA256 76cf1f1379ae03b203c5446c05a82cc0cfd1dedc27f1f8acac582d047183f278
SHA512 93701f4b62127938d885393823caa0f420c1537f35c65ecee3fa3d2960c20fdd2e1274e6efd4ba46e58282b3b895543672fd92f8c5f67c44cf2ba56338d41634

C:\Users\Admin\AppData\Local\Temp\Allene

MD5 30900a1deec30509b4a27be3b422e1b3
SHA1 e15d5e96d970ab38a853954ddef3248782755586
SHA256 35447f2a393f57c176ef487fc219208bc5df8065ed7720f3d378ad1d7e679a2e
SHA512 79b32a1611c78d639d3ef0fef09d8e1c33051ce05a7d22653be446d36ac291e26892c65fa6f0e7237928ea57a5b1e571a60afe9230498bc5a4961889f886e50d

memory/1632-31-0x00000000022F0000-0x00000000023F0000-memory.dmp

memory/2872-33-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-36-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-35-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-41-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-40-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-39-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-44-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-48-0x0000000000400000-0x000000000047F000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 faeaa8082eabcc7f59dd5741165261ff
SHA1 da06a47c504cd186c34004a9b82b8652d83f4aa6
SHA256 8f6495f21124136054438d8d5c6c9e9f23f96297cf583e8342cec6d37eaee78d
SHA512 644f81da30fadf6e064cb307af202960da5e8c02abad81a016f3ff2ec8a42342f3bf56de41823e737799243fab62014ef11daaa2b5ccfe2a859ff2c78f46bc14

memory/2872-54-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-53-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-55-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-56-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-57-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-59-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-65-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-70-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-72-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-73-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-74-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-75-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-81-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-88-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-89-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-90-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-91-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2872-92-0x0000000000400000-0x000000000047F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 03:03

Reported

2024-11-14 03:05

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs | C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4960 set thread context of 3688 | N/A | C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe | C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe

"C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe"

C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe

"C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | leehoi01.ddns.net | udp
ID | 103.187.117.76:5584 | N/A | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 154.216.18.171:5584 | N/A | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp
US | 154.216.20.223:5584 | N/A | tcp
US | 8.8.8.8:53 | leehoi02.ddns.net | udp
US | 8.8.8.8:53 | areabill.duckdns.org | udp
US | 192.169.69.26:9373 | areabill.duckdns.org | tcp
US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp
US | 8.8.8.8:53 | leehoi01.ddns.net | udp
ID | 103.187.117.76:5584 | N/A | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 154.216.18.171:5584 | N/A | tcp
US | 154.216.20.223:5584 | N/A | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | leehoi02.ddns.net | udp
US | 192.169.69.26:9373 | areabill.duckdns.org | tcp
US | 8.8.8.8:53 | leehoi01.ddns.net | udp
ID | 103.187.117.76:5584 | N/A | tcp
US | 154.216.18.171:5584 | N/A | tcp
US | 154.216.20.223:5584 | N/A | tcp
US | 8.8.8.8:53 | leehoi02.ddns.net | udp
US | 8.8.8.8:53 | areabill.duckdns.org | udp
US | 192.169.69.26:9373 | areabill.duckdns.org | tcp
US | 8.8.8.8:53 | leehoi01.ddns.net | udp
ID | 103.187.117.76:5584 | N/A | tcp

Files

memory/1704-11-0x00000000041A0000-0x00000000043A0000-memory.dmp

C:\Users\Admin\AppData\Local\reaffect\outvaunts.exe

MD5 e244fd43d06ea0f234c71fff8e3f711f
SHA1 a913b51d74327b5fdafa2818acdf72636c3ca20a
SHA256 bdf1839d82ed286b49c40e5bae59374d59bcbb37ec28266b6aaca47e391ac747
SHA512 6af4afb9dbee48c7d6839d445d25abf3816ead782b0514f7e882a2a1d4e4b732b69bd953ef7b88574a3534d331bc0ce06e88d56ebde2988c8e2702cef2fcf823

C:\Users\Admin\AppData\Local\Temp\Allene

MD5 30900a1deec30509b4a27be3b422e1b3
SHA1 e15d5e96d970ab38a853954ddef3248782755586
SHA256 35447f2a393f57c176ef487fc219208bc5df8065ed7720f3d378ad1d7e679a2e
SHA512 79b32a1611c78d639d3ef0fef09d8e1c33051ce05a7d22653be446d36ac291e26892c65fa6f0e7237928ea57a5b1e571a60afe9230498bc5a4961889f886e50d

C:\Users\Admin\AppData\Local\Temp\gunfights

MD5 0aba2400129da5292eb797d53eb72dc0
SHA1 c60074617f55450ef74cbfdeef45c4b45736d56a
SHA256 76cf1f1379ae03b203c5446c05a82cc0cfd1dedc27f1f8acac582d047183f278
SHA512 93701f4b62127938d885393823caa0f420c1537f35c65ecee3fa3d2960c20fdd2e1274e6efd4ba46e58282b3b895543672fd92f8c5f67c44cf2ba56338d41634

memory/4960-29-0x0000000003C40000-0x0000000003E40000-memory.dmp

memory/3688-31-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-32-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-33-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-38-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-37-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-39-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-42-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-45-0x0000000000400000-0x000000000047F000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 dfc5d27dc9206ea98bfe0dbe9a1dff6b
SHA1 9e5d586c81bdf2d9e0bfb465ae187cc2511ba4ea
SHA256 65f68756bcace4d9f21a691ba24c47b941b5059581fefc67b50b7e6cf6077fd0
SHA512 56849c87e5b9fec999c98d64f38b2490121f9685942ab978eb0bdf2560855cc736df81715861b33a4f45a9e043f6f04b8b9e639ed436b5d27a7f0de95aa5dbad

memory/3688-51-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-54-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-55-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-56-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-57-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-64-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-69-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-71-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-72-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-73-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-75-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-80-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-87-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-89-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-90-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-91-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3688-92-0x0000000000400000-0x000000000047F000-memory.dmp