MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d4f1e01cbbd896a55a83dd107e381fe0a572bd2c9327cbb82a9510eb4832e99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	1d4f1e01cbbd896a55a83dd107e381fe0a572bd2c9327cbb82a9510eb4832e99
SHA3-384 hash:	fbdbbe63a85c40a75139e266919fcfdc92bfd3ca9a68cb0addd79b0e237ac71bc73c9cede665278ef3853180c2daf9e5
SHA1 hash:	aac6be857fbb4c31db54a560b51b0e1fca04c227
MD5 hash:	2cfedd565199e2068ad980cbc081ed6e
humanhash:	table-mike-neptune-white
File name:	Documents.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	870'912 bytes
First seen:	2021-09-17 18:16:46 UTC
Last seen:	2021-09-19 16:56:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	96d68413d52ee291c9b444b7006f0bce (4 x RemcosRAT, 1 x BitRAT)
ssdeep	12288:mmnGyuE9fz9VBCY4Alz2MjbjBQHhazE2Sdvnk6LHC7WWnMvwfHVBPggseBnDz5ZE:mmnZbz9e0z12HnBngseBDz5ZE
Threatray	2'673 similar samples on MalwareBazaar
TLSH	T175057C66E7C29CF6F43615388CDBBA94152EBCF139D55C4A2D943E046A38392393E18F
dhash icon	8ccc0c37e3969a68 (8 x RemcosRAT, 2 x NetWire, 1 x BitRAT)
Reporter	GovCERT_CH
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

170

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Documents.exe

Verdict:

Malicious activity

Analysis date:

2021-09-17 18:23:13 UTC

Tags:

installer

Link:

https://app.any.run/tasks/2e35fc64-b9d7-4928-b804-46fccacbd11f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/188776/

Detection(s):

PUA.Win.Packer.BorlandDelphi-15

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware keylogger

Link:

https://www.filescan.io/uploads/61752e589a5a1e91c5d207fa/reports/d2751a1e-2346-41df-819d-d86f6fd86bdb/overview

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/55cee229-6d86-4206-b006-e2baa6192506

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/852922

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Detected Remcos RAT

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d4f1e01cbbd896a55a83dd107e381fe0a572bd2c9327cbb82a9510eb4832e99/

Threat name:

Win32.Trojan.Injuke

Status:

Malicious

First seen:

2021-09-17 17:19:52 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dvhr4aolxwewuvnihxiqpy4b7yffok6szezhzo4cvfiq5nedf2mq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

52fa8487efeb8b203fb1f37501c366088b71de4ded620695ba2e34e8c0f446a2

RemcosRAT

5cfeb31e244749101b15620775505444327ee862cdec4a3e04f6af994a8e32f4

RemcosRAT

63546d7293b43b8c746bbddddcfe798478d99e5786fceff8d1fcfb52b9a64aed

RemcosRAT

66eb53699937b049b917bbcfa13b9b5d2f8449753dcbbf9e35405a766cdc9a70

RemcosRAT

798fc4066cf0b5e0c6711d32ca8d43afc7d4b99f333c184b7fd0b7d3b7eb7559

RemcosRAT

7df259f7873239aee108522c3efd6fca233db83a268a3c9fad4766994c5a029d

RemcosRAT

b9a4e85c7d4645fd515eb3f8b883ee8e5990ff4381a90b5a8f42bff007fbb386

RemcosRAT

e65bff9943ab7ccc3713619a8d908f6caf5392c0c47defe3b66ca9009d2177ed

RemcosRAT

+ 2'663 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost persistence rat

Link:

https://tria.ge/reports/210917-ww1v1sahhj/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

rem1.camdvr.org:2404
rem16.hopto.org:2404
rem1666.hopto.org:2404
rem16.camdvr.org:2404
remmusic.freeddns.org:2404
sunwap1.ddns.net:2404
rem166.hopto.org:2404

Unpacked files

SH256 hash:

519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1

MD5 hash:

3da921c9355d01d335cf03159a950030

SHA1 hash:

3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf

Link:

https://www.unpac.me/results/ed5e1eb1-c0dc-4f4c-a35a-686e5f554b42/

SH256 hash:

1d4f1e01cbbd896a55a83dd107e381fe0a572bd2c9327cbb82a9510eb4832e99

MD5 hash:

2cfedd565199e2068ad980cbc081ed6e

SHA1 hash:

aac6be857fbb4c31db54a560b51b0e1fca04c227

Link:

https://www.unpac.me/results/ed5e1eb1-c0dc-4f4c-a35a-686e5f554b42/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.50

Link:

https://yomi.yoroi.company/submissions/1d4f1e01cbbd896a55a83dd107e381fe0a572bd2c9327cbb82a9510eb4832e99

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 1d4f1e01cbbd896a55a83dd107e381fe0a572bd2c9327cbb82a9510eb4832e99

(this sample)

Dropped by

RemcosRAT

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/188776/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample