MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f715d5b757b50e756c70424d15902f064ad12df112413e518b78c22a7372e9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f715d5b757b50e756c70424d15902f064ad12df112413e518b78c22a7372e9a
SHA3-384 hash: 4250e61ccbb6f69b4cc44666b4615a3eee3d61e246c27d8a237103cfefb95d0ee788942f4372b79b48bb4e3879b1203e
SHA1 hash: 38aecfe339bd1fdfc4e55f732d27ac16af6c0ed6
MD5 hash: fc63cbe8a1d6c4b5c4c9eed806ecce86
humanhash: speaker-snake-sink-charlie
File name:from-iso_DHL WAYBILL DOCUMENT,PDF.EXE
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:856'576 bytes
First seen:2021-09-17 18:31:11 UTC
Last seen:2021-09-17 20:20:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e56b8f875592e725f8372fa466f75b12 (2 x RemcosRAT, 1 x OskiStealer, 1 x Smoke Loader)
ssdeep 12288:RNnBrnT39eHh9pAE6pPnrvQHOgJ8q//CS4/FZ4KPvnk6LHC7WWnMvwfHVBPggseO:35nReHhXknrvJ5K/vtKHngseB
Threatray 693 similar samples on MalwareBazaar
TLSH T1B2056B92B7C1CDF4F426193C4CDAFA842A6DBDF639245DC90EA44E082F251A2763D16F
dhash icon 4cca4c67d3261aca (6 x RemcosRAT, 4 x Formbook, 2 x AveMariaRAT)
Reporter abuse_ch
Tags:DHL exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dhl Waybill Document,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-17 06:50:17 UTC
Tags:
trojan rat remcos keylogger
Link:
https://app.any.run/tasks/453dc8bb-3646-4c8e-b126-e205353a310f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188779/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46985616.13242.4780.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/61752e78db358dd15ed92b7b/reports/104c2aed-df6c-4132-8ab2-0977dd3cc6de/overview
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43f38cd3-8bdc-4937-b4a8-6a6b21246a80
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852938
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 485374 Sample: from-iso_DHL WAYBILL DOCUME... Startdate: 17/09/2021 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for domain / URL 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 7 other signatures 2->53 8 from-iso_DHL WAYBILL DOCUMENT,PDF.EXE 1 23 2->8         started        13 Gqzfuef.exe 13 2->13         started        15 Gqzfuef.exe 15 2->15         started        process3 dnsIp4 45 cdn.discordapp.com 162.159.135.233, 443, 49733, 49734 CLOUDFLARENETUS United States 8->45 41 C:\Users\Public\Libraries\...behaviorgraphqzfuef.exe, PE32 8->41 dropped 65 Writes to foreign memory regions 8->65 67 Creates a thread in another existing process (thread injection) 8->67 69 Injects a PE file into a foreign processes 8->69 17 logagent.exe 2 3 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        25 mshta.exe 13->25         started        27 SndVol.exe 15->27         started        file5 signatures6 process7 dnsIp8 43 fmunity247.ddns.net 193.187.91.115, 6397 OBE-EUROPEObenetworkEuropeSE Sweden 17->43 55 Contains functionality to inject code into remote processes 17->55 57 Delayed program exit found 17->57 29 reg.exe 1 21->29         started        31 conhost.exe 21->31         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        59 Contains functionalty to change the wallpaper 25->59 61 Contains functionality to steal Chrome passwords or cookies 25->61 63 Contains functionality to steal Firefox passwords or cookies 25->63 signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f715d5b757b50e756c70424d15902f064ad12df112413e518b78c22a7372e9a/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-17 18:32:10 UTC
AV detection:
12 of 45 (26.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d5yv2w3vpnioovwhaqsncwic6bsk2ew7cesbhziyw6gcfjzxf2na._file
Verdict:
malicious
Similar samples:
0840ac6a8ee445eed007f29220dad3dd03e59cf161524623c831596673c7e8d0
RemcosRAT
1d4f1e01cbbd896a55a83dd107e381fe0a572bd2c9327cbb82a9510eb4832e99
RemcosRAT
6b637314dc7b63dfce69d3efe9b792d8fb2fbb0d9f19ea70aa0ff83ae8dbd495
RemcosRAT
a4e0f53f95a9c758592dfd652c6c7bdc3535d45b7f4ab2c2bb6a7e2f3b215526
RemcosRAT
bb63c61554ccc2caa79eec3705c3e4ce41626e88f375a8a1bc5b514e489b0f04
RemcosRAT
c6efb11667620971bfa2b783b75762c69c1bf3fe2cee9bd4ddc51164e8ba8563
RemcosRAT
c9b74e819b296f329399e9867d40d7b87477be291ee5509bdde6a7d90778fc44
RemcosRAT
d89a39469a38c622ff6d1c36603491bedfc5d5dcc92cf629aa50057eda35f563
RemcosRAT
e2293ae17fbdeb8e626efa388175c1144d82f12efe55990aa658f1c21445c47f
RemcosRAT
e3d62ea202f60dcb69703dcba7c59b2bf552c5ce2e951dfab0f1808af9e096a2
RemcosRAT
+ 683 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:fm unity persistence rat
Link:
https://tria.ge/reports/210917-w6ltvagbd8/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
fmunity247.ddns.net:6397
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/b7fd8e71-cf4c-43ba-a6f7-2438e08f47ce/
SH256 hash:
1f715d5b757b50e756c70424d15902f064ad12df112413e518b78c22a7372e9a
MD5 hash:
fc63cbe8a1d6c4b5c4c9eed806ecce86
SHA1 hash:
38aecfe339bd1fdfc4e55f732d27ac16af6c0ed6
Link:
https://www.unpac.me/results/b7fd8e71-cf4c-43ba-a6f7-2438e08f47ce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f715d5b757b50e756c70424d15902f064ad12df112413e518b78c22a7372e9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188779/

Comments