MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4479f2a8ba10224ab48953c468ece2bf5fcb1ebc3f2546681bbd4de5f5d286dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 9



SHA256 hash: 4479f2a8ba10224ab48953c468ece2bf5fcb1ebc3f2546681bbd4de5f5d286dd
SHA3-384 hash: 3f920327ea4f371a7c741c732088eb0ace98d35e8b621d3665e31e6a751c6375671b2ee640eaaeca2bfc4bde6e66ba91
SHA1 hash: d5f01c7e60aaf990f19218a69c413d9872a91d1a
MD5 hash: a08ca774bbbc6f7f42aa7b4fede272b0
humanhash: orange-kitten-alanine-king
File name: Bett ORDINE URGENT-7683,pdf.exe
Signature: RemcosRAT
File size: 829'440 bytes
First seen: 2021-09-27 13:57:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 206016043cadf3442135e07afc507bba (3 x RemcosRAT, 2 x Formbook, 1 x AveMariaRAT)
ssdeep: 12288:b71aIFXG0LBXveSLxZrJuGmxXQUTcQvPPRK0mQgMM4/YGu1q:bs6RL9veYLrJlIrTtnArHGE
Threatray: 566 similar samples on MalwareBazaar
TLSH: T163057D3BA3508C3EF2B21978ECC5F385711A6C113C599D6E15B43A89B92EBD03D39693
dhash icon: c4dcf8c6d6d0c8d4 (21 x RemcosRAT, 3 x Formbook, 1 x AveMariaRAT)
Reporter: abuse_ch
Tags: exe, RAT, RemcosRAT


abuse_ch
RemcosRAT C2:
185.140.53.15:4336

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
185.140.53.15:4336    https://threatfox.abuse.ch/ioc/227065/

Intelligence

File Origin
# of uploads: 1
# of downloads: 126
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Bett ORDINE URGENT-7683,pdf.exe
Verdict: Suspicious activity
Analysis date: 2021-09-27 14:05:24 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request

Result
Threat name: DBatLoader
Detection: malicious
Classification: troj
Score: 56 / 100
Signature
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID 491724, sample Bett ORDINE URGENT-7683,pdf.exe, start date 27/09/2021, architecture WINDOWS, score 56. Signatures: Multi AV Scanner detection for submitted file; Yara detected DBatLoader. Process tree: Bett ORDINE URGENT-7683,pdf.exe started, contacted prda.aadg.msidentity.com and onedrive.live.com, and started two WerFault.exe processes.]

Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2021-09-24 10:57:04 UTC
AV detection: 20 of 27 (74.07%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash

Unpacked files
SHA256 hash: 18498f5add7c31c1af213a720891708124ce271e4a1f4eef7427ff9ceff44767
MD5 hash: af315fe318bcbca468841006ccc57e0a
SHA1 hash: 9b18984c1d4fcafc7bde26250a937aff6c41a375

SHA256 hash: 4479f2a8ba10224ab48953c468ece2bf5fcb1ebc3f2546681bbd4de5f5d286dd
MD5 hash: a08ca774bbbc6f7f42aa7b4fede272b0
SHA1 hash: d5f01c7e60aaf990f19218a69c413d9872a91d1a

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_RemcosRAT
Author: abuse.ch

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe

Rule name: Remcos
Author: kevoreilly
Description: Remcos Payload

Rule name: remcos_rat
Author: jeFF0Falltrades

Rule name: REMCOS_RAT_variants

File information


The table below shows additional information about this malware sample such as delivery method and external references.
