MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 314a9315f4019c00c6a5747656830414b85e32c397b038f0d04d8623ff3d4e63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

SHA256 hash: 314a9315f4019c00c6a5747656830414b85e32c397b038f0d04d8623ff3d4e63
SHA3-384 hash: 98b97a2504a97dc266c70cf28c88f248fb7d2cafdf8ef5ae809ef75f8d0aa3d06a393c2fa68bad40857153fc4935f37c
SHA1 hash: 738f751a0dafa14b233c2fe49d269cfa35c706d1
MD5 hash: 4f8bda5b014b2dadca5f6df065dbd739
humanhash: mountain-one-wisconsin-sweet
File name: RFQ_Order WT013 - A11197322,pdf.exe
Signature: RemcosRAT
File size: 626'176 bytes
First seen: 2021-07-16 18:35:22 UTC
Last seen: 2021-07-16 19:53:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 70df4f508da1cb2b065dbece17e25f7a (1 x RemcosRAT)
ssdeep: 12288:lKFL7IAmNztEU8/zjQ6KnRkjjZ1qOeAm:lCLQNzeASj8
Threatray: 118 similar samples on MalwareBazaar
TLSH: T1F5D47E2775B1D437C1661A789C0777AEA922FA103E6C594B7BE50D8CEE3D1C23926383
Reporter: abuse_ch
Tags: exe RAT RemcosRAT

Intelligence

File Origin
# of uploads: 2
# of downloads: 167
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: RFQ_Order WT013 - A11197322,pdf.exe
Verdict: Malicious activity
Analysis date: 2021-07-16 18:40:03 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID: 450055; sample: RFQ_Order WT013 - A11197322...; start date: 16/07/2021; architecture: WINDOWS; score: 100)
Signatures attached to the root node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 6 other signatures
Process tree recovered from the graph:
  RFQ_Order WT013 - A11197322,pdf.exe (started from the root node)
    DNS/IP: q8s9nw.dm.files.1drv.com; 2 other IPs or domains
    Dropped file: C:\Users\Public\Libraries\...\Xgjxmnc.exe, PE32
    Signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    Starts: mshta.exe
      DNS/IP: goddywin.freedynamicdns.net 185.244.30.18, 1015, 49725 DAVID_CRAIGGG Netherlands
      Signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies; Delayed program exit found
  Xgjxmnc.exe (started from the root node)
    DNS/IP: q8s9nw.dm.files.1drv.com; 2 other IPs or domains
    Signatures: Allocates memory in foreign processes
    Starts: mobsync.exe
  Xgjxmnc.exe (started from the root node)
    DNS/IP: 192.168.2.1 unknown unknown; q8s9nw.dm.files.1drv.com; 2 other IPs or domains
    Starts: mshta.exe
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2021-07-16 18:36:04 UTC
AV detection: 15 of 28 (53.57%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:graced persistence rat
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction: goddywin.freedynamicdns.net:1015
Unpacked files
SHA256 hash: 7470d7a49c6e61e406c0e1cfb17ad86221ea7af972abb3da166c1ba1e9a1a7ed
MD5 hash: 9a495f6dc375d601c8aa5015c8a14a17
SHA1 hash: 0f167fabe37b1a5a44a9cbb40e84abb4303230a6
SHA256 hash: 314a9315f4019c00c6a5747656830414b85e32c397b038f0d04d8623ff3d4e63
MD5 hash: 4f8bda5b014b2dadca5f6df065dbd739
SHA1 hash: 738f751a0dafa14b233c2fe49d269cfa35c706d1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments