MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fcc98cda3b1b88eea1619bea29091902d8e9fee91040d3a335215d14bd68bbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fcc98cda3b1b88eea1619bea29091902d8e9fee91040d3a335215d14bd68bbf
SHA3-384 hash: d4a4b90b0154d21d36504b1847b5902f20d6ae70b1f4ee503d173ee045136137205c4770f9a58fe05ad3270f01ce36bf
SHA1 hash: 97b14925b0832e5397d4a5a6e0822a456402a224
MD5 hash: 306d49749218ce3809c772f47feec302
humanhash: mango-item-kentucky-aspen
File name:حمل و نقل DHL _ 119040 اسناد تحویل.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:914'432 bytes
First seen:2021-10-02 06:59:54 UTC
Last seen:2021-10-04 06:11:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e28e7623fc562c080a8912e7dcd203b0 (3 x RemcosRAT, 1 x Formbook)
ssdeep 12288:8yZ9wV/AHhLB8ncBBHpeNwoCoicmuYyqq606/B6O90Oe6jkOGbGS:fbwoP8ncbHpeNwoOc/Yyqq6nPjG
Threatray 890 similar samples on MalwareBazaar
TLSH T182154B576EE05D77C26504BC88C9CBF17038BE2B6D198426BBBA0DBC5F2B3213569613
File icon (PE):PE icon
dhash icon 88c7ce3cbddc2f31 (24 x RemcosRAT, 12 x Formbook, 8 x Loki)
Reporter abuse_ch
Tags:DHL exe geo IRN RAT RemcosRAT

Intelligence

File Origin
# of uploads :
4
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
حمل و نقل DHL _ 119040 اسناد تحویل.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-02 07:03:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a1f42fb4-07f7-4954-8a87-6f6235789708

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194133/
Detection(s):
SecuriteInfo.com.UDS.Backdoor.Win32.Remcos.gen.9246.25173.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching the default Windows debugger (dwwin.exe)
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/055a02bc-6ddd-43a0-99c6-b4e30f43f76b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863087
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 495511 Sample: cc#U0644.exe Startdate: 02/10/2021 Architecture: WINDOWS Score: 100 44 ongod4ever.ddns.net 2->44 70 Malicious sample detected (through community Yara rule) 2->70 72 Detected Remcos RAT 2->72 74 Yara detected Remcos RAT 2->74 76 Uses dynamic DNS services 2->76 9 Djdmnmq.exe 14 2->9         started        13 cc#U0644.exe 1 23 2->13         started        16 Djdmnmq.exe 17 2->16         started        signatures3 process4 dnsIp5 48 sn-files.fe.1drv.com 9->48 56 2 other IPs or domains 9->56 78 Writes to foreign memory regions 9->78 80 Allocates memory in foreign processes 9->80 82 Creates a thread in another existing process (thread injection) 9->82 18 DpiScaling.exe 9->18         started        50 sn-files.fe.1drv.com 13->50 58 2 other IPs or domains 13->58 42 C:\Users\Public\Libraries\...\Djdmnmq.exe, PE32 13->42 dropped 84 Injects a PE file into a foreign processes 13->84 21 mobsync.exe 2 13->21         started        24 cmd.exe 1 13->24         started        26 cmd.exe 1 13->26         started        52 192.168.2.1 unknown unknown 16->52 54 sn-files.fe.1drv.com 16->54 60 2 other IPs or domains 16->60 28 secinit.exe 16->28         started        file6 signatures7 process8 dnsIp9 62 Contains functionality to steal Chrome passwords or cookies 18->62 64 Contains functionality to inject code into remote processes 18->64 66 Contains functionality to steal Firefox passwords or cookies 18->66 46 ongod4ever.ddns.net 194.147.140.21, 49757, 49758, 49761 PTPEU unknown 21->46 68 Delayed program exit found 21->68 30 reg.exe 1 24->30         started        32 conhost.exe 24->32         started        34 cmd.exe 1 26->34         started        36 conhost.exe 26->36         started        signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3fcc98cda3b1b88eea1619bea29091902d8e9fee91040d3a335215d14bd68bbf/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-10-02 07:00:11 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h7gjrtndwg4i52qwdg7kfeersawy5h7oseca2ortkik5cs6wro7q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
078025707e0069438637644d4b57c0ab3f20c21fc738117589b15716d4e429d5
RemcosRAT
1974f2f3c94bc79af6872802cae45f9113ce6b708635930a77aa73db92898852
RemcosRAT
41ed87725575a97d3f1a04554cb78dd3fb973e209950d2f7c54168626ce57ef4
RemcosRAT
4a84faebc419ed0cddbc9e37b337a3090a01051d3ed7d1650c2845369b9a1d63
RemcosRAT
53c2e53d33f80e88b16cce06621f99680e0e5f387315cb81af97cee58080165a
RemcosRAT
6b4a57c6eb6a005e9641a19c161334890128dfd6b15477f1add890041b7c8bf8
RemcosRAT
aa5c39997004aa4812c18e151a5bfd5d2fda4a380c8d1f34111cafcee955dcff
RemcosRAT
ad9f923641c74fc714114423f52d1ef7d1de87e5c40c46377f2718532c0848ae
RemcosRAT
db2b53d49bd5464be6cb3d4492094e8c0b7c3a7cc87b6a2a3f57d30fb3454d1c
RemcosRAT
+ 880 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211002-hsn56adhd3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703
MD5 hash:
6cfdeebc3c72279486ddd229eb14b009
SHA1 hash:
e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7
Link:
https://www.unpac.me/results/9be072ca-a88c-4d3b-a09c-43c877603851/
SH256 hash:
3fcc98cda3b1b88eea1619bea29091902d8e9fee91040d3a335215d14bd68bbf
MD5 hash:
306d49749218ce3809c772f47feec302
SHA1 hash:
97b14925b0832e5397d4a5a6e0822a456402a224
Link:
https://www.unpac.me/results/9be072ca-a88c-4d3b-a09c-43c877603851/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3fcc98cda3b1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3fcc98cda3b1b88eea1619bea29091902d8e9fee91040d3a335215d14bd68bbf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194133/

Comments