MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31a6f2f0d3d503cabf02e31fee5edab37f32c97360f9204654130ab98f5143b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31a6f2f0d3d503cabf02e31fee5edab37f32c97360f9204654130ab98f5143b6
SHA3-384 hash: 3de73b0cc1560c285671c29a0a2e2cb1873418672fad851178f93d00023414aebd9d74962803cee05fecab9fb85e0744
SHA1 hash: 5ad8b062685df7f18da8c5cc0209f25f37997ad3
MD5 hash: be108727bbee85202d678cff28cc598d
humanhash: harry-neptune-arizona-three
File name:Standard Bank Payment Notification
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:921'088 bytes
First seen:2022-04-11 17:50:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f80d1f9d9f013af2a55533ae8960c8c (5 x Formbook, 2 x DBatLoader, 2 x RemcosRAT)
ssdeep 24576:niZakGXsru5PAKhEqmlydutZUoEtdPgQb:niWcWfPgQ
Threatray 7'121 similar samples on MalwareBazaar
TLSH T1E1159F12F2918A32D47B1A788C1B57B59937BF532E1C678737E42D5C3E79A8038292D3
File icon (PE):PE icon
dhash icon 0c321272b98ca6d9 (12 x Formbook, 7 x RemcosRAT, 5 x DBatLoader)
Reporter abuse_ch
Tags:exe RemcosRAT Standard Bank Payment Notification

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Standard Bank Payment Notification
Verdict:
Malicious activity
Analysis date:
2022-04-11 23:32:28 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/1a1b208a-f6f2-456d-83f2-940d73ab875b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262772/
Detection(s):
SecuriteInfo.com.Artemis755B93294558.23573.6347.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13511/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger shell32.dll
Link:
https://www.filescan.io/uploads/62546a8affe27d5119ab7f61/reports/add65d65-d17e-466f-b677-546cab2610a1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5266400a-d0c6-4e50-b32c-cf1cd274ba79
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/974804
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Suspicious Program Location with Network Connections
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 607287 Sample: Standard Bank Payment Notif... Startdate: 11/04/2022 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 4 other signatures 2->57 8 Standard Bank Payment Notification.exe 1 20 2->8         started        13 Oqjjzoj.exe 15 2->13         started        15 Oqjjzoj.exe 15 2->15         started        process3 dnsIp4 37 i-am3p-cor003.api.p001.1drv.com 40.90.142.224, 443, 49736, 49738 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->37 39 wbavrg.am.files.1drv.com 8->39 45 3 other IPs or domains 8->45 33 C:\Users\Public\Libraries\Oqjjzoj.exe, PE32 8->33 dropped 67 Writes to foreign memory regions 8->67 69 Creates a thread in another existing process (thread injection) 8->69 71 Injects a PE file into a foreign processes 8->71 17 DpiScaling.exe 2 8->17         started        21 cmd.exe 1 8->21         started        41 wbavrg.am.files.1drv.com 13->41 47 3 other IPs or domains 13->47 23 DpiScaling.exe 13->23         started        43 am-files.ha.1drv.com 13.104.158.179, 443, 49752, 49754 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->43 49 3 other IPs or domains 15->49 25 DpiScaling.exe 15->25         started        file5 signatures6 process7 dnsIp8 35 79.134.225.44, 49746, 49750, 49755 FINK-TELECOM-SERVICESCH Switzerland 17->35 59 Contains functionality to steal Chrome passwords or cookies 17->59 61 Contains functionality to inject code into remote processes 17->61 63 Contains functionality to steal Firefox passwords or cookies 17->63 65 Delayed program exit found 17->65 27 cmd.exe 1 21->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31a6f2f0d3d503cabf02e31fee5edab37f32c97360f9204654130ab98f5143b6/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-04-11 17:51:09 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ggtpf4gt2ub4vpyc4mp64xw2wn7tfsltmd4sarsucmfltd2rio3a._file
Verdict:
malicious
Similar samples:
03632b99b5401681e8dacf45710bfce9919f840843b836bad53c3113dacb097e
RemcosRAT
27309bb8844a4d48af2527787b781fdac2917d6f75f870743428a3e7aa44fc1a
RemcosRAT
6353828ddb8f70dd9a535d3314ac328b044539563334f093173b86fd96e24707
RemcosRAT
6458542795cc0a40d4ab238e2be5fb15546d5ca38e52d1f9c7d4157dca27679a
RemcosRAT
6e0e8d1cb340a26f3e8294c7b07ce486b56afcabfb90b7e20e4331b6384a85ce
RemcosRAT
8fb9ddc78aef013fcbc8ff38135972fdacf66a871cc4b42f719efefe2255219f
RemcosRAT
afb058fdd8aa200fe754289c9b48d8876f4bbd7cbcefc964742d76c32a990340
RemcosRAT
b161e9594ef8849e7a1c09a801b5d248cfff6b08c65ed6459dda75b25fdeafee
RemcosRAT
c122639d652908b10751cb546a1c48e753427aa4d74f6a638fcb6c829b65e12f
RemcosRAT
f72d7e445702bbf6b762ebb19d521452b9c76953d93b4d691e0e3e508790256e
RemcosRAT
+ 7'111 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:loostime persistence rat trojan
Link:
https://tria.ge/reports/220411-we5smsbdb3/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
79.134.225.44:6809
Unpacked files
SH256 hash:
53ac01aeca155b02914c382b97c6f89cf21d6280f488a30eca707bdb9693ce88
MD5 hash:
c755150a74c084c199d24042e9796f35
SHA1 hash:
0fea1a6ae181215deb872c5bb4d2f9ee242f3319
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/54d1003d-74b8-4d23-a42e-255be0c73a8c/
Parent samples :
bdbae233809182b9302bbd8701a1919dff782e16cd1c96de1a880f93fbeed86d
83e75d66402eaea2f768c66c07416c4b37cd5cbdfbfd5cb12346c9e81a976862
239419437726bda1c5401f36629aa95050346433232192947ca54890ebb8a39f
d0c1da0838f1eca9ec854e342f707688f1c609fbc2fb0c1cb86624ce51cf71f8
be4b642f44ecf847a15699b7a93f52876389fedf12c8b03e51a4ec5c14032bc7
31a6f2f0d3d503cabf02e31fee5edab37f32c97360f9204654130ab98f5143b6
4c11534aab96c1a9ab0a353431241cf62249290248b553b85daf9bb3b23efbf7
48d05f98dc0e107ca09492b3f4e3728464d8c844870057c0aabc728f0043b2f7
3a62728317a01630a7be9167c9223d451bff0384568482468a9d195a5679f533
4e3b7e84edc257cfc5c6d581272695e2ef520f47b6fa8e179960d52f0f0a3140
47beadcc391c39dc4614d8afff3312f46d4c2666447a82bb8052cfcfb2c7e0df
c73ddd4b47e7691c3655bb1aa5ac034368f865fbc40c22b20c6ab774cb23dd31
fb1585455a00f739a0417c47ac5b948fe9df597f8fed63ed3584931031bdfcd2
3ba7ad2a718413ab6d36dd156bbdd5ac1bcca860f039b14c4cb4382aee58bc88
1d4a9312ebe74b0ea65b5b67ecfadc414a891c4a610369dc017966cb2a2d618b
83d7062a6e44aed6a161da23937cc66f97982e045d933dc4dd2049df4496d34b
735623be46db3bafe8eb224ba84e7dfb3127f37b900b669a3eafc5a19f409921
f43ec67b5158f58273a216cbc49003c55b8f0e6316a3390823348924e38507be
13362eb5bba08696533b5e3196ca0700ace9291e8f5a969c3c1b83d4d0e4667c
0740e382a0c41661aefbd38aa819fa21bc2c14a2cffc6209b361d07dae5cee3d
713114d1dcb9d12994f1cfcb7cc765283cff3f2242ee57cdf15e849e15213a0b
4365d53513b910bfea66669db212ec18f2ba9ab2cf461d140fe42a61b8f0e7e2
63bc8623223491c6337ffed73a4435dd5c5d61576ebb34d465708fdf5d9d9dcd
SH256 hash:
31a6f2f0d3d503cabf02e31fee5edab37f32c97360f9204654130ab98f5143b6
MD5 hash:
be108727bbee85202d678cff28cc598d
SHA1 hash:
5ad8b062685df7f18da8c5cc0209f25f37997ad3
Link:
https://www.unpac.me/results/54d1003d-74b8-4d23-a42e-255be0c73a8c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/31a6f2f0d3d5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/31a6f2f0d3d503cabf02e31fee5edab37f32c97360f9204654130ab98f5143b6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/262772/

Comments