MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 210d63272f04545a7b964c5712b0157a9e9801500e063a15ecee4b2de2c87254. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 210d63272f04545a7b964c5712b0157a9e9801500e063a15ecee4b2de2c87254
SHA3-384 hash: d37f07be44333dc272d180f8e39c86924459fc111efa5d7f9266949603dc2f33baa8c72dfe0eeb4dfd87351adf849efe
SHA1 hash: e399c5bc013640afc56f21e19f45e971696f92f2
MD5 hash: 3295f12e797cd867575617f57c091b42
humanhash: fourteen-eight-kentucky-item
File name:doc_07621DERG7011220213300.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'140'224 bytes
First seen:2021-05-02 10:35:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9767403c4b88f5a1c65af955107e9428 (3 x RemcosRAT, 1 x FormBook)
ssdeep 24576:jNoIZGADWhQWycaZyTZwgwSQeyjJUD/7sltiH:jNoIZGrwzZyTZwgHQeyU43
Threatray 246 similar samples on MalwareBazaar
TLSH 0835AE21B3D08433D56E1A38CD1BB6FA5832BE013ED4A98B57B87D4C7F79A9079191C2
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/147895/
Detection(s):
Win.Trojan.Delf-9830573-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/706412
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 402126 Sample: doc_07621DERG7011220213300.exe Startdate: 02/05/2021 Architecture: WINDOWS Score: 100 29 www.swqrn.com 2->29 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 4 other signatures 2->51 7 doc_07621DERG7011220213300.exe 1 19 2->7         started        12 Aivjxn.exe 16 2->12         started        14 Aivjxn.exe 16 2->14         started        signatures3 process4 dnsIp5 31 ugzjpa.bn.files.1drv.com 7->31 33 onedrive.live.com 7->33 35 bn-files.fe.1drv.com 7->35 23 C:\Users\Public\Libraries\Aivjxn\Aivjxn.exe, PE32 7->23 dropped 53 Detected unpacking (changes PE section rights) 7->53 55 Detected unpacking (overwrites its own PE header) 7->55 57 Contains functionality to steal Chrome passwords or cookies 7->57 63 4 other signatures 7->63 16 doc_07621DERG7011220213300.exe 2 3 7->16         started        37 ugzjpa.bn.files.1drv.com 12->37 41 2 other IPs or domains 12->41 59 Multi AV Scanner detection for dropped file 12->59 61 Injects a PE file into a foreign processes 12->61 19 Aivjxn.exe 12->19         started        39 ugzjpa.bn.files.1drv.com 14->39 43 2 other IPs or domains 14->43 21 Aivjxn.exe 14->21         started        file6 signatures7 process8 dnsIp9 25 www.swqrn.com 185.140.53.230, 16108, 49732, 49733 DAVID_CRAIGGG Sweden 16->25 27 192.168.2.1 unknown unknown 16->27
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/210d63272f04545a7b964c5712b0157a9e9801500e063a15ecee4b2de2c87254/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-05-02 09:04:32 UTC
AV detection:
23 of 47 (48.94%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eegwgjzparkfu64wjrlrfmavpkpjqakqbyddufpm5zfs3ywiojka._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a
RemcosRAT
57a1ee826afb333572965abe745c06597d0111f75494c586619d6b23d9ceda10
RemcosRAT
5d20ab723dbc30184582ccec3877af8fbb8fc78f90d09fd680bf784325951ca3
RemcosRAT
6018d6795b86aef8d39205698ca166c8c5d413d06a8a1fa346741bd56ff0e307
RemcosRAT
6b19b6261188bd102c2139595fa66347ee5717906e85d9fa90fd20e4209a91b0
RemcosRAT
6b4cda8e0f766056eadbd9c59df82298fa4acbf7a6e526d36c4168e4f511bd8b
RemcosRAT
711e6d2b6ee80bd1ac945eee8aa67dfb485249f95bd0eb0357d33e302336a2fb
RemcosRAT
770239e721583e7852323517a01a9bc5ec4922e612104b48ae79ae442c0c697f
RemcosRAT
e4e47b27c701e89ac6a550ab1f8ecb6058c79d9f9bca9a56ec71e3baf01dc545
RemcosRAT
fee06f1a31cdd93b91bf8d0a5991023b2bf6d0ed2957c3bc0f40f05609eb689b
RemcosRAT
+ 236 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210502-6jrbgd9g7a/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Remcos
Malware Config
C2 Extraction:
www.swqrn.com:16108
Unpacked files
SH256 hash:
8f63001a412f92b1e28e17cf0ca84b5d4fa126a661cdae11c5221b7344c26999
MD5 hash:
77fbc4c0b74cf1b87fa3804f3c4c0ff1
SHA1 hash:
721f7b2c9db79c8a34b8ad43f103b22df632d2dc
Link:
https://www.unpac.me/results/76622580-31b1-4d55-a33d-e59862d84568/
SH256 hash:
210d63272f04545a7b964c5712b0157a9e9801500e063a15ecee4b2de2c87254
MD5 hash:
3295f12e797cd867575617f57c091b42
SHA1 hash:
e399c5bc013640afc56f21e19f45e971696f92f2
Link:
https://www.unpac.me/results/76622580-31b1-4d55-a33d-e59862d84568/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/210d63272f04545a7b964c5712b0157a9e9801500e063a15ecee4b2de2c87254

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/147895/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-02 11:04:17 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
3) [F0002.002] Collection::Polling
5) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
6) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0052] File System Micro-objective::Writes File
11) [C0007] Memory Micro-objective::Allocate Memory
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
14) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
15) [C0038] Process Micro-objective::Create Thread
16) [C0041] Process Micro-objective::Set Thread Local Storage Value
17) [C0018] Process Micro-objective::Terminate Process