MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a74ac9210751c192d84ad49d567de4cc5f7d005f62767b59a6a7901051a5304. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a74ac9210751c192d84ad49d567de4cc5f7d005f62767b59a6a7901051a5304
SHA3-384 hash: 5f044273db18de49f8a693afd83e1b0967ce5a9775e31aa1faee50f67a022afcf718f270be14c92d61fd1aed2a2a8193
SHA1 hash: 5fff78a6a316da25aaae8c3b1755370b90e5361f
MD5 hash: c3c4fbf8aefbd9215f116ce6c429b882
humanhash: hydrogen-july-two-saturn
File name:DOC10909266NR5272RBL2021DHL66178278_LAX27782.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:902'608 bytes
First seen:2021-02-26 05:58:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bb7d710e4610becb375536cd52a53029 (3 x RemcosRAT, 1 x NetWire)
ssdeep 12288:6SI98JWgTynjjFRUbkaWw+S9SmxgfPvMh4KdriR3BhOu75Jf2ydBrRJN7NNNNNNs:6Sgnn/USvf3BhOu75/PBp9Buz155
Threatray 105 similar samples on MalwareBazaar
TLSH A515BF2976A0C7F2D4B019387F5F7158CC90791F151073BE2AF9AACD2A2E2473617A72
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
salonirang.duckdns.org

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DOC10909266NR5272RBL2021DHL66178278_LAX27782.exe
Verdict:
Malicious activity
Analysis date:
2021-02-26 06:01:10 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/dffc79dc-b51a-40ba-b7cd-1e0a0b6f698a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119310/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/619344
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 358668 Sample: DOC10909266NR5272RBL2021DHL... Startdate: 26/02/2021 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 5 other signatures 2->45 6 DOC10909266NR5272RBL2021DHL66178278_LAX27782.exe 1 18 2->6         started        11 Cjnajtec.exe 2->11         started        13 Cjnajtec.exe 2->13         started        process3 dnsIp4 25 cdn.discordapp.com 162.159.133.233, 443, 49717 CLOUDFLARENETUS United States 6->25 23 C:\Users\Public\Libraries\Cjnajtec.exe, PE32 6->23 dropped 47 Writes to foreign memory regions 6->47 49 Creates a thread in another existing process (thread injection) 6->49 51 Injects a PE file into a foreign processes 6->51 15 mspaint.exe 2 3 6->15         started        53 Antivirus detection for dropped file 11->53 55 Machine Learning detection for dropped file 11->55 19 mobsync.exe 11->19         started        21 cmmon32.exe 13->21         started        file5 signatures6 process7 dnsIp8 27 salonirang.duckdns.org 185.202.175.208, 49724, 54604 UNREAL-SERVERSUS Netherlands 15->27 29 Contains functionality to steal Chrome passwords or cookies 15->29 31 Contains functionality to capture and log keystrokes 15->31 33 Contains functionality to inject code into remote processes 15->33 35 Contains functionality to steal Firefox passwords or cookies 19->35 37 Delayed program exit found 19->37 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a74ac9210751c192d84ad49d567de4cc5f7d005f62767b59a6a7901051a5304/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 05:59:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jj2kzeqqouobslmevve5kz66jtc7puaf6ytwpnm2nj4qcbi2kmca._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0499edd68518a172935fb984e9d97c72c50a00d5aff2cc7d5528cd38da42695c
RemcosRAT
22ac80592400a2e2ed64392413d1bc5ecbbb09f10a811d3243c7212252f75a2c
RemcosRAT
42ef2a340b9b5ec88d5ab83584f07ecc76e7b3842640aecd328ad9d85ad745e8
RemcosRAT
49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219
RemcosRAT
71f60a985d2cc9fc47c6845a88eea4da19303a96a2ff69daae70276f70dcdae0
RemcosRAT
736c1c3ed4301b2f069ba84d5bcdf3919e88d5412fa13080d2eed53fe98c0ac4
RemcosRAT
c3d5cfa19bb7af77abe161135bd85506171d67dca3f86fa6a68340d05e203f64
RemcosRAT
e418958dc7d42216f8f151aef40df718df0a6a20d7d70c9954f7bd82953707a7
RemcosRAT
f1e9d6eb71a715e5f47a5c6fa5d03e9c3b871a0e88c91c709ff67ab9311caf4e
RemcosRAT
f8d06c20dc2af83af29551f384bbde4e5380911d8db0f9e56ca549bb5995d413
RemcosRAT
+ 95 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210226-lmn9192pg2/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
salonirang.duckdns.org:54604
Unpacked files
SH256 hash:
706d20d3ed5a944ad7351b2b1e6510db719e150baf045713dfba5494879cd959
MD5 hash:
5e793005579e35e29886ecd8c19b78bb
SHA1 hash:
688b72e225d35b6a0caf21ccbac0fd580374d2d8
Link:
https://www.unpac.me/results/deb3c1ed-91ad-4e75-b9ff-4ad5ecf46858/
SH256 hash:
4a74ac9210751c192d84ad49d567de4cc5f7d005f62767b59a6a7901051a5304
MD5 hash:
c3c4fbf8aefbd9215f116ce6c429b882
SHA1 hash:
5fff78a6a316da25aaae8c3b1755370b90e5361f
Link:
https://www.unpac.me/results/deb3c1ed-91ad-4e75-b9ff-4ad5ecf46858/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 4a74ac9210751c192d84ad49d567de4cc5f7d005f62767b59a6a7901051a5304

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/119310/

Comments