MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b103382dedb2748d8164a7ecccde2dee2e81a10b9672d88ce1a8160d4b92e7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b103382dedb2748d8164a7ecccde2dee2e81a10b9672d88ce1a8160d4b92e7e
SHA3-384 hash: e166cd1fdee987627866eb04cbef5812e4fe135ded16473328246e10ee6094d0503e104972d3ed1346d76245eb66649e
SHA1 hash: 1dcf16ed57ed7ed334c9c5bd47e45c1191bd07fc
MD5 hash: 09a7253465cbb84acd5ccbe801144b6e
humanhash: virginia-sink-lithium-arizona
File name:INV.DHL202038658530 ,PDF.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'008'128 bytes
First seen:2021-09-22 08:54:04 UTC
Last seen:2021-09-22 10:03:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 91a12f22e7f2305a107edddf42c40880 (4 x RemcosRAT, 2 x Formbook, 1 x NetWire)
ssdeep 12288:MYeqaTWvI8UhU0EIp3Cx4Dt9eoAdrL7mSI:MYpa+qUH2y42rPg
Threatray 60 similar samples on MalwareBazaar
TLSH T18E256DF57345D8F6DD14363EDA05B2A63201B7F12C531C88ADB83D8A56B9A94FB8C087
File icon (PE):PE icon
dhash icon b670390284e2da70 (14 x Formbook, 3 x RemcosRAT, 3 x AveMariaRAT)
Reporter abuse_ch
Tags:DHL exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INV.DHL202038658530 ,PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-09-22 08:55:29 UTC
Tags:
installer trojan rat remcos
Link:
https://app.any.run/tasks/3518b56c-9514-4d92-b170-4acacddc89f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190111/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.1074.390.UNOFFICIAL
Create hunting rule

Win.Trojan.Zusy-9895656-0
Create hunting rule

Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82de278f-9853-45a4-b544-61e06c5b99ce
Result
Threat name:
Remcos DBatLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855447
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 487875 Sample: INV.DHL202038658530 ,PDF.exe Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 62 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 6 other signatures 2->68 7 INV.DHL202038658530 ,PDF.exe 1 17 2->7         started        12 Cnpnekr.exe 15 2->12         started        14 Cnpnekr.exe 15 2->14         started        process3 dnsIp4 38 qupgdw.db.files.1drv.com 7->38 40 onedrive.live.com 7->40 42 db-files.fe.1drv.com 7->42 34 C:\Users\Public\Libraries\...\Cnpnekr.exe, PE32 7->34 dropped 76 Writes to foreign memory regions 7->76 78 Creates a thread in another existing process (thread injection) 7->78 80 Injects a PE file into a foreign processes 7->80 16 DpiScaling.exe 2 7->16         started        44 qupgdw.db.files.1drv.com 12->44 48 2 other IPs or domains 12->48 82 Machine Learning detection for dropped file 12->82 20 mobsync.exe 12->20         started        46 qupgdw.db.files.1drv.com 14->46 50 2 other IPs or domains 14->50 22 DpiScaling.exe 14->22         started        file5 signatures6 process7 dnsIp8 36 vegospupm.ddns.net 194.147.140.13, 49752, 49767, 49802 PTPEU unknown 16->36 54 Contains functionality to inject code into remote processes 16->54 56 Contains functionality to steal Firefox passwords or cookies 16->56 58 Injects a PE file into a foreign processes 16->58 60 Delayed program exit found 16->60 24 DpiScaling.exe 1 16->24         started        27 DpiScaling.exe 1 16->27         started        29 DpiScaling.exe 2 16->29         started        32 3 other processes 16->32 signatures9 process10 dnsIp11 70 Tries to steal Instant Messenger accounts or passwords 24->70 72 Tries to steal Mail credentials (via file access) 24->72 52 192.168.2.1 unknown unknown 29->52 74 Tries to harvest and steal browser information (history, passwords, etc) 29->74 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b103382dedb2748d8164a7ecccde2dee2e81a10b9672d88ce1a8160d4b92e7e/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 08:54:06 UTC
AV detection:
10 of 45 (22.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hmidhaw63mturwawjj7mztpc33roqgqqxfts3cgodkawbvfzfz7a._file
Verdict:
suspicious
Similar samples:
0d182038f62a038b380a4d3c3769d5eb389b08b194b7dce13606252e7e1aff1c
RemcosRAT
4768bc4db58542167ce61a3e0a78bfaa79a3b7dee0b54a587886545ed83a13f7
RemcosRAT
4e1b1d348b5d643308cbefc595c7e3761d79928a45c4b6b9c937d380d135b1c2
RemcosRAT
7df259f7873239aee108522c3efd6fca233db83a268a3c9fad4766994c5a029d
RemcosRAT
9d109cc4f855ab857f7bc081a7bd0e2be2a46d59282970f1a189a019b4467173
RemcosRAT
9d71b356bc7e51729a4726433111be12297dd9403a82cff2e20902944c0af748
RemcosRAT
c5d3c1c7cd8f5545abb3c07b6a5676c1a4979acdcb14e180591a5c36f8cfcebf
RemcosRAT
d21cbbc50e85c872732a119f1c0d567a54cd6a75c512c3bf84baba8a8fbfc97d
RemcosRAT
f4f27e005b5381e5d1eb3d1d95cd4ae5c963c7601934254ebe266f08cfaf78d2
RemcosRAT
+ 50 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:blessings persistence rat
Link:
https://tria.ge/reports/210922-ktwyhacad6/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
vegospupm.ddns.net:5632
Unpacked files
SH256 hash:
9df5839fe41103d241af27c07ec4fce4adfb9129cb57fe6d3fd9a396a750fb49
MD5 hash:
36e70e671e5390c2363ea8803df1c84a
SHA1 hash:
8905d18a2eb8299c800331aee4bbd05afa8f5bcc
Link:
https://www.unpac.me/results/d126f2bf-2619-420e-9ea0-25db90b5542c/
SH256 hash:
3b103382dedb2748d8164a7ecccde2dee2e81a10b9672d88ce1a8160d4b92e7e
MD5 hash:
09a7253465cbb84acd5ccbe801144b6e
SHA1 hash:
1dcf16ed57ed7ed334c9c5bd47e45c1191bd07fc
Link:
https://www.unpac.me/results/d126f2bf-2619-420e-9ea0-25db90b5542c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/3b103382dedb2748d8164a7ecccde2dee2e81a10b9672d88ce1a8160d4b92e7e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190111/

Comments