MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48d05f98dc0e107ca09492b3f4e3728464d8c844870057c0aabc728f0043b2f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48d05f98dc0e107ca09492b3f4e3728464d8c844870057c0aabc728f0043b2f7
SHA3-384 hash: a1fc44087fec7e03fb31932a49298dc28d5c66c5355a140433a786985874c605249f4e9d9d8e7ce68c7797f87a334c30
SHA1 hash: 1b0715a9dd219c178d0106ffe6e50b9e272727ed
MD5 hash: a10faa064c5a43f7112694d4caf46735
humanhash: triple-white-cardinal-victor
File name:DOC112011DHL.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:890'368 bytes
First seen:2022-04-11 17:51:58 UTC
Last seen:2022-04-12 05:26:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ad85a789bab9c50ad5509981ee399258 (2 x RemcosRAT, 1 x ModiLoader)
ssdeep 12288:owf0RGKWyAGKcoYJpedtlQYEZDg8mbUskyPjhLFFh2oZec4qO:oemGK9KcoQctlKNLMVneob
Threatray 8'290 similar samples on MalwareBazaar
TLSH T103159D52B2414E32E87F16798C0B66A99D37BF136D28A7D33BE02D4C7EB52403935297
File icon (PE):PE icon
dhash icon 0c321272b98ca6d9 (12 x Formbook, 7 x RemcosRAT, 5 x DBatLoader)
Reporter abuse_ch
Tags:DHL exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
DOC112011DHL.exe
Verdict:
Malicious activity
Analysis date:
2022-04-11 23:14:53 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/42c1ec5e-f86f-4a42-8462-c468a6d054b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262777/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.31214.27231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13493/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger shell32.dll
Link:
https://www.filescan.io/uploads/62546acceab80a7a6cf9394d/reports/eebd1e75-6495-4a66-89c0-c31efacbe1ed/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af0cf46d-00fe-466a-9155-619f89cf91f3
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/974844
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Program Location with Network Connections
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 607334 Sample: DOC112011DHL.exe Startdate: 11/04/2022 Architecture: WINDOWS Score: 100 59 Multi AV Scanner detection for domain / URL 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 4 other signatures 2->65 8 Zhwjkcm.exe 15 2->8         started        12 DOC112011DHL.exe 1 20 2->12         started        15 Zhwjkcm.exe 17 2->15         started        process3 dnsIp4 39 i-ams02p-cor001.api.p001.1drv.com 13.105.28.32, 443, 49783, 49785 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->39 47 5 other IPs or domains 8->47 67 Multi AV Scanner detection for dropped file 8->67 69 Writes to foreign memory regions 8->69 71 Allocates memory in foreign processes 8->71 17 DpiScaling.exe 8->17         started        41 i-am4p-cor001.api.p001.1drv.com 13.105.66.144, 443, 49775, 49777 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->41 43 tp4vrq.am.files.1drv.com 12->43 49 4 other IPs or domains 12->49 33 C:\Users\Public\Libraries\Zhwjkcm.exe, PE32 12->33 dropped 73 Creates a thread in another existing process (thread injection) 12->73 75 Injects a PE file into a foreign processes 12->75 20 logagent.exe 2 2 12->20         started        23 cmd.exe 1 12->23         started        45 i-am3p-cor006.api.p001.1drv.com 13.104.158.180, 443, 49790, 49792 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->45 51 5 other IPs or domains 15->51 25 logagent.exe 15->25         started        file5 signatures6 process7 dnsIp8 35 generem1.hopto.org 94.46.246.30, 2404, 49781 UKSERVERS-ASUKDedicatedServersHostingandCo-Location United Kingdom 20->35 37 generem2022.hopto.org 20->37 53 Contains functionality to steal Chrome passwords or cookies 20->53 55 Contains functionality to steal Firefox passwords or cookies 20->55 57 Delayed program exit found 20->57 27 cmd.exe 1 23->27         started        29 conhost.exe 23->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48d05f98dc0e107ca09492b3f4e3728464d8c844870057c0aabc728f0043b2f7/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-04-11 16:30:15 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jdif7gg4byihzieuskz7jy3sqrsnrsceq4afpqfkxrzi6acdwl3q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
566804eeaa9725faf35958d6bd0c12ec0715950881d260b6815618fc399f74c5
RemcosRAT
6353828ddb8f70dd9a535d3314ac328b044539563334f093173b86fd96e24707
RemcosRAT
6a4b5aab71a352d6ae6140f99a28b0c38df78a8985b3383f1bc424ca74e046fe
RemcosRAT
83a1ca1bc7363633b8e514a8c2b79ff0e223fc578b0a20e4e088a3daf5424a61
RemcosRAT
99e39ef9a5267ed9790fbef614fa3a0054025c1cb866295e9e320bc95b128280
RemcosRAT
a02d52f23eb9e8a857c9ed01d81e6220e787a1e2838d42c2734e99bc73cff250
RemcosRAT
a1e618daaaa3133d466df43f3b43ff6b095deb8d2c010f5e35e592800eebc87b
RemcosRAT
a3792b703dde1aa5a935183c6696ce91cdea54579e9045b55848df91e6b312f9
RemcosRAT
db5a12184d9b6acdf484a88b3e65aa9435f8a9d7eda48418aef2d028b98913d4
RemcosRAT
+ 8'280 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/220411-wfp4ksbdb9/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
generem2022.hopto.org:2404
generem1.hopto.org:2404
hendersonk1.hopto.org:2404
gene.ddnsgeek.com:2404
henderson.camdvr.org:2404
henderson1.camdvr.org:2404
hobbyhrs.zapto.org:2404
hobbyhrs2.zapto.org:2404
hobbyhrs1.zapto.org:2404
Unpacked files
SH256 hash:
53ac01aeca155b02914c382b97c6f89cf21d6280f488a30eca707bdb9693ce88
MD5 hash:
c755150a74c084c199d24042e9796f35
SHA1 hash:
0fea1a6ae181215deb872c5bb4d2f9ee242f3319
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/8617e60f-e91f-48b9-ac44-a525b417ecea/
Parent samples :
bdbae233809182b9302bbd8701a1919dff782e16cd1c96de1a880f93fbeed86d
83e75d66402eaea2f768c66c07416c4b37cd5cbdfbfd5cb12346c9e81a976862
239419437726bda1c5401f36629aa95050346433232192947ca54890ebb8a39f
d0c1da0838f1eca9ec854e342f707688f1c609fbc2fb0c1cb86624ce51cf71f8
be4b642f44ecf847a15699b7a93f52876389fedf12c8b03e51a4ec5c14032bc7
31a6f2f0d3d503cabf02e31fee5edab37f32c97360f9204654130ab98f5143b6
4c11534aab96c1a9ab0a353431241cf62249290248b553b85daf9bb3b23efbf7
48d05f98dc0e107ca09492b3f4e3728464d8c844870057c0aabc728f0043b2f7
3a62728317a01630a7be9167c9223d451bff0384568482468a9d195a5679f533
4e3b7e84edc257cfc5c6d581272695e2ef520f47b6fa8e179960d52f0f0a3140
47beadcc391c39dc4614d8afff3312f46d4c2666447a82bb8052cfcfb2c7e0df
c73ddd4b47e7691c3655bb1aa5ac034368f865fbc40c22b20c6ab774cb23dd31
fb1585455a00f739a0417c47ac5b948fe9df597f8fed63ed3584931031bdfcd2
3ba7ad2a718413ab6d36dd156bbdd5ac1bcca860f039b14c4cb4382aee58bc88
1d4a9312ebe74b0ea65b5b67ecfadc414a891c4a610369dc017966cb2a2d618b
83d7062a6e44aed6a161da23937cc66f97982e045d933dc4dd2049df4496d34b
735623be46db3bafe8eb224ba84e7dfb3127f37b900b669a3eafc5a19f409921
f43ec67b5158f58273a216cbc49003c55b8f0e6316a3390823348924e38507be
13362eb5bba08696533b5e3196ca0700ace9291e8f5a969c3c1b83d4d0e4667c
0740e382a0c41661aefbd38aa819fa21bc2c14a2cffc6209b361d07dae5cee3d
713114d1dcb9d12994f1cfcb7cc765283cff3f2242ee57cdf15e849e15213a0b
4365d53513b910bfea66669db212ec18f2ba9ab2cf461d140fe42a61b8f0e7e2
63bc8623223491c6337ffed73a4435dd5c5d61576ebb34d465708fdf5d9d9dcd
SH256 hash:
48d05f98dc0e107ca09492b3f4e3728464d8c844870057c0aabc728f0043b2f7
MD5 hash:
a10faa064c5a43f7112694d4caf46735
SHA1 hash:
1b0715a9dd219c178d0106ffe6e50b9e272727ed
Link:
https://www.unpac.me/results/8617e60f-e91f-48b9-ac44-a525b417ecea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48d05f98dc0e107ca09492b3f4e3728464d8c844870057c0aabc728f0043b2f7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 48d05f98dc0e107ca09492b3f4e3728464d8c844870057c0aabc728f0043b2f7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/262777/

Comments