MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43cc420597e97eb969e5fdc74282358168629f1c6ed9ddb385e000d17ec64a5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 9

SHA256 hash: 43cc420597e97eb969e5fdc74282358168629f1c6ed9ddb385e000d17ec64a5a
SHA3-384 hash: 89199daf239e1c0246363e0d775ed7e08d2826e620111808a16cabb45b52c6d038bf2e40660c37a9ef294b0cf4474822
SHA1 hash: 9b3a4862ee021b35bf284640013b7679a0219946
MD5 hash: 82ccaeb12a02d7525eb54bbc12615078
humanhash: kilo-seven-friend-burger
File name: Document.exe
Signature: RemcosRAT
File size: 766'464 bytes
First seen: 2021-09-01 18:20:35 UTC
Last seen: 2021-09-05 08:58:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ee4f103a4bbb8328057c2211d7594d0a (2 x RemcosRAT)
ssdeep: 12288:uEkuPF5S618CS6qkVdQOHvDc9aGKqa/ykXKQcj2SKI:uE/HS61uyswGKqXkzcR
Threatray: 945 similar samples on MalwareBazaar
TLSH: T1FAF47C15E7D1CCBEE0A528B45C6F63688C3CBD923E28549A1EE43D6C9F3E6E11714227
dhash icon: daebe9240804a462 (7 x RemcosRAT, 1 x Formbook, 1 x AveMariaRAT)
Reporter: GovCERT_CH
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads: 2
# of downloads: 207
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Document.exe
Verdict: Malicious activity
Analysis date: 2021-09-01 18:22:33 UTC
Tags: rat remcos keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Unauthorized injection to a system process
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 476014; sample: Document.exe; start date: 01/09/2021; architecture: WINDOWS; score: 100)

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Detected Remcos RAT; 5 other signatures

Process tree (each process with its child processes, DNS/IP contacts and triggered signatures):
  Document.exe (started)
    DNS: phcprg.dm.files.1drv.com, onedrive.live.com, dm-files.fe.1drv.com
    Signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    secinit.exe (started)
      Network: lindron.ddns.net 193.187.90.38, ports 2404, 49719 (OBE-EUROPE Obenetwork Europe SE, Sweden)
      Signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies; Delayed program exit found
    cmd.exe (started)
      reg.exe (started)
        conhost.exe (started)
      conhost.exe (started)
    cmd.exe (started)
      cmd.exe (started)
        conhost.exe (started)
      conhost.exe (started)
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2021-09-01 18:21:05 UTC
AV detection: 13 of 28 (46.43%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost rat

Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory

Remcos

Malware Config
C2 Extraction:
lindron.ddns.net:2404
lindron1.ddns.net:2404
lindron2.ddns.net:2404
Unpacked files

SHA256 hash: 99b0762d826eceabff965fd4236f6c5770f87806045f6bb82fb7a30e1bdd6092
MD5 hash: 4aeeced1cdeff63c6eba363b22e2cbd6
SHA1 hash: 3fc45edb48b1a105c2285e826ab5ffc68f8adcca

SHA256 hash: 4e1202f3e7e04b0b3ca1df164bf5381f24063c142317e774d4e5d88b2b3ac744
MD5 hash: aa23dee2c34813d67fe9c67ec784782a
SHA1 hash: 10b2e7af7cb9d6f852e6d607875a8c9613538930

SHA256 hash: 43cc420597e97eb969e5fdc74282358168629f1c6ed9ddb385e000d17ec64a5a
MD5 hash: 82ccaeb12a02d7525eb54bbc12615078
SHA1 hash: 9b3a4862ee021b35bf284640013b7679a0219946
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  RemcosRAT
    Executable exe 43cc420597e97eb969e5fdc74282358168629f1c6ed9ddb385e000d17ec64a5a (this sample)

Dropped by: RemcosRAT
Delivery method: Distributed via e-mail attachment

Comments