MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04f271742dac058c042af388562d7678536a47273846d692649926bad5dce1a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04f271742dac058c042af388562d7678536a47273846d692649926bad5dce1a0
SHA3-384 hash: 715020806a66447ba94598cf2552ac2f1e0ddfd2dffb63306ed5619eaae3d72de901a21c5e2c14ab80c937e57b7762ba
SHA1 hash: 1de8f27f56a2f2126cbfbe4c8e29169d429e802b
MD5 hash: 7d593f09994cb912572889f82c759b10
humanhash: xray-cardinal-india-cold
File name:Upit_Invoice.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'396'928 bytes
First seen:2020-11-30 08:21:15 UTC
Last seen:2020-11-30 09:40:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ee13d52daaec6dc411f5861456050150 (2 x RemcosRAT)
ssdeep 24576:j6HfVuY8FoR6ScMtNvHoM0XCA1ItFvDgIFpc5MzfsvvHU:j6HV8FHM0XCA1ItFvDpFpcSfsX0
Threatray 1'286 similar samples on MalwareBazaar
TLSH 4855BF73B361843ED53B12349C1BDAA5A925BE132D1C694B3BE47E0F0F36781B825B52
Reporter fabjer
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105996/
Detection(s):
SecuriteInfo.com.generic.ml.22005.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Connecting to a non-recommended domain
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/550737
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04f271742dac058c042af388562d7678536a47273846d692649926bad5dce1a0/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-11-30 08:22:06 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=atzhc5bnvqcyybbk6oefmllwpbjwurzhhbdnnetetetlvvo44gqa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
14a8520afb80692ed77075a5a9e797fa2822a91e5eb43603762669fb65ef2144
RemcosRAT
2ccee108cf8e10eeef5129554e97fdb481d375475419be26cff2430360db2689
RemcosRAT
4776e02c6cd50638e0cfafc99146fd9296dea093143b7135a4d32e0767673c95
RemcosRAT
74b843d9cabf046a044581d20033d93eecf9d8ea590ce9557569e40d990e6241
RemcosRAT
835109646cd221028859f7d4c7de74be962091d60840952ca85053e396fdc593
RemcosRAT
91ed2df39c53d7246eb84f3023072797925fa037f3a35c585247afc38322c649
RemcosRAT
bd86ba6f082dfd404bc2f3544f5b39ce04084742b334ab00a80f0c12c94daa46
RemcosRAT
dd4198b0a2a1c500bed498963e966d3476b778e1b917434847abb81c987fba55
RemcosRAT
e7def582e6c764fb35cad598da8b83da969897d37241402df8c8bac2b870432f
RemcosRAT
e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0
RemcosRAT
+ 1'276 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/201130-5ak6d8trda/
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
118e4551ac31bdc92e5a34c3069d5b2d8efe60ac58adc83bf2e5ee8a50b5a738
MD5 hash:
fea7f670d5ae5104140e571e68ce91c5
SHA1 hash:
e53bf1b051f2bd122b0781ef818447bcb2c09207
Link:
https://www.unpac.me/results/3b42021c-2d82-463d-b708-40244c1a46ce/
SH256 hash:
f3a016cfc02823e83ee046dad8fcd79507c7a55335bbce4ff5e08f527e5a011c
MD5 hash:
cb3bacc3016e51919e2574c51983a181
SHA1 hash:
8ce37ef0816ee1b7c8f6ab9b307ea90b321e5265
Link:
https://www.unpac.me/results/3b42021c-2d82-463d-b708-40244c1a46ce/
SH256 hash:
04f271742dac058c042af388562d7678536a47273846d692649926bad5dce1a0
MD5 hash:
7d593f09994cb912572889f82c759b10
SHA1 hash:
1de8f27f56a2f2126cbfbe4c8e29169d429e802b
Link:
https://www.unpac.me/results/3b42021c-2d82-463d-b708-40244c1a46ce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04f271742dac058c042af388562d7678536a47273846d692649926bad5dce1a0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar c70f04478a19fa02ab1167631d0460100420cf070d4b0de5d52795b5c8ef5ed7

RemcosRAT

Executable exe 04f271742dac058c042af388562d7678536a47273846d692649926bad5dce1a0

(this sample)

  
Dropped by
SHA256 c70f04478a19fa02ab1167631d0460100420cf070d4b0de5d52795b5c8ef5ed7
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/105996/

Comments