MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22eb93bbc1e2fbfc6435a3e3514684d17c3577e4edae4bb76470212e72b70e89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22eb93bbc1e2fbfc6435a3e3514684d17c3577e4edae4bb76470212e72b70e89
SHA3-384 hash: 38caeebe0e6cdc140a68e0c70f05636bae6be99f3c9a68dd523f6aa5502ab537780eddd2d74790e530ece0c6388daad8
SHA1 hash: 27164d3a46371fced7048c360234168b9f14bb00
MD5 hash: 304d2c9bfcb267e55e0ae271282be76c
humanhash: sierra-georgia-ink-happy
File name:ScanDocument_00E7HFHRU485657EYDGRHEY4857RY4ETEE.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:764'928 bytes
First seen:2022-07-15 07:34:59 UTC
Last seen:2024-07-24 12:10:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 18f85d098be21d07cafd3921b5691c65 (3 x RemcosRAT, 2 x Formbook, 1 x AveMariaRAT)
ssdeep 12288:2b44V+BUxttW33c90UPj6c1AjRaHIFsqrHkRE:2E4V7tW3SF1DofjkR
Threatray 2'287 similar samples on MalwareBazaar
TLSH T1E3F42B13B5B1CC72C426DA7B8C1BF7A85E2F7E203E14794F3AE43A1D6E366903915192
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 27d0d8d6d6d8d027 (11 x RemcosRAT, 5 x Formbook, 5 x DBatLoader)
Reporter cocaman
Tags:exe payment RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
ScanDocument_00E7HFHRU485657EYDGRHEY4857RY4ETEE.exe
Verdict:
Malicious activity
Analysis date:
2022-07-14 14:50:22 UTC
Tags:
trojan rat remcos
Link:
https://app.any.run/tasks/9c1bac34-5c99-42d7-b751-bdb1d929e6bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/289429/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.175.19809.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/25284/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/62d118aa01fde6ede6833232/reports/90bf4e43-dd66-47a8-9fe4-b6dc1c9c055e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/91dc436f-b4c3-47d5-8695-b5003f4a6812
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1032280
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 664774 Sample: ScanDocument_00E7HFHRU48565... Startdate: 15/07/2022 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 6 other signatures 2->55 7 ScanDocument_00E7HFHRU485657EYDGRHEY4857RY4ETEE.exe 1 18 2->7         started        12 Dwxekr.exe 13 2->12         started        14 Dwxekr.exe 13 2->14         started        process3 dnsIp4 39 vervain.co.in 199.79.62.221, 443, 49743, 49749 PUBLIC-DOMAIN-REGISTRYUS United States 7->39 31 C:\Users\Public\Libraries\Dwxekr.exe, PE32 7->31 dropped 33 C:\Users\...\Dwxekr.exe:Zone.Identifier, ASCII 7->33 dropped 63 Writes to foreign memory regions 7->63 65 Allocates memory in foreign processes 7->65 67 Creates a thread in another existing process (thread injection) 7->67 16 SndVol.exe 2 15 7->16         started        69 Multi AV Scanner detection for dropped file 12->69 71 Machine Learning detection for dropped file 12->71 73 Injects a PE file into a foreign processes 12->73 20 SndVol.exe 12->20         started        22 mobsync.exe 14->22         started        file5 signatures6 process7 dnsIp8 35 www.ugodengerguard.xyz 91.192.100.47, 2404, 49768, 49771 AS-SOFTPLUSCH Switzerland 16->35 37 geoplugin.net 178.237.33.50, 49772, 80 ATOM86-ASATOM86NL Netherlands 16->37 41 Performs DNS queries to domains with low reputation 16->41 43 Contains functionality to steal Chrome passwords or cookies 16->43 45 Contains functionality to inject code into remote processes 16->45 47 3 other signatures 16->47 24 SndVol.exe 1 16->24         started        27 SndVol.exe 2 16->27         started        29 SndVol.exe 1 16->29         started        signatures9 process10 signatures11 57 Tries to steal Instant Messenger accounts or passwords 24->57 59 Tries to steal Mail credentials (via file / registry access) 24->59 61 Tries to harvest and steal browser information (history, passwords, etc) 27->61
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22eb93bbc1e2fbfc6435a3e3514684d17c3577e4edae4bb76470212e72b70e89/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-07-14 07:27:27 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=elvzho6b4l57yzbvuprvcrue2f6dk57e5wxexn3eoaqs44vxb2eq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0a7baae0933a14082beb95b1c5484dd958e333f7fc499f645c1d550d8ad124a1
RemcosRAT
1015aaf219bd6c756e9e5224d219ed551795585e383fb4a6d2a566e7c8dabad5
RemcosRAT
62671da23d0acb718d487ed7e7ad280f615915d3551e0a65b0ac82966a6610d9
RemcosRAT
7c46360bc0f882b7d7a6603ce5f141914e645b4afb7f4951cc3e29d76908c518
RemcosRAT
81b648fca4135b631044dd68aee71ee704dcc930ae635658b9438585c5dc6b90
RemcosRAT
91dfebe2d0d1f9ac3e495529066a6cd987ad302d33be7fb7fc744f5905daf832
RemcosRAT
ba02bac73b14833463ceaa2380d5b040be444ccd53bd01e33ee4a442f8219ffc
RemcosRAT
d3b0ff3262302f0478cdc55f8d77d9d7c999255282a3181bd6cc09a252077ee9
RemcosRAT
+ 2'277 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat suricata trojan
Link:
https://tria.ge/reports/220715-jensxaefel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
NirSoft WebBrowserPassView
Nirsoft
ModiLoader, DBatLoader
Remcos
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
Malware Config
C2 Extraction:
www.ugodengerguard.xyz:2404
Unpacked files
SH256 hash:
dc0377ea26efeb8d3411b8a861a20c9fa07af02308075ed1a8a7b849980893f1
MD5 hash:
5bff59b56c06a281b66ef4e919ce560c
SHA1 hash:
d8b49405898da4060988afe98219d5b62e4e2a7a
Link:
https://www.unpac.me/results/42897b19-30d4-4e7f-b0e2-0d8c1727b6a4/
SH256 hash:
22eb93bbc1e2fbfc6435a3e3514684d17c3577e4edae4bb76470212e72b70e89
MD5 hash:
304d2c9bfcb267e55e0ae271282be76c
SHA1 hash:
27164d3a46371fced7048c360234168b9f14bb00
Link:
https://www.unpac.me/results/42897b19-30d4-4e7f-b0e2-0d8c1727b6a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/22eb93bbc1e2fbfc6435a3e3514684d17c3577e4edae4bb76470212e72b70e89

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar d5e1856fb4dc42f516949e2a8196d86845164a0b50804f4225abae23a21600df

RemcosRAT

Executable exe 22eb93bbc1e2fbfc6435a3e3514684d17c3577e4edae4bb76470212e72b70e89

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/289429/
  
Dropped by
SHA256 d5e1856fb4dc42f516949e2a8196d86845164a0b50804f4225abae23a21600df
  
Dropped by
MD5 9d6772ba244c11bdc0c052cc1c98a876

Comments