MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a51f81fe3b66e5d065e15fccc4c0e767a01ceafcee23d8ab66c04c48b9bc8f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a51f81fe3b66e5d065e15fccc4c0e767a01ceafcee23d8ab66c04c48b9bc8f9
SHA3-384 hash: a03634adc80bd0b5c072adb7af89543bb383fb3a2c622c518768ec357b34f1572fb96cd9f19068cfd613949790940feb
SHA1 hash: 5a41c9146a568518b512d51c9dc5fe3c34886603
MD5 hash: e8c2d77ca70d2590270ace40dac84638
humanhash: wyoming-floor-maine-eight
File name:RFQ_AP65425652_032421 urgentespdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:849'408 bytes
First seen:2021-10-01 17:50:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8bef6a4d96b506b71db09bffc4184dc7 (5 x RemcosRAT)
ssdeep 12288:tFJgcBmkZEwyRiET71YDWV0YLE+VotReP3mfCL9tZK6O90Oe6jkOGbGR:HGe5aXRiEiDWVxL8qPm6L9tZ2jG
Threatray 685 similar samples on MalwareBazaar
TLSH T17C056C2B1DF01CB2C421167C1C9DA3D67861AF7B1F2F966903FE1D4D2B2B176B42A612
File icon (PE):PE icon
dhash icon 36f0390284e2da70 (12 x RemcosRAT, 7 x Formbook, 1 x OskiStealer)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_AP65425652_032421 urgentespdf.exe
Verdict:
Malicious activity
Analysis date:
2021-10-01 17:59:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/78ea6a4b-300b-4def-8d40-1cd7b1833a5f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194034/
Detection(s):
Win.Trojan.Remcos-9897068-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/93136e5f-90df-46fa-9aaa-b3e39f932857
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862835
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 495263 Sample: RFQ_AP65425652_032421 urgen... Startdate: 01/10/2021 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 6 other signatures 2->65 8 RFQ_AP65425652_032421 urgentespdf.exe 1 22 2->8         started        13 Ioobkcf.exe 15 2->13         started        15 Ioobkcf.exe 15 2->15         started        process3 dnsIp4 45 ztmjmg.sn.files.1drv.com 8->45 47 sn-files.fe.1drv.com 8->47 49 onedrive.live.com 8->49 41 C:\Users\Public\Libraries\...\Ioobkcf.exe, PE32 8->41 dropped 75 Writes to foreign memory regions 8->75 77 Creates a thread in another existing process (thread injection) 8->77 79 Injects a PE file into a foreign processes 8->79 17 DpiScaling.exe 2 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        51 ztmjmg.sn.files.1drv.com 13->51 55 2 other IPs or domains 13->55 81 Multi AV Scanner detection for dropped file 13->81 25 mobsync.exe 13->25         started        53 ztmjmg.sn.files.1drv.com 15->53 57 2 other IPs or domains 15->57 27 logagent.exe 15->27         started        file5 signatures6 process7 dnsIp8 43 manneedmoney.ddns.net 185.244.30.19, 49758, 6642 DAVID_CRAIGGG Netherlands 17->43 67 Contains functionality to steal Chrome passwords or cookies 17->67 69 Contains functionality to inject code into remote processes 17->69 71 Contains functionality to steal Firefox passwords or cookies 17->71 29 reg.exe 1 21->29         started        31 conhost.exe 21->31         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        73 Delayed program exit found 25->73 signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a51f81fe3b66e5d065e15fccc4c0e767a01ceafcee23d8ab66c04c48b9bc8f9/
Threat name:
Win32.Downloader.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-10-01 17:50:19 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fji7qh7dwzxf2bs6cx6mytaooz5adtvpz3rd3cvwnqcmjc43zd4q._file
Verdict:
malicious
Similar samples:
026668d9855f0c4aac1cb86f163e6e28569a5a4d53d0bde93ac9880a90a8225c
RemcosRAT
0e18df1488198f73ac693eac37584967930540fcaaeca8403f4d8fa2c1126bcd
RemcosRAT
2e9931ce396fe83b4bb02bfda2e15c99ed8b0f11574fe26db531d46354fe5199
RemcosRAT
42d7b502dea09c3cdb997873cee2edcfd5ff84059735faf712111ea5542a065e
RemcosRAT
53161d93cb29f05046231661f5f22988c932dbe84a9ff10e23e5b16cd6199c7e
RemcosRAT
6ee87843a613bf888304843d62cec0507600503af4260024e4b37efdd829cd40
RemcosRAT
ad9f923641c74fc714114423f52d1ef7d1de87e5c40c46377f2718532c0848ae
RemcosRAT
eac2512bff3db9994fa6e61b9ce95ea395e87009200fc18b017e2101e529541b
RemcosRAT
fccbac4760c07819a29dbf1df5d06aa8de89f34cf41b77913e6c2d3fbe578060
RemcosRAT
+ 675 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/211001-we54eachhq/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Unpacked files
SH256 hash:
f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703
MD5 hash:
6cfdeebc3c72279486ddd229eb14b009
SHA1 hash:
e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7
Link:
https://www.unpac.me/results/1134a8e2-e3d5-45bc-8d65-ab4a98d774cc/
SH256 hash:
2a51f81fe3b66e5d065e15fccc4c0e767a01ceafcee23d8ab66c04c48b9bc8f9
MD5 hash:
e8c2d77ca70d2590270ace40dac84638
SHA1 hash:
5a41c9146a568518b512d51c9dc5fe3c34886603
Link:
https://www.unpac.me/results/1134a8e2-e3d5-45bc-8d65-ab4a98d774cc/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2a51f81fe3b6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a51f81fe3b66e5d065e15fccc4c0e767a01ceafcee23d8ab66c04c48b9bc8f9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/194034/

Comments