MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c11534aab96c1a9ab0a353431241cf62249290248b553b85daf9bb3b23efbf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c11534aab96c1a9ab0a353431241cf62249290248b553b85daf9bb3b23efbf7
SHA3-384 hash: 53b97b3085f16cd02ff161f67aa1234e0db1afe09a8d9c3b14702b1344628849afdb9bcfcaa97794854edadfc47aa5d2
SHA1 hash: f021d389ddbdde1e1b3c61c99b09bf46ca40612f
MD5 hash: 3120e2d6029f2edfab8d312fb60ca300
humanhash: bakerloo-hotel-green-harry
File name:DHL.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:890'368 bytes
First seen:2022-04-11 17:51:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ad85a789bab9c50ad5509981ee399258 (2 x RemcosRAT, 1 x ModiLoader)
ssdeep 12288:owf0RGKWyAGKcoYJpedtlQYEZDg8mbUskyPjhLFFh2JZec4qO:oemGK9KcoQctlKNLMVneJb
Threatray 7'135 similar samples on MalwareBazaar
TLSH T1A915AD51F2908E32D87F26754C1B6AA598337F432D186BDB2BF01E0C7EB96417939293
File icon (PE):PE icon
dhash icon 0c321272b98ca6d9 (12 x Formbook, 7 x RemcosRAT, 5 x DBatLoader)
Reporter abuse_ch
Tags:DHL exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
DHL.exe
Verdict:
Malicious activity
Analysis date:
2022-04-11 23:17:27 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/13f99f22-294f-44d5-a072-9096ab402d70

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262775/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.16051.3109.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13512/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger shell32.dll
Link:
https://www.filescan.io/uploads/62546ac9482f2f41ca9a7103/reports/338547e4-fd77-4fc7-a0a8-70b27927f099/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82ec7b6b-68f4-4bab-aa2f-cc091b77f7e8
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/974851
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Program Location with Network Connections
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 607344 Sample: DHL.exe Startdate: 11/04/2022 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 8 DHL.exe 1 21 2->8         started        13 Xfhprjl.exe 14 2->13         started        15 Xfhprjl.exe 17 2->15         started        process3 dnsIp4 37 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49775, 49777 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->37 39 i-dm3-cor004.api.p001.1drv.com 157.55.109.230, 443, 49776, 49778 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->39 45 5 other IPs or domains 8->45 33 C:\Users\Public\Libraries\Xfhprjl.exe, PE32 8->33 dropped 67 Writes to foreign memory regions 8->67 69 Creates a thread in another existing process (thread injection) 8->69 71 Injects a PE file into a foreign processes 8->71 17 logagent.exe 2 2 8->17         started        21 cmd.exe 1 8->21         started        41 i-dsm01p-cor002.api.p001.1drv.com 40.90.130.194, 443, 49789, 49791 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 13->41 47 5 other IPs or domains 13->47 73 Multi AV Scanner detection for dropped file 13->73 75 Allocates memory in foreign processes 13->75 23 logagent.exe 13->23         started        43 192.168.2.1 unknown unknown 15->43 49 5 other IPs or domains 15->49 25 logagent.exe 15->25         started        file5 signatures6 process7 dnsIp8 35 febrem.ddns.net 104.168.190.126, 2404, 49788 HOSTWINDSUS United States 17->35 59 Contains functionality to steal Chrome passwords or cookies 17->59 61 Contains functionality to inject code into remote processes 17->61 63 Contains functionality to steal Firefox passwords or cookies 17->63 65 Delayed program exit found 17->65 27 cmd.exe 1 21->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c11534aab96c1a9ab0a353431241cf62249290248b553b85daf9bb3b23efbf7/
Threat name:
Win32.Trojan.RemcosRAT
Create hunting rule
Status:
Malicious
First seen:
2022-04-11 17:52:11 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jqivgsvls3a2tkykgu2dcja46yreskicjc2vhoc5v6n3hmr67p3q._file
Verdict:
malicious
Similar samples:
03632b99b5401681e8dacf45710bfce9919f840843b836bad53c3113dacb097e
RemcosRAT
239419437726bda1c5401f36629aa95050346433232192947ca54890ebb8a39f
RemcosRAT
27309bb8844a4d48af2527787b781fdac2917d6f75f870743428a3e7aa44fc1a
RemcosRAT
31a6f2f0d3d503cabf02e31fee5edab37f32c97360f9204654130ab98f5143b6
RemcosRAT
6353828ddb8f70dd9a535d3314ac328b044539563334f093173b86fd96e24707
RemcosRAT
6458542795cc0a40d4ab238e2be5fb15546d5ca38e52d1f9c7d4157dca27679a
RemcosRAT
8fb9ddc78aef013fcbc8ff38135972fdacf66a871cc4b42f719efefe2255219f
RemcosRAT
afb058fdd8aa200fe754289c9b48d8876f4bbd7cbcefc964742d76c32a990340
RemcosRAT
b65b5c308318e1e0fc2228dd022300099273dc340aa8faba81abc1d3868707ea
RemcosRAT
c122639d652908b10751cb546a1c48e753427aa4d74f6a638fcb6c829b65e12f
RemcosRAT
+ 7'125 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/220411-wfp4ksbdb8/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
febrem.ddns.net:2404
febrem1.ddns.net:2404
febrem2.ddns.net:2404
febrem3.ddns.net:2404
febrem4.ddns.net:2404
febrem5.ddns.net:2404
marrem1.ddnsking.com:2404
marrem2.ddnsking.com:2404
marrem3.ddnsking.com:2404
Unpacked files
SH256 hash:
53ac01aeca155b02914c382b97c6f89cf21d6280f488a30eca707bdb9693ce88
MD5 hash:
c755150a74c084c199d24042e9796f35
SHA1 hash:
0fea1a6ae181215deb872c5bb4d2f9ee242f3319
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/430c1203-26aa-4da4-b119-5689dca88333/
Parent samples :
bdbae233809182b9302bbd8701a1919dff782e16cd1c96de1a880f93fbeed86d
83e75d66402eaea2f768c66c07416c4b37cd5cbdfbfd5cb12346c9e81a976862
239419437726bda1c5401f36629aa95050346433232192947ca54890ebb8a39f
d0c1da0838f1eca9ec854e342f707688f1c609fbc2fb0c1cb86624ce51cf71f8
be4b642f44ecf847a15699b7a93f52876389fedf12c8b03e51a4ec5c14032bc7
31a6f2f0d3d503cabf02e31fee5edab37f32c97360f9204654130ab98f5143b6
4c11534aab96c1a9ab0a353431241cf62249290248b553b85daf9bb3b23efbf7
48d05f98dc0e107ca09492b3f4e3728464d8c844870057c0aabc728f0043b2f7
3a62728317a01630a7be9167c9223d451bff0384568482468a9d195a5679f533
4e3b7e84edc257cfc5c6d581272695e2ef520f47b6fa8e179960d52f0f0a3140
47beadcc391c39dc4614d8afff3312f46d4c2666447a82bb8052cfcfb2c7e0df
c73ddd4b47e7691c3655bb1aa5ac034368f865fbc40c22b20c6ab774cb23dd31
fb1585455a00f739a0417c47ac5b948fe9df597f8fed63ed3584931031bdfcd2
3ba7ad2a718413ab6d36dd156bbdd5ac1bcca860f039b14c4cb4382aee58bc88
1d4a9312ebe74b0ea65b5b67ecfadc414a891c4a610369dc017966cb2a2d618b
83d7062a6e44aed6a161da23937cc66f97982e045d933dc4dd2049df4496d34b
735623be46db3bafe8eb224ba84e7dfb3127f37b900b669a3eafc5a19f409921
f43ec67b5158f58273a216cbc49003c55b8f0e6316a3390823348924e38507be
13362eb5bba08696533b5e3196ca0700ace9291e8f5a969c3c1b83d4d0e4667c
0740e382a0c41661aefbd38aa819fa21bc2c14a2cffc6209b361d07dae5cee3d
713114d1dcb9d12994f1cfcb7cc765283cff3f2242ee57cdf15e849e15213a0b
4365d53513b910bfea66669db212ec18f2ba9ab2cf461d140fe42a61b8f0e7e2
63bc8623223491c6337ffed73a4435dd5c5d61576ebb34d465708fdf5d9d9dcd
SH256 hash:
4c11534aab96c1a9ab0a353431241cf62249290248b553b85daf9bb3b23efbf7
MD5 hash:
3120e2d6029f2edfab8d312fb60ca300
SHA1 hash:
f021d389ddbdde1e1b3c61c99b09bf46ca40612f
Link:
https://www.unpac.me/results/430c1203-26aa-4da4-b119-5689dca88333/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4c11534aab96/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c11534aab96c1a9ab0a353431241cf62249290248b553b85daf9bb3b23efbf7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/262775/

Comments