MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578
SHA3-384 hash:	3556d3008f36cbf38a05356239c123e949ccf99288fe65ae6ef0ba400d26a1d3fbcb7fa37b051ba0298ed38ea2dd5d65
SHA1 hash:	a37d8888c6f9edae97772f48097057514754fb21
MD5 hash:	962ea5390a53f29cad2d6762c38faa6e
humanhash:	mockingbird-beer-papa-nuts
File name:	22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'031'168 bytes
First seen:	2022-09-08 10:30:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4ece17b2e649d5a5008f1aa7cdee9f6f (4 x RemcosRAT, 1 x Formbook, 1 x ModiLoader)
ssdeep	12288:fMrKprISPxdtyWrV3vneDB5JkTEp9ybqTiQJ5KT7grzwGjReiOXRDJymf7fvO:fMmljztfw+woiiqPheiOXRDDvO
Threatray	1'825 similar samples on MalwareBazaar
TLSH	T11725AFE2B2E1DA3BD0131A79CD1BA3695C69BE402914644E27F2291CEF79343343F65B
TrID	68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.3% (.SCR) Windows screen saver (13101/52/3) 0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	ecdce4c48c9ce4c4 (14 x RemcosRAT, 9 x DBatLoader, 5 x Formbook)
Reporter	adrian__luca
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

339

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578

Verdict:

Suspicious activity

Analysis date:

2022-09-08 10:30:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b814cfc6-60e7-4027-aea6-8813e39e5853

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/308740/

Detection(s):

SecuriteInfo.com.Trojan.Siggen18.39208.15296.20834.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

DNS request

Sending a custom TCP request

Creating a file

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/37061/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger shell32.dll

Link:

https://www.filescan.io/uploads/6319c46abdec86ddb45c9f6b/reports/b5332843-319b-4c11-a861-2c535233fa77/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b311afb2-be0c-42cb-a7dc-d36e473cc51b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2022-08-29 15:23:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 40 (62.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=eld63cdueco5s3cz7paw3wbjqatst6p2gtajztsb633eobfpov4a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

0c65138d7e2ac35f76f3183ef14f3f4135c3637a53d0bb23f181c621d03b9aee

RemcosRAT

1180d20fb339a0d6d1b5e6d8c849c6f87906a719893ebbebbc2ec9e03bd9bf21

RemcosRAT

26f7e190b28c491aa3a3fa15f27e7cd614f838c9c434b11f53026e6df69d4afe

RemcosRAT

37d426143aa4467af9d3503d7d3e9013d0581d89d9494c8150ff949bb88e48d5

RemcosRAT

883bb860b3a9a3a3940c54fd2ed5bbc757c1cd762e2962017caea38942b132a5

RemcosRAT

ca8e5d3a010ed36cba1078f577a636bc288e382e57feac71c48612a2fddef489

RemcosRAT

e9cd6a0c902f16486ed4b3b3613d821e68773a76fb18c17ba1dfed33fc701036

RemcosRAT

+ 1'815 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos botnet:yk_air_np persistence rat trojan

Link:

https://tria.ge/reports/220908-mkcvdabedq/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

ModiLoader Second Stage

ModiLoader, DBatLoader

Remcos

Malware Config

C2 Extraction:

odi111.ddns.net:3546

Unpacked files

SH256 hash:

fdd6aa73f365a7d9bbe2fce078b2ea33f344cc1b16bd91a7c9f133a613eff082

MD5 hash:

5fcb2990d477aac49478640b807ef3e2

SHA1 hash:

41c106138d5dfe09d4579844804b61f6103b108a

Link:

https://www.unpac.me/results/78a21bdd-c26d-4cc4-aa1b-ae8d6cc9e05e/

SH256 hash:

53619866fb7adb9f5dcbed0dce75932a74830dc02351a6b6c819e9701a13ada1

MD5 hash:

38a86eff48873c72ca4d72f191a56f63

SHA1 hash:

25e96f601aa827d3b1ab70b0fdc67d0c15023b73

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/78a21bdd-c26d-4cc4-aa1b-ae8d6cc9e05e/

Parent samples :

e9f4a7f5f39ac0ea1fc287c5d9521667d3eca8344b2e60fe26f9f795d7f53a8d
2e86f98ee2dc99164970b21058123fda31af9feb290e14646c3a6f49525f2fcc
5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4
b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7
6620f97090422729f9d69268a68b76cc854f81cd97c25f3463315344ba3d639e
eae13c9aa0b286157c56819381b92a4a6d8e2607f553e7b71539b1959f2cd7a2
efa8f5c281c591960f2a8f508f278b1541de0c308f4039432307de4e0f25627c
aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe
d9d5ed4a3733ad8d8edcdd4a4e36f965f3ad5b0b0bb38b54acd9091ee99ff7cf
9e6da348b123ec110ed3d923198f378f6398a6e1f87d3a440340c5ab479e6912
ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9
22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578

SH256 hash:

22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578

MD5 hash:

962ea5390a53f29cad2d6762c38faa6e

SHA1 hash:

a37d8888c6f9edae97772f48097057514754fb21

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/78a21bdd-c26d-4cc4-aa1b-ae8d6cc9e05e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/308740/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample