MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21d5d5d31a4a17556ceb223272f3e908a352485dcd90dc203c99826638e7cbd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	21d5d5d31a4a17556ceb223272f3e908a352485dcd90dc203c99826638e7cbd9
SHA3-384 hash:	994c021290541c0740140464f9fa5f772e8c00bde94982d8c7ee31b98a57a6dcf2322a9706e30e6acd402d31b6b13cb5
SHA1 hash:	8dade95ddbd3c29d8d6e5e47ee4c8eb0bbac0e65
MD5 hash:	b25559abb9260a598d98bf66b7725784
humanhash:	timing-winter-finch-mirror
File name:	SecuriteInfo.com.Trojan7000000f1.31576.17282
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	879'616 bytes
First seen:	2022-08-08 19:46:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e255f1b19dfc7ff6f132b8c413389fff (1 x RemcosRAT, 1 x DBatLoader)
ssdeep	12288:Sc7elJklzOj0DyChjxBTGKvF95o7q3PtSGasoVF:S98zOoyChjxll53FdC
TLSH	T16D157E22E17194FACC66A639896693A4E4217C10295CFE4B37ED3CCA9F346C7A53F143
TrID	68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.3% (.SCR) Windows screen saver (13101/52/3) 0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c730f4e4d4d830c7 (5 x DBatLoader, 3 x Formbook, 2 x RemcosRAT)
Reporter	SecuriteInfoCom
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

322

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

SecuriteInfo.com.Trojan7000000f1.31576.17282

Verdict:

Malicious activity

Analysis date:

2022-08-08 19:47:57 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/b5436216-b945-46c8-8c70-838c2859c92e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/297192/

Detection(s):

SecuriteInfo.com.Trojan7000000f1.31576.17282.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Running batch commands

Creating a process with a hidden window

Launching cmd.exe command interpreter

Launching the process to interact with network services

Launching a process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/28390/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

keylogger netwire

Link:

https://www.filescan.io/uploads/62f16873c0d6ca9332730255/reports/d085f617-b2be-4950-93eb-a418015e3fbb/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/67386fe6-59a1-413d-8840-2679752a8ba3

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1048120

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21d5d5d31a4a17556ceb223272f3e908a352485dcd90dc203c99826638e7cbd9/

Threat name:

Win32.Trojan.NetWired

Status:

Malicious

First seen:

2022-08-08 17:41:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ehk5luy2jilvk3hleizhf47jbcrvesc5zwinyib4tgbgmohhzpmq._file

Verdict:

malicious

Label(s):

remcos

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos botnet:remotehost persistence rat trojan

Link:

https://tria.ge/reports/220808-yhhtdshcg2/

Behaviour

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Blocklisted process makes network request

ModiLoader, DBatLoader

Remcos

Malware Config

C2 Extraction:

hendersonk1.hopto.org:2404
henderson1.camdvr.org:2404
centplus1.serveftp.com:2404
harrywlike.ddns.net:2404
genekol.nsupdate.info:2404
harrywlike1.ddns.net:2404
hendersonk2022.hopto.org:2404
genekol1.nsupdate.info:2404
generem.camdvr.org:2404

Unpacked files

SH256 hash:

dae03f035dca12ffa33f3fee03fa37a5329b6d68c1ea16f1433278e3c192f934

MD5 hash:

d7d31cd80ef706fbdbe0433270949e72

SHA1 hash:

4f5c50829960ce00e7d60ad625a55599e17fce5b

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/39de727e-0f39-4e0a-95c9-4f1bb398ffd5/

Parent samples :

b7aacc2b12e6e8f89a954e2623b6a53137257e4039ecc45311998caf6cd41cf0
0f94dbc5795808376e1f58af647fe522762836503be7c601a76a59b538f8e9f1
88502779764c4ceacff4b4a39a389bf13389b734f99e76160c865a2da6d21bee
868e3a9f49c41cd1823e765cc8d2e97453ada6baac959e58187e1a337db01b96
1dddbd9bb1c2ed3b0ac846f3dcfbfd99909394f17a813be425b1870ef0f52c5e
e233d86e74d3846be66e323c4850b495c66658ca63cd28ec1a47a3b0c95f7559
5fabffc9eb6177ac29a1e51bf2a8bde55ddd97e2f7c86134eb2512b927f1232e
15e1d48f4ba136aa876c88c4fb16fe160795f40e9850252ce1a4f3a695b4fcb7
663b7bc66499e507ca1f8fad6e42195a54fe242db3cc71bf4762952fe04ce5ee
21d5d5d31a4a17556ceb223272f3e908a352485dcd90dc203c99826638e7cbd9
cd06021301a3677a02936aa5820f303d7aa650f63366266b75e553c669be08f5
35cf771ddfdab8d8f18d4ee2b4841602be4bc77f9d952ecd5f9e870160cfe8f8

SH256 hash:

21d5d5d31a4a17556ceb223272f3e908a352485dcd90dc203c99826638e7cbd9

MD5 hash:

b25559abb9260a598d98bf66b7725784

SHA1 hash:

8dade95ddbd3c29d8d6e5e47ee4c8eb0bbac0e65

Link:

https://www.unpac.me/results/39de727e-0f39-4e0a-95c9-4f1bb398ffd5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/21d5d5d31a4a17556ceb223272f3e908a352485dcd90dc203c99826638e7cbd9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/297192/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample