MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b
SHA3-384 hash: 8df3c0488500aa9ad153b4e825a51563716be4bdf7cd34fbc6442b835260f22a0e69f1f49bc8898cedde3a12359fd7d7
SHA1 hash: 7d479edf5dc249fd73f6b27280e01e2410c262ca
MD5 hash: 719e3c1a9d39bb9c2b64eee13015ac9f
humanhash: blossom-high-alabama-uniform
File name:DHL EXPRESS_Pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:952'320 bytes
First seen:2023-04-03 12:28:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:wxbHSd3/vVz+wypdSPhA4oS1VQYzyjv5Djii:wxTSd3n0wdpieVbyjBDjii
Threatray 1'773 similar samples on MalwareBazaar
TLSH T15A152210331D6B2BDA5F46FD44716086033E8A77A306E7EE5CD468797AE3B24091AEC7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 32c29292b2e88e82 (7 x Formbook, 6 x RemcosRAT, 2 x AgentTesla)
Reporter abuse_ch
Tags:DHL exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
DHL EXPRESS_Pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-03 12:42:27 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/2c063b3f-29d7-4c98-afe5-5b299bd5576a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/379625/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit packed
Link:
https://www.filescan.io/uploads/642ac6905a075383fbff352f/reports/a38f4f2d-d6d8-44ce-ab32-526a76063256/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6b1eef19-17e9-4f9b-b6a5-cad2f7c11c45
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207464
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 840377 Sample: DHL_EXPRESS_Pdf.exe Startdate: 03/04/2023 Architecture: WINDOWS Score: 100 74 Multi AV Scanner detection for domain / URL 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus detection for URL or domain 2->78 80 9 other signatures 2->80 9 DHL_EXPRESS_Pdf.exe 7 2->9         started        13 OIyUQGxIB.exe 5 2->13         started        15 remcos.exe 2->15         started        17 2 other processes 2->17 process3 file4 62 C:\Users\user\AppData\Roaming\OIyUQGxIB.exe, PE32 9->62 dropped 64 C:\Users\...\OIyUQGxIB.exe:Zone.Identifier, ASCII 9->64 dropped 66 C:\Users\user\AppData\Local\...\tmp2B77.tmp, XML 9->66 dropped 68 C:\Users\user\...\DHL_EXPRESS_Pdf.exe.log, CSV 9->68 dropped 90 Contains functionality to bypass UAC (CMSTPLUA) 9->90 92 Contains functionality to steal Chrome passwords or cookies 9->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 9->94 102 3 other signatures 9->102 19 DHL_EXPRESS_Pdf.exe 2 4 9->19         started        22 powershell.exe 18 9->22         started        24 schtasks.exe 1 9->24         started        96 Multi AV Scanner detection for dropped file 13->96 98 Machine Learning detection for dropped file 13->98 26 schtasks.exe 13->26         started        28 OIyUQGxIB.exe 13->28         started        30 OIyUQGxIB.exe 13->30         started        100 Injects a PE file into a foreign processes 15->100 32 schtasks.exe 15->32         started        34 remcos.exe 15->34         started        signatures5 process6 file7 58 C:\ProgramData\Remcos\remcos.exe, PE32 19->58 dropped 60 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 19->60 dropped 36 remcos.exe 5 19->36         started        39 conhost.exe 22->39         started        41 conhost.exe 24->41         started        43 conhost.exe 26->43         started        45 conhost.exe 32->45         started        process8 signatures9 82 Multi AV Scanner detection for dropped file 36->82 84 Machine Learning detection for dropped file 36->84 86 Adds a directory exclusion to Windows Defender 36->86 88 Injects a PE file into a foreign processes 36->88 47 remcos.exe 36->47         started        50 powershell.exe 36->50         started        52 schtasks.exe 36->52         started        process10 dnsIp11 70 fresh03.ddns.net 103.169.34.187, 34110, 49695 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 47->70 72 geoplugin.net 178.237.33.50, 49696, 80 ATOM86-ASATOM86NL Netherlands 47->72 54 conhost.exe 50->54         started        56 conhost.exe 52->56         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-04-03 12:29:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fzggzqyhaxqttdvbtudexv6pxjmejb4yvaptzcnyn6tgoueqjj5q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0f27e5f647e28a535aa0ab9dde5c707150431f10c62d12f1e192ea02d698b3e4
RemcosRAT
0f8c7d288333c8d1c5d450abeaf869de3d58eb5e8d16138c52b0391cf7a645cc
RemcosRAT
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b
RemcosRAT
7e09b162052fa0f01f2d48609446e1cc66fea01afa412d5aee4cca9afa98fe52
RemcosRAT
8aad378acd6bb2912809751007cc762facf7eefcc867b5fd8ace1e1728329c08
RemcosRAT
c9ec59e23695adca831f06aca398c511cac81f2fd65c7353f14b4725791ab80a
RemcosRAT
dacbcd625ca7774424759d127d5fd0a02acfd39c9e15caab4b76d64caa6357a4
RemcosRAT
df98e5b50efcf7aedf479030e51ca5b9990fad9f0d20d729bb106198ddee923e
RemcosRAT
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54
RemcosRAT
+ 1'763 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:upgraded001 persistence rat
Link:
https://tria.ge/reports/230403-pnxp3agc2w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
fresh03.ddns.net:34110
Unpacked files
SH256 hash:
4ef7b60d3fdfe584f4a58f792d7ff432765e464c32966ba6c8482b0d8949d6ff
MD5 hash:
408e8a0eedb376a7a005a6bfd36d6438
SHA1 hash:
a2b7d842a7a6a774fbb87e5d5334f512de77b89d
Link:
https://www.unpac.me/results/89629543-32d9-47e5-8092-6fd3f8153a27/
SH256 hash:
ab8c34704eee9b8f6f23aeeb6c2f6c24d4fbe2c9cc9beb08913d87d1ca4fa66d
MD5 hash:
5452a2ec0bc2398b66852ceddb3c6a2f
SHA1 hash:
960c0f730bfa4ff6c385ac4a0582520f137663dd
Link:
https://www.unpac.me/results/89629543-32d9-47e5-8092-6fd3f8153a27/
SH256 hash:
117dadd0e280d89a26ba3730c87ac7b4e7c40d2bfdb42fde3645b115fb096c61
MD5 hash:
78577b04e7f03c8c03d46c9bccfd3e7a
SHA1 hash:
8a12cec088e3ac421caaf8b4a3776654d86df0d2
Link:
https://www.unpac.me/results/89629543-32d9-47e5-8092-6fd3f8153a27/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/89629543-32d9-47e5-8092-6fd3f8153a27/
SH256 hash:
eb99b9052fb1b154c9731f36fca6c148da71b530f530994427e8886e36f8dffe
MD5 hash:
5d9356dc1909e3385a1b77a1032fecd0
SHA1 hash:
052ee55ae083fe331d00ea3335cd3f68cd08ffdc
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/89629543-32d9-47e5-8092-6fd3f8153a27/
Parent samples :
28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c
3d1a75579ef0717708782f63318b36e8dc0356fc477370ad9c69feac793a6a95
50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3
f3e4dd541766cd7a3af91ef964b91ded632f13ebe69bd4fb5eadd563c0207059
2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b
SH256 hash:
2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b
MD5 hash:
719e3c1a9d39bb9c2b64eee13015ac9f
SHA1 hash:
7d479edf5dc249fd73f6b27280e01e2410c262ca
Link:
https://www.unpac.me/results/89629543-32d9-47e5-8092-6fd3f8153a27/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2e4c6cc30705/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/379625/

Comments