MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38da1c4dabd3275256a93bc7321267979802c35ec2cbd1ecef7a5ad18a61afad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38da1c4dabd3275256a93bc7321267979802c35ec2cbd1ecef7a5ad18a61afad
SHA3-384 hash: 6fee6626baf7f33bf8a74ff036e897e24205eeb8ba21a254086e74db0f335e856da5f75bd2aa792c918a32e26b6e6115
SHA1 hash: bfd55c4fc230dcee8d5191adb30aef019f13902e
MD5 hash: 68ec9baed33ba11a575f955963e9e7fe
humanhash: sad-stairway-diet-winter
File name:68ec9baed33ba11a575f955963e9e7fe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'371'136 bytes
First seen:2021-08-16 22:01:07 UTC
Last seen:2021-08-30 07:19:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0502db06ce2121af54f791df4affcc47 (1 x RemcosRAT)
ssdeep 24576:oPW9bd22szK2K7DawFENSgbytkj3VzlAYSnHOslvX3:oAx2BNNbytkj7WJ
Threatray 435 similar samples on MalwareBazaar
TLSH T17C558E33F2935437C13E2A39BC36625558297E102924788A3BE52FF85FFA6813B251D7
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179753/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.22881.12444.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Running batch commands
Setting a keyboard event handler
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/403eebaa-76a1-48d9-bf3c-2ccd6ad1a00a
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833919
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 466347 Sample: BrgZPo24Wj Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->38 40 7 other signatures 2->40 8 BrgZPo24Wj.exe 4 5 2->8         started        12 Dguiter.exe 2->12         started        14 Dguiter.exe 2->14         started        process3 file4 26 C:\Users\user\AppData\Roaming\...\Dguiter.exe, PE32 8->26 dropped 28 C:\Users\user\...\Dguiter.exe:Zone.Identifier, ASCII 8->28 dropped 30 C:\Users\user\AppData\Local\...\install.vbs, data 8->30 dropped 50 Detected unpacking (changes PE section rights) 8->50 52 Detected unpacking (overwrites its own PE header) 8->52 54 Contains functionality to inject code into remote processes 8->54 56 2 other signatures 8->56 16 wscript.exe 1 8->16         started        signatures5 process6 process7 18 cmd.exe 1 16->18         started        process8 20 Dguiter.exe 2 3 18->20         started        24 conhost.exe 18->24         started        dnsIp9 32 185.215.113.102, 2404, 49717 WHOLESALECONNECTIONSNL Portugal 20->32 42 Multi AV Scanner detection for dropped file 20->42 44 Detected unpacking (changes PE section rights) 20->44 46 Detected unpacking (overwrites its own PE header) 20->46 48 5 other signatures 20->48 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38da1c4dabd3275256a93bc7321267979802c35ec2cbd1ecef7a5ad18a61afad/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 18:07:07 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdnbytnl2mtvevvjhpdteeths6mafq26ylf5d3hppjnndctbv6wq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b71fa3fa8549d6a826faaeb1be86b5f866242f35afdb0c0bc7a8ba6c35981e7
RemcosRAT
134427c58b0e1acd504b9f8980bfa29a808a27216adb1999e8dbc4a3fe2b0031
RemcosRAT
4e4463e40d78f3eb63012ed1f3aa7727d98ff68fc9c7b69cf6c0f482c9483476
RemcosRAT
62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136
RemcosRAT
643d70b162fbca24123f8c5ad6bab6fb1aa6166fb66a414910a5b78bd68320cf
RemcosRAT
6761993e603b7084d87c6abe972c61d7129a11a60bc1ef564971f183b66e6ae8
RemcosRAT
b2beeab94f7cbc38143e2a050c263476419bb48d2ec37470df5b1ee0da812f50
RemcosRAT
b9b1a3245f7aa2f9fadc4cff8343866030a63f297167df00ca0aa4284f453be1
RemcosRAT
d4d30acde6fa4db431b90817911b44d21c65fc1fa72744625bccafe3899869bc
RemcosRAT
+ 425 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/210816-zdanzd963s/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
185.215.113.102:2404
Unpacked files
SH256 hash:
b04f5f3dfb5f35a54085ecbbe58b723e84b788fcfee06dcb653a8abdf049dbf4
MD5 hash:
84ed75e502b6ad0be5fc254abde2a46a
SHA1 hash:
ea0137740062d59e572ea1888a17eaf39068af8a
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/96f5df8e-d4f2-4c15-a68c-a6c8a2eca36c/
SH256 hash:
38da1c4dabd3275256a93bc7321267979802c35ec2cbd1ecef7a5ad18a61afad
MD5 hash:
68ec9baed33ba11a575f955963e9e7fe
SHA1 hash:
bfd55c4fc230dcee8d5191adb30aef019f13902e
Link:
https://www.unpac.me/results/96f5df8e-d4f2-4c15-a68c-a6c8a2eca36c/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/38da1c4dabd3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38da1c4dabd3275256a93bc7321267979802c35ec2cbd1ecef7a5ad18a61afad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 38da1c4dabd3275256a93bc7321267979802c35ec2cbd1ecef7a5ad18a61afad

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1540035/
Cape
Cape
https://www.capesandbox.com/analysis/179753/

Comments


Avatar
zbet commented on 2021-08-16 22:01:08 UTC

url : hxxp://185.215.113.102/Ryert.exe