MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33b1629dc01123f78d568c7638f33ca6619834daad9866f666c00062920b13da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33b1629dc01123f78d568c7638f33ca6619834daad9866f666c00062920b13da
SHA3-384 hash: ee4618dd9eb592f400edde2a782dbb52802dc0585e83f1bb64ad63d41ec4ddabb0c44ffc3faf6c1246ec89f39cf3c96c
SHA1 hash: 65d757d89b60b5545acbf8589c751d0845092ded
MD5 hash: af64a7df92d3f72407194dd17b013c86
humanhash: leopard-kentucky-potato-mountain
File name:BoFA Remittance Advice-2021207.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:827'392 bytes
First seen:2021-07-20 17:23:24 UTC
Last seen:2021-07-20 17:50:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 25123f7d748b46edefb4a7db9e8db89d (3 x RemcosRAT, 1 x AveMariaRAT, 1 x BitRAT)
ssdeep 12288:4szqT1gEnXaAbWRBOQW/xgYwRTtIvsECmW6l4l1G2YaNlRSsM7/Ssdpk6dz:4sOOSaAbWPOQWZ6ltIvy2AfSF764z
Threatray 290 similar samples on MalwareBazaar
TLSH T18F05AE51E2819937D133963CEC1B9779282E7D932D28B8C377FA6C1C6F2A2807D35196
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BoFA Remittance Advice-2021207.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-20 17:26:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4fb8dde0-f559-4907-916b-f7dd5194fa46

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172875/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.24689.22435.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22073acd-378d-4bff-af88-8a2aac88c447
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819131
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451537 Sample: BoFA Remittance Advice-2021... Startdate: 20/07/2021 Architecture: WINDOWS Score: 100 71 Multi AV Scanner detection for domain / URL 2->71 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 8 other signatures 2->77 8 BoFA Remittance Advice-2021207.exe 1 24 2->8         started        13 Kxojjlw.exe 13 2->13         started        15 Kxojjlw.exe 13 2->15         started        process3 dnsIp4 59 cdn.discordapp.com 162.159.130.233, 443, 49727, 49728 CLOUDFLARENETUS United States 8->59 55 C:\Users\Public\Libraries\...\Kxojjlw.exe, PE32 8->55 dropped 87 Writes to foreign memory regions 8->87 89 Allocates memory in foreign processes 8->89 91 Creates a thread in another existing process (thread injection) 8->91 17 DpiScaling.exe 5 4 8->17         started        22 wermgr.exe 4 8->22         started        24 cmd.exe 1 8->24         started        30 2 other processes 8->30 61 162.159.135.233, 443, 49740 CLOUDFLARENETUS United States 13->61 93 Injects a PE file into a foreign processes 13->93 26 dialer.exe 13->26         started        63 192.168.2.1 unknown unknown 15->63 28 mobsync.exe 15->28         started        file5 signatures6 process7 dnsIp8 57 twistednerd.dvrlists.com 213.152.187.215, 41078, 49735, 49736 GLOBALLAYERNL Netherlands 17->57 53 C:\Users\user\...\abqsiruororqsamekxsuab.vbs, data 17->53 dropped 79 Contains functionality to steal Chrome passwords or cookies 17->79 81 Contains functionality to inject code into remote processes 17->81 83 Contains functionality to steal Firefox passwords or cookies 17->83 85 2 other signatures 17->85 32 DpiScaling.exe 22->32         started        35 DpiScaling.exe 13 22->35         started        37 DpiScaling.exe 22->37         started        39 wscript.exe 22->39         started        41 reg.exe 1 24->41         started        43 conhost.exe 24->43         started        45 cmd.exe 1 30->45         started        47 conhost.exe 30->47         started        file9 signatures10 process11 signatures12 65 Tries to steal Instant Messenger accounts or passwords 32->65 67 Tries to steal Mail credentials (via file access) 32->67 69 Tries to harvest and steal browser information (history, passwords, etc) 35->69 49 conhost.exe 41->49         started        51 conhost.exe 45->51         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33b1629dc01123f78d568c7638f33ca6619834daad9866f666c00062920b13da/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-20 17:23:12 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
5 of 28 (17.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=goywfhoacer7pdkwrr3dr4z4uzqzqng2vwmgn5tgyaagfeqlcpna._file
Verdict:
malicious
Similar samples:
0789e8d80d058cc3283d3041953b057ccf252b882630982b85786081a5cd5df0
RemcosRAT
4757d64431cbf911d9a6cc5b1cd96ee7f733dd0eb05c41f1fa100ba3d354d4a5
RemcosRAT
6b4a57c6eb6a005e9641a19c161334890128dfd6b15477f1add890041b7c8bf8
RemcosRAT
7162fc24e700f042d19b8f08a42c91bfae05f2a08c66df2bb4cb3d8e8635e475
RemcosRAT
99e69a8f20885bef44503976b29f58ae65f5737bf2948da5d04fd873c70634a6
RemcosRAT
9b795b925c16454a770214d5ef56ee695a5f562498d4d276cf160fbc13162c15
RemcosRAT
c26154711ca9d9d48de370f242deb560bd0b99a0c8f12a2d1db5d4cd6e25d107
RemcosRAT
c65e9659dc7d97331803b2137d4d7e0a47869eca75d718ea9f92397dcd68eb55
RemcosRAT
ef4fb21fec01aa193370b1ac7551aa759765b4e289f781b67d762e61335c7e41
RemcosRAT
fff4247394bb0e5f9ad20e8c3f00903a82562ae9eecf701447914bd744b0e61c
RemcosRAT
+ 280 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:wolf persistence rat
Link:
https://tria.ge/reports/210720-95tnaxy9yn/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
twistednerd.dvrlists.com:41078
Unpacked files
SH256 hash:
3c89381eb5d9bc9b2cc8835190944650d0fab08f3f5bd80e7d60c805c34f85a3
MD5 hash:
046256d9fc63f3f656d8a381e787ccdd
SHA1 hash:
d60bbe23be14e9acd5d9f718ce5686dbcf65e518
Link:
https://www.unpac.me/results/f66a4a13-f13d-4fa4-bb93-2e8a9f27b7b1/
SH256 hash:
33b1629dc01123f78d568c7638f33ca6619834daad9866f666c00062920b13da
MD5 hash:
af64a7df92d3f72407194dd17b013c86
SHA1 hash:
65d757d89b60b5545acbf8589c751d0845092ded
Link:
https://www.unpac.me/results/f66a4a13-f13d-4fa4-bb93-2e8a9f27b7b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33b1629dc01123f78d568c7638f33ca6619834daad9866f666c00062920b13da

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/172875/
  
URLhaus
https://urlhaus.abuse.ch/url/1469289/

Comments