MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 229803d2640463de8048f78dab377fe80cffd8f46b075eacb276358b1a78cd15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 229803d2640463de8048f78dab377fe80cffd8f46b075eacb276358b1a78cd15
SHA3-384 hash: bdab76e26babba25acac813e0222793bc84e0e32182350541013263e697992d3efb7f73b89bb60321e38867e59f870b3
SHA1 hash: 115c2f1c76d98a31d26a30619951bf75f2de176f
MD5 hash: 555d4f24d56f55ccac8dbe6a6cc29324
humanhash: queen-river-failed-saturn
File name:DHL.AWB-66546754.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'005'888 bytes
First seen:2023-04-04 05:34:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e221f4f7d36469d53810a4b5f9fc8966 (118 x GuLoader, 28 x RemcosRAT, 21 x Formbook)
ssdeep 24576:8rIN0o3NUIpiTsyNmJQssCtjfsVl8/+WM:ewXRIsyCtLe2/+
Threatray 526 similar samples on MalwareBazaar
TLSH T1B7252240BBABB517E6B757304DAACFA423B4BE913E3007332B6236971EF1352551A14E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4e4e4e4e4e4cc01 (2 x RemcosRAT)
Reporter abuse_ch
Tags:DHL exe RemcosRAT signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-20T04:09:21Z
Valid to:2025-10-19T04:09:21Z
Serial number: 69870e13f1556ea0ec897b3c0732f791ca33549c
Thumbprint Algorithm:SHA256
Thumbprint: 3c469c4d6b6235af3a514d363a72540cc7ebd9508ad3f06120a7b3b19b8b294f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL.AWB-66546754.exe
Verdict:
Malicious activity
Analysis date:
2023-04-04 05:35:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2ab67f72-2c23-4fcd-96a2-00c98e4d4643

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379848/
Detection(s):
SecuriteInfo.com.Variant.Tedy.334195.31525.8919.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Searching for the window
Creating a file
Delayed reading of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/642bb707a238e54ef507c6b7/reports/ab9e4b6f-e80f-4b43-babd-395265425ba5/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/229803d2640463de8048f78dab377fe80cffd8f46b075eacb276358b1a78cd15
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/04da5656-ebc1-44e3-a734-c6bc718b63f4
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207809
Signature
Detected unpacking (changes PE section rights)
Found potential ransomware demand text
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 840725 Sample: DHL.AWB-66546754.exe Startdate: 04/04/2023 Architecture: WINDOWS Score: 100 37 googlehosted.l.googleusercontent.com 2->37 39 geoplugin.net 2->39 41 2 other IPs or domains 2->41 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected GuLoader 2->59 61 Yara detected Remcos RAT 2->61 63 3 other signatures 2->63 8 DHL.AWB-66546754.exe 2 43 2->8         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\vcruntime140.dll, PE32 8->27 dropped 29 C:\Users\user\AppData\Roaming\...\msadomd.dll, PE32+ 8->29 dropped 31 C:\Users\user\...\System.Net.WebClient.dll, PE32+ 8->31 dropped 33 7 other files (none is malicious) 8->33 dropped 65 Detected unpacking (changes PE section rights) 8->65 67 Tries to detect Any.run 8->67 12 DHL.AWB-66546754.exe 3 16 8->12         started        signatures6 process7 dnsIp8 45 drive.google.com 142.250.184.206, 443, 49835 GOOGLEUS United States 12->45 47 googlehosted.l.googleusercontent.com 142.250.186.97, 443, 49836 GOOGLEUS United States 12->47 49 2 other IPs or domains 12->49 35 C:\ProgramData\remcos\logs.dat, data 12->35 dropped 69 Tries to detect Any.run 12->69 71 Maps a DLL or memory area into another process 12->71 73 Installs a global keyboard hook 12->73 17 DHL.AWB-66546754.exe 1 12->17         started        20 DHL.AWB-66546754.exe 1 12->20         started        22 DHL.AWB-66546754.exe 1 12->22         started        24 27 other processes 12->24 file9 signatures10 process11 dnsIp12 51 Tries to steal Instant Messenger accounts or passwords 17->51 53 Tries to steal Mail credentials (via file / registry access) 17->53 43 192.168.11.1 unknown unknown 24->43 55 Tries to harvest and steal browser information (history, passwords, etc) 24->55 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/229803d2640463de8048f78dab377fe80cffd8f46b075eacb276358b1a78cd15/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-04-04 00:35:51 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ekmahutearr55aci66g2wn375agp7whunmdv5lfsoy2ywgtyzukq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376
RemcosRAT
1a0b3222046f0838c8a536e376b898b6c97cdb821aaebae4f9ed0dc9eeb23b7c
RemcosRAT
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
RemcosRAT
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
RemcosRAT
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
RemcosRAT
c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d
RemcosRAT
d878b96dad5b242df04a937598ce6a20027ff414f2498e7c606116843d1c74f0
RemcosRAT
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
RemcosRAT
f4716cf29a2fa3ff5650ff6a4d35a26a5a534658fe7518fdf2c08554158db841
RemcosRAT
ff3949d2a8e0d6b08d2b8b643cdfc6a26f44352da217b4a537e9c16d96ed7198
RemcosRAT
+ 516 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost collection discovery downloader rat spyware stealer
Link:
https://tria.ge/reports/230404-f91jeadb37/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Accesses Microsoft Outlook accounts
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
155.94.136.161:2404
Unpacked files
SH256 hash:
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
MD5 hash:
ca332bb753b0775d5e806e236ddcec55
SHA1 hash:
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
Link:
https://www.unpac.me/results/ff8150bc-2f5c-4e31-97e3-c4c4513b01a4/
SH256 hash:
691ed74e60f820f5b1a66d739ff074503bd16f1b7743792bcf4840e9abbc8d2a
MD5 hash:
efa06cce09748a48345a33e7b79c588d
SHA1 hash:
8c7e2a319f1d097fbb378ddb2ce437c15778615d
Link:
https://www.unpac.me/results/ff8150bc-2f5c-4e31-97e3-c4c4513b01a4/
SH256 hash:
0f7b405e88ec8c9abc31a45b77fb4d3679e7512d0e51d6f43625bbecbd4131fc
MD5 hash:
e45a4501663f81ee22f2d310c3f740f3
SHA1 hash:
22092a32d31e6ad8aa976ec09ad1352ce6d22684
Link:
https://www.unpac.me/results/ff8150bc-2f5c-4e31-97e3-c4c4513b01a4/
SH256 hash:
229803d2640463de8048f78dab377fe80cffd8f46b075eacb276358b1a78cd15
MD5 hash:
555d4f24d56f55ccac8dbe6a6cc29324
SHA1 hash:
115c2f1c76d98a31d26a30619951bf75f2de176f
Link:
https://www.unpac.me/results/ff8150bc-2f5c-4e31-97e3-c4c4513b01a4/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/229803d26404/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/229803d2640463de8048f78dab377fe80cffd8f46b075eacb276358b1a78cd15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 229803d2640463de8048f78dab377fe80cffd8f46b075eacb276358b1a78cd15

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/379848/

Comments