MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4367214e711a4e335c0ad9cf6b186e835b5e34ffcec7468ffa3afdd68dac0403. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4367214e711a4e335c0ad9cf6b186e835b5e34ffcec7468ffa3afdd68dac0403
SHA3-384 hash: c6443e5980118ca90f2cba4ee564ac5e87201db53932a21302eddd149735570aaeb3d906568aff8cdffc3fe466885d6e
SHA1 hash: a5e1b8b75a41d0eec829b9f08c2e928dfe1c6dbe
MD5 hash: 641095125f2e7db99cf7a4225db3a949
humanhash: high-thirteen-autumn-sodium
File name:DHL Delivery Document.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'001'472 bytes
First seen:2023-08-01 10:42:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:x+uieYmQ37CZaXudAXJq4E7AMUSrCfyLqlrVeHd8bfM:x+uHYmw7CZEKA5ZYzql08bU
Threatray 2'344 similar samples on MalwareBazaar
TLSH T1D225233115B4D74ADE2E0B7E0870211813B16AA77A35DBBF0FC5B6C66E397460B096F2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e2e29a86e6ea8686 (13 x AgentTesla, 5 x Formbook, 2 x Loki)
Reporter abuse_ch
Tags:DHL exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
DHL Delivery Document.exe
Verdict:
Malicious activity
Analysis date:
2023-08-01 10:43:08 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/68465495-50b4-4713-b668-2212bfb03831

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439538/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68454749.26713.26154.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64c8e1bb3d0bb8484a8a3574/reports/eabf3f83-004a-49d2-8d23-3a3f8854b376/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4367214e711a4e335c0ad9cf6b186e835b5e34ffcec7468ffa3afdd68dac0403
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/778651c0-17aa-4445-a49a-cd441a84c237
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1283620
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1283620 Sample: DHL_Delivery_Document.exe Startdate: 01/08/2023 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 9 other signatures 2->54 7 UZAaSsigqrFPyy.exe 5 2->7         started        10 DHL_Delivery_Document.exe 7 2->10         started        process3 file4 58 Multi AV Scanner detection for dropped file 7->58 60 Contains functionality to bypass UAC (CMSTPLUA) 7->60 62 Contains functionalty to change the wallpaper 7->62 70 5 other signatures 7->70 13 schtasks.exe 1 7->13         started        15 UZAaSsigqrFPyy.exe 7->15         started        38 C:\Users\user\AppData\...\UZAaSsigqrFPyy.exe, PE32 10->38 dropped 40 C:\...\UZAaSsigqrFPyy.exe:Zone.Identifier, ASCII 10->40 dropped 42 C:\Users\user\AppData\Local\...\tmp2CF5.tmp, XML 10->42 dropped 44 C:\Users\...\DHL_Delivery_Document.exe.log, ASCII 10->44 dropped 64 Uses schtasks.exe or at.exe to add and modify task schedules 10->64 66 Adds a directory exclusion to Windows Defender 10->66 68 Injects a PE file into a foreign processes 10->68 17 DHL_Delivery_Document.exe 3 2 10->17         started        22 powershell.exe 23 10->22         started        24 powershell.exe 20 10->24         started        26 2 other processes 10->26 signatures5 process6 dnsIp7 28 conhost.exe 13->28         started        46 51.75.209.245, 2404 OVHFR France 17->46 36 C:\ProgramData\remcos\logs.dat, data 17->36 dropped 56 Installs a global keyboard hook 17->56 30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        file8 signatures9 process10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4367214e711a4e335c0ad9cf6b186e835b5e34ffcec7468ffa3afdd68dac0403/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-31 14:15:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=intscttrdjhdgxak3hhwwgdoqnnv4nh7z3dund72hl65ndnmaqbq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2d12bedd8d6cee6c6fbee5ccb9d7dd25fc6693d9d6a7a0207104f94b681b55aa
RemcosRAT
3ddab0e4f018293bc930fb5a635c471074af3cce36801955d938d3eae8a5c737
RemcosRAT
4400353ebbbd72f1a260b3021c48fa67439ec6accd01ecd27ada202052f27391
RemcosRAT
4a23b3a3cc728ab547f5f3f5149f70242187b45aefa26c5f5663f8cbabeb2330
RemcosRAT
5e95168687b15de3724b3c8240c0b40cdb61c75b440d11a7fa72c2b247c920ae
RemcosRAT
9b41e719470475dfacf64f42d8d8001d90cf442213fdf0e19ad5cd86d9742810
RemcosRAT
a0ebf0e5b7ddce607d73f58a9a3a676bc9cc4645bb1918c8ded7d287fd2275b9
RemcosRAT
c06b82a4003da0da508dbad0b63fad050682b8490aefa104f4f9f016abb60fb6
RemcosRAT
d81a0fe47c7cc9fdba1c13c2aa4f0372579f4c9ac51e16b7384da4b19c7c26a0
RemcosRAT
+ 2'334 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230801-mr9gxsgd5s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
51.75.209.245:2404
Unpacked files
SH256 hash:
59c4c36c090328c7e5d0d05294143d5bcc34befb252f360025b29437158d43d4
MD5 hash:
9e7497b825f478a86584b44260e08004
SHA1 hash:
be364d69bc7f412c7cb09a702fa3afb1875be6a5
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/39830ab7-9d37-404c-8dfb-18d4a9589ac3/
Parent samples :
9b41e719470475dfacf64f42d8d8001d90cf442213fdf0e19ad5cd86d9742810
19b06353bd2b915f4fa9b30599477954534bfd37400c511d0868227044163e45
a0ebf0e5b7ddce607d73f58a9a3a676bc9cc4645bb1918c8ded7d287fd2275b9
48fb43de46240bb31eb2e76cf6302d3ba008de77319692a326c0f684b4923a06
4367214e711a4e335c0ad9cf6b186e835b5e34ffcec7468ffa3afdd68dac0403
SH256 hash:
c8264560c6b6f50045b32f6c6acbcf9a2a5ae4a6a9e9fd62a5930b3800441e39
MD5 hash:
682a04f4987cb4f7679530ea59aac46e
SHA1 hash:
aa26f01c49a6a09632ebb7a8878ff9b8cbdedec6
Link:
https://www.unpac.me/results/39830ab7-9d37-404c-8dfb-18d4a9589ac3/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/39830ab7-9d37-404c-8dfb-18d4a9589ac3/
SH256 hash:
6cf753f40707113e2cf6480ac327d6187b439aaee539138c4faa10fb90d042ed
MD5 hash:
4f39797f58b1f8f82f852753ba64c86d
SHA1 hash:
8157432fa57845220b15100ca7132b58a221d56e
Link:
https://www.unpac.me/results/39830ab7-9d37-404c-8dfb-18d4a9589ac3/
SH256 hash:
4367214e711a4e335c0ad9cf6b186e835b5e34ffcec7468ffa3afdd68dac0403
MD5 hash:
641095125f2e7db99cf7a4225db3a949
SHA1 hash:
a5e1b8b75a41d0eec829b9f08c2e928dfe1c6dbe
Link:
https://www.unpac.me/results/39830ab7-9d37-404c-8dfb-18d4a9589ac3/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4367214e711a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4367214e711a4e335c0ad9cf6b186e835b5e34ffcec7468ffa3afdd68dac0403

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 4367214e711a4e335c0ad9cf6b186e835b5e34ffcec7468ffa3afdd68dac0403

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/439538/

Comments