MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03811a474b07747d26379d33ee6788366f0d49bf993334d16607b361093463af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03811a474b07747d26379d33ee6788366f0d49bf993334d16607b361093463af
SHA3-384 hash: 617dca5c2abffd29e75a129a2de0136c917146525523132d90f5d8a4b2f00415de4d6afa8d6cbf2edc781a7bb541baf5
SHA1 hash: dae4220aebf17fda27db3dd270ce76ed4a638f26
MD5 hash: da8413de8d3e993911acbc14f04a5881
humanhash: nevada-mexico-tennessee-fanta
File name:INV.DHL2020 ,PDF.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:829'440 bytes
First seen:2021-09-23 07:17:00 UTC
Last seen:2021-09-24 17:05:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 206016043cadf3442135e07afc507bba (3 x RemcosRAT, 2 x Formbook, 1 x AveMariaRAT)
ssdeep 12288:b71aIFXG0LBXveSLxZrJuGmxXQUTcQvPPRKKmQgMM4/YGu1q:bs6RL9veYLrJlIrTtnAZHGE
Threatray 492 similar samples on MalwareBazaar
TLSH T12E055C3AB2529CBDF2B2193DCCD9B6D4B86FBD103714CD8551B03AC979A91C13C192AB
File icon (PE):PE icon
dhash icon c4dcf8c6d6d0c8d4 (21 x RemcosRAT, 3 x Formbook, 1 x AveMariaRAT)
Reporter abuse_ch
Tags:DHL exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INV.DHL2020 ,PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-09-23 07:38:15 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/acdcd73a-e339-4717-994e-d8bc274c9479

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190664/
Detection(s):
SecuriteInfo.com.ArtemisDA8413DE8D3E.14356.18545.UNOFFICIAL
Create hunting rule

Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86f3a953-82d6-4c9d-9e48-0cd57787790d
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856281
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 488712 Sample: INV.DHL2020 ,PDF.exe Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 44 vegospupm.ddns.net 2->44 62 Multi AV Scanner detection for domain / URL 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 5 other signatures 2->68 9 INV.DHL2020 ,PDF.exe 1 23 2->9         started        14 Bjivlrx.exe 14 2->14         started        16 Bjivlrx.exe 17 2->16         started        signatures3 process4 dnsIp5 48 ptv2eq.db.files.1drv.com 9->48 56 2 other IPs or domains 9->56 42 C:\Users\Public\Libraries\...\Bjivlrx.exe, PE32 9->42 dropped 78 Writes to foreign memory regions 9->78 80 Creates a thread in another existing process (thread injection) 9->80 82 Injects a PE file into a foreign processes 9->82 18 logagent.exe 2 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        50 192.168.2.1 unknown unknown 14->50 52 ptv2eq.db.files.1drv.com 14->52 58 2 other IPs or domains 14->58 84 Multi AV Scanner detection for dropped file 14->84 26 DpiScaling.exe 14->26         started        54 ptv2eq.db.files.1drv.com 16->54 60 2 other IPs or domains 16->60 28 mobsync.exe 16->28         started        file6 signatures7 process8 dnsIp9 46 vegospupm.ddns.net 194.147.140.13, 49743, 49744, 49745 PTPEU unknown 18->46 70 Contains functionality to inject code into remote processes 18->70 72 Contains functionality to steal Firefox passwords or cookies 18->72 74 Delayed program exit found 18->74 30 reg.exe 1 22->30         started        32 conhost.exe 22->32         started        34 cmd.exe 1 24->34         started        36 conhost.exe 24->36         started        76 Contains functionality to steal Chrome passwords or cookies 26->76 signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03811a474b07747d26379d33ee6788366f0d49bf993334d16607b361093463af/
Threat name:
Win32.Downloader.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 07:17:06 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aoarur2la52h2jrxtuz64z4igzxq2sn7teztjulga6zwccjumoxq._file
Verdict:
suspicious
Similar samples:
27bc88fd389ded5b1102d7ef23245aceeb4a516c7291afc954abb876898aa42f
RemcosRAT
34400bb7662a1aa0865f6ec06892fff142dd3ff8d09464141f75a96a42724493
RemcosRAT
3f032c4e18eced05282ae0a19f738dfef527c2281ce7bebaa28ca028941903f4
RemcosRAT
5f14d3a74387554c330e7ee790f26fb55c5bfeb1dbefc6f2de93ba69d46383e8
RemcosRAT
61005cab010bde9798cb5c7ee05497c08ba71d638644f05a1b5e58c8eac67ca1
RemcosRAT
a3aab02445dfa2ff67c27a8965fb2263965c2ad3f31475e6b6a4459b5c191827
RemcosRAT
a8b283876cfe18a0878401c02c83f73f13afda1bdd12f95549dfcedd2f805e5f
RemcosRAT
b8b54b232ca4f2ee4362d0d66218e77fbd950922221ab00676d43877904e249b
RemcosRAT
b8ff5642173ea1664b856f47468ebf4778be3154b7b0a6bfa6a0950f51973c69
RemcosRAT
bd47342e4916289cdab05ec453d284432add03e4bbe2fc9da584103369f9cbc9
RemcosRAT
+ 482 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:blessings persistence rat
Link:
https://tria.ge/reports/210923-h4c72aadcr/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
vegospupm.ddns.net:5632
Unpacked files
SH256 hash:
18498f5add7c31c1af213a720891708124ce271e4a1f4eef7427ff9ceff44767
MD5 hash:
af315fe318bcbca468841006ccc57e0a
SHA1 hash:
9b18984c1d4fcafc7bde26250a937aff6c41a375
Link:
https://www.unpac.me/results/cd41a1f0-1f51-4ebd-b8f8-fbc4e60d8ec5/
SH256 hash:
03811a474b07747d26379d33ee6788366f0d49bf993334d16607b361093463af
MD5 hash:
da8413de8d3e993911acbc14f04a5881
SHA1 hash:
dae4220aebf17fda27db3dd270ce76ed4a638f26
Link:
https://www.unpac.me/results/cd41a1f0-1f51-4ebd-b8f8-fbc4e60d8ec5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/03811a474b07747d26379d33ee6788366f0d49bf993334d16607b361093463af

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190664/

Comments