MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3880fb052955a0a189467378cdfa76b830a23417a89265eb347918a99ca3ca65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3880fb052955a0a189467378cdfa76b830a23417a89265eb347918a99ca3ca65
SHA3-384 hash: d49f0178e547db82c5f5c038bbce72ec5ef3906b0fab17e788931665fc5052f0ecb1b132a81dbc3c8eeeae9831c3fdf2
SHA1 hash: 003a786139917002fb8d1981de45b36f8b4e3217
MD5 hash: 5de7b366c68ca0c16a8a533fe1c92955
humanhash: eight-eleven-angel-juliet
File name:SecuriteInfo.com.W32.AIDetect.malware2.21391.16059
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'233'920 bytes
First seen:2022-06-01 15:38:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a8107f66db7a95bce5316821c061ae46 (2 x RemcosRAT, 2 x FormBook)
ssdeep 24576:kW0QEAAFfSLYzN6yD5xhxujQtVSn52bD/MMOd/QLklafc2m9xlG:zEfO4vSn52jOdF4k9xl
TLSH T1C045C021F3908637D3335B345C6B96A99C25BE313D68AC4A7AFD2D4C5F3A3417928293
TrID 52.2% (.OCX) Windows ActiveX control (116521/4/18)
19.3% (.EXE) InstallShield setup (43053/19/16)
6.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
5.8% (.SCR) Windows screen saver (13101/52/3)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon e0e4a3a6a4b8b8a8 (37 x Formbook, 9 x AZORult, 9 x Loki)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
370
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware2.21391.16059
Verdict:
Malicious activity
Analysis date:
2022-06-01 16:01:52 UTC
Tags:
installer rat remcos keylogger
Link:
https://app.any.run/tasks/7fbc6dfb-4f17-4eac-9ef3-22b40937bbf6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/276132/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.21391.16059.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2dc182ba-f388-4a63-832b-40a2c2d5ca49
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1005190
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 637682 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 01/06/2022 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for domain / URL 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 6 other signatures 2->59 8 SecuriteInfo.com.W32.AIDetect.malware2.21391.exe 1 22 2->8         started        13 Dmdsmkveoy.exe 14 2->13         started        15 Dmdsmkveoy.exe 17 2->15         started        process3 dnsIp4 39 onedrive.live.com 8->39 47 2 other IPs or domains 8->47 33 C:\Users\Public\Libraries\Dmdsmkveoy.exe, PE32 8->33 dropped 35 C:\Users\...\Dmdsmkveoy.exe:Zone.Identifier, ASCII 8->35 dropped 69 Writes to foreign memory regions 8->69 71 Creates a thread in another existing process (thread injection) 8->71 73 Injects a PE file into a foreign processes 8->73 17 DpiScaling.exe 2 2 8->17         started        21 cmd.exe 1 8->21         started        41 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49804, 49815 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 13->41 49 3 other IPs or domains 13->49 75 Antivirus detection for dropped file 13->75 77 Multi AV Scanner detection for dropped file 13->77 79 Allocates memory in foreign processes 13->79 23 DpiScaling.exe 13->23         started        43 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49829, 49838 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->43 45 192.168.2.1 unknown unknown 15->45 51 3 other IPs or domains 15->51 25 DpiScaling.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 stopeet.camdvr.org 45.133.174.187, 2404, 49785 ASBLANKPROXIESGB United Kingdom 17->37 61 Contains functionality to steal Chrome passwords or cookies 17->61 63 Contains functionality to inject code into remote processes 17->63 65 Contains functionality to steal Firefox passwords or cookies 17->65 67 Delayed program exit found 17->67 27 cmd.exe 1 21->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3880fb052955a0a189467378cdfa76b830a23417a89265eb347918a99ca3ca65/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-06-01 15:39:16 UTC
File Type:
PE (Exe)
Extracted files:
83
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hcapwbjjkwqkdckgon4m36twxaykenaxvcjgl2zupemkthfdzjsq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/220601-s3lswsheb6/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
stopeet.camdvr.org:2404
amalar.camdvr.org:2404
prosir.casacam.net:2404
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/a033a128-370b-4895-90ef-682bba0ad3dd/
SH256 hash:
3880fb052955a0a189467378cdfa76b830a23417a89265eb347918a99ca3ca65
MD5 hash:
5de7b366c68ca0c16a8a533fe1c92955
SHA1 hash:
003a786139917002fb8d1981de45b36f8b4e3217
Link:
https://www.unpac.me/results/a033a128-370b-4895-90ef-682bba0ad3dd/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3880fb052955/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3880fb052955a0a189467378cdfa76b830a23417a89265eb347918a99ca3ca65

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/276132/

Comments