MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21bd242ed07a92a9faef420a0b8bf377e83aaa9413ba4725da7f5c318182f7ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21bd242ed07a92a9faef420a0b8bf377e83aaa9413ba4725da7f5c318182f7ec
SHA3-384 hash: 4a44d59fc486b1f912f0ed69d9cec0df61b6ee6f0581e41bb5d2aae4a3e377d31d3eb30d5d75680d5b1da04763532f67
SHA1 hash: 88dccd0aa5a9ea79d58588e67db67baf765594fc
MD5 hash: eefe9c12a9664804a7b13e3f34839b18
humanhash: april-happy-coffee-spaghetti
File name:DOCUMENT.EXE
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'014'272 bytes
First seen:2022-07-06 15:00:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ab36861e060dd44fd8e4618504bc2e1 (8 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 12288:R3XJsk7QHcpqF/p9cPGLcoazHlCwdTrzO9sUvB6ZmKcSwu6:R3XGzgqF/pUDHYfvBQmHy
TLSH T175257D22A1C01633C4E71938ED8B57675E377E912A68984227F63C497F39E813AFD187
TrID 46.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
31.5% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
18.3% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
0.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.9% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon 33f098d2d6d8f033 (12 x RemcosRAT, 7 x DBatLoader, 6 x Formbook)
Reporter pr0xylife
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/285179/
Detection(s):
SecuriteInfo.com.UDS.Backdoor.Win32.Remcos.gen.4317.3965.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/24151/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/62c5a3ef783441cda10e00af/reports/69cc01d1-7758-4591-9575-de7d0acf2bcd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41395a16-addf-43c6-8ae1-cc9b6c5b361c
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1025699
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 658191 Sample: DOCUMENT.EXE Startdate: 06/07/2022 Architecture: WINDOWS Score: 100 57 Multi AV Scanner detection for domain / URL 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 63 5 other signatures 2->63 8 DOCUMENT.EXE 1 21 2->8         started        13 Nclhhqukrb.exe 15 2->13         started        15 Nclhhqukrb.exe 15 2->15         started        process3 dnsIp4 43 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49759, 49761 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->43 45 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49758, 49760 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->45 51 3 other IPs or domains 8->51 33 C:\Users\Public\Libraries33clhhqukrb.exe, PE32 8->33 dropped 35 C:\Users\Public\Libraries35clhhqukrbO.bat, ASCII 8->35 dropped 37 C:\Users\...37clhhqukrb.exe:Zone.Identifier, ASCII 8->37 dropped 73 Writes to foreign memory regions 8->73 75 Allocates memory in foreign processes 8->75 77 Creates a thread in another existing process (thread injection) 8->77 17 DpiScaling.exe 2 2 8->17         started        21 cmd.exe 1 8->21         started        47 onedrive.live.com 13->47 53 2 other IPs or domains 13->53 79 Multi AV Scanner detection for dropped file 13->79 81 Injects a PE file into a foreign processes 13->81 23 logagent.exe 13->23         started        49 onedrive.live.com 15->49 55 2 other IPs or domains 15->55 25 logagent.exe 15->25         started        file5 signatures6 process7 dnsIp8 39 dash.3utilities.com 185.191.231.249, 2404, 49775 UNREAL-SERVERSUS Netherlands 17->39 41 dash1.3utilities.com 185.176.220.74, 2404, 49776 LV-2CLOUD-ASN16LV Latvia 17->41 65 Contains functionalty to change the wallpaper 17->65 67 Contains functionality to steal Chrome passwords or cookies 17->67 69 Contains functionality to steal Firefox passwords or cookies 17->69 71 Delayed program exit found 17->71 27 cmd.exe 1 21->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21bd242ed07a92a9faef420a0b8bf377e83aaa9413ba4725da7f5c318182f7ec/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-06 14:57:12 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eg6silwqpkjkt6xpiifaxc7to7udvkuuco5eojo2p5oddamc67wa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/220706-sdvz9sgbc3/
Behaviour
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
dash.3utilities.com:2404
dash1.3utilities.com:2404
dash2.ddns.net:2404
bash.mywire.org:2404
bash1.accesscam.org:2404
dash3.ddns.net:2404
dash4.ddns.net:2404
bash2.accessscam.org:2404
Unpacked files
SH256 hash:
fc3e1d80925d9a8d64ed461baef4ffe90d6b43d7dc3ccba3660c2e3e5b13825e
MD5 hash:
bc5235878c2cdf1a61bee1985706540b
SHA1 hash:
e0edd8d8065ac6bfa55b437890f92db1c976f38e
Link:
https://www.unpac.me/results/3099d03f-ec71-45aa-8558-cab866feed80/
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/3099d03f-ec71-45aa-8558-cab866feed80/
SH256 hash:
21bd242ed07a92a9faef420a0b8bf377e83aaa9413ba4725da7f5c318182f7ec
MD5 hash:
eefe9c12a9664804a7b13e3f34839b18
SHA1 hash:
88dccd0aa5a9ea79d58588e67db67baf765594fc
Link:
https://www.unpac.me/results/3099d03f-ec71-45aa-8558-cab866feed80/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21bd242ed07a92a9faef420a0b8bf377e83aaa9413ba4725da7f5c318182f7ec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/285179/

Comments