MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a261ffbe76d224c7d9f9136723f1cdf35f661d0e5a38f43a7ee2cb31606f359. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

SHA256 hash: 1a261ffbe76d224c7d9f9136723f1cdf35f661d0e5a38f43a7ee2cb31606f359
SHA3-384 hash: 002c738effc652c906447352c45190d4aa76b6145d5fd8d2a46a1ca9c95fea0db2ddbe3fa0854e585ef916e2c373d903
SHA1 hash: 90ede21c73465a6cc4b16b5913f765119bb5b335
MD5 hash: e1183028143d612705f5723cc7b3b4df
humanhash: eighteen-snake-wisconsin-juliet
File name: DHL_119040 receipt document,pdf.exe
Signature: RemcosRAT
File size: 1'199'104 bytes
First seen: 2021-10-19 08:27:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a410078918980fce320f92b4875de320 (4 x Formbook, 2 x RemcosRAT, 2 x NetWire)
ssdeep: 12288:0xwB6jcB+VlDdNvGOLPs46HcqC9Q1LEYLtwaufAkupubMkkUshtgQowaI9hj8mey:Gr1bvGObs46nCmLJwkuwkPZwakpKhG
Threatray: 788 similar samples on MalwareBazaar
TLSH: T1FE458E74B1A041B2E1730EBD4E62F56C851DFE523F547D063AE07A5DABFBA40342628B
dhash icon: fedcbb4d750f4c4c (9 x Formbook, 5 x RemcosRAT, 2 x NetWire)
Reporter: abuse_ch
Tags: DHL exe RemcosRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 182
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour:
Creating a window
DNS request
Connection attempt
Sending a custom TCP request

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 88 / 100
Signature:
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions

Result
Threat name: Win32.Trojan.Woreflint
Status: Malicious
First seen: 2021-10-19 08:28:07 UTC
AV detection: 10 of 45 (22.22%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:asedeybe persistence rat
Behaviour:
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction: blowmymind.hopto.org:7676

Result
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.