Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe

"C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7512
Target ID:	1
Parent PID:	4056
Name:	1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe
Path:	C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe
Commandline:	"C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe"
Size:	494592
MD5:	1A3FEE38CED030E1751A309616C39202
Time:	15:17:41
Date:	06/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	532480
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

URLs

Name

Malicious

michelsrmccontrol.duckdns.org

Details

Name:	michelsrmccontrol.duckdns.org
TargetID:	0
From Memory:	false
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

http://geoplugin.net/json.gp

unknown

http://geoplugin.net/json.gp/C

unknown

Domains

Name

Malicious

michelsrmccontrol.duckdns.org

107.175.130.20

Details

Name:	michelsrmccontrol.duckdns.org
IP:	107.175.130.20
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

107.175.130.20

michelsrmccontrol.duckdns.org

United States

Details

IP:	107.175.130.20
TargetID:	1
Current Path:	C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe
Country:	United States
Countrycode:	USA
ASN number:	36352
ASN name:	AS-COLOCROSSINGUS
Private:	false
Domain:	michelsrmccontrol.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Rmc-PXKO50

exepath

Details

TargetID:	1
Path:	HKEY_CURRENT_USER\SOFTWARE\Rmc-PXKO50
Value name:	exepath
Value data:	15 4A 30 7C AC 55 CB 7F 26 C3 CF 33 8A 63 8D 0F E0 50 89 83 4F 6E BE F3 BF AF 12 60 C8 D5 48 46 53 7F BC 8D 64 01 76 C2 ED 62 2E FB DF 85 09 DE F4 9E 85 D8 EF 10 B1 C2 6C AC 6E 3F A7 6C 32 BB FF F0 20 60 13 D4 7D 1D C7 D1 B1 5D D4 AD AB 4F 98 82 44 0A 72 5A 9E 00 AD 08 64 7A 5E 3F 17 93 86 6E B3 AF 2F 16 17 97 CC 05 7C E2 AE 94 9F F6 D9 F1 ED B2 33 0D CC 05 D5 93 AB 25 CC 5B ED 25 93 22 2E 0F D5 07 C4 10 FB CF 8E D0 A8 5C 06 1E 8F 69 82 27 B5 C8 F8 4E D9 DB 7C BE 5B 97 92 EE 90 94 09 D5 A2 74 CF 5A 96 BD F2 AC BE 54 74 5F D2 8A E2 8A D6 DB 6B E3 F3 8C 25 E6 47 A3 F0 24 3A 16 D2 F0 9C 1E BC B1 0D 2F 94 6C 3F EC BB 6A 0D 63 28 65 AC 3E 0B AC 68 A1 1E 18 3D 78 53 79 81 89 7C DA FB 13 24 C8 D9 66 29 79 8A 11 FF D9 DD CE

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information

HKEY_CURRENT_USER\SOFTWARE\Rmc-PXKO50

licence

HKEY_CURRENT_USER\SOFTWARE\Rmc-PXKO50

time

Memdumps

Base Address

Regiontype

Protect

Malicious

459000

unkown

page readonly

459000

unkown

page readonly

76E000

heap

page read and write

2240000

heap

page read and write

580000

heap

page read and write

560000

heap

page read and write

471000

unkown

page read and write

793000

heap

page read and write

9C000

stack

page read and write

21FF000

stack

page read and write

474000

unkown

page read and write

74E000

stack

page read and write

400000

unkown

page readonly

478000

unkown

page readonly

860000

heap

page read and write

5CE000

stack

page read and write

1F0000

heap

page read and write

19C000

stack

page read and write

400000

unkown

page readonly

587000

heap

page read and write

234F000

unkown

page read and write

76A000

heap

page read and write

6CF000

stack

page read and write

478000

unkown

page readonly

401000

unkown

page execute read

401000

unkown

page execute read

471000

unkown

page write copy

70E000

stack

page read and write

760000

heap

page read and write

2200000

heap

page read and write

There are 20 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe