MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3
SHA3-384 hash: f0f65b52d4ac04776f40f1f1be9517f7a7c95cb393a423b0012fcd71d209cbfeb39bb6a676ca580e2636f64cba07d401
SHA1 hash: 0ca4c0eff139395f381b9c2dfc18aaa5634e9d3c
MD5 hash: 26b590d41fbcc2741134c3fb52507dfb
humanhash: south-five-jig-football
File name:DHL-EXPRESS.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:992'768 bytes
First seen:2023-03-30 17:19:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:dBpSUVpLFZvLdF33lwPfDf1aZsTDe9aimX:dBgAfLdFHif1M0q9
Threatray 1'823 similar samples on MalwareBazaar
TLSH T1EF2512147BED960EE12A877C86E4C5B06378DDC4E222CB530FDDBC97B39E3869912452
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 32c29292b2e88e82 (7 x Formbook, 6 x RemcosRAT, 2 x AgentTesla)
Reporter abuse_ch
Tags:DHL exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
DHL-EXPRESS.exe
Verdict:
Malicious activity
Analysis date:
2023-03-30 17:23:19 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/f8cda33a-18e9-4608-8806-3eeeb8988411

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/378874/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed remcos
Link:
https://www.filescan.io/uploads/6425c4c68e162174987d8b29/reports/2d1ec53e-f693-408a-a7b9-da39e8935815/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d3ff9e2-b34c-4b7b-bce0-5c772701fbc0
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1205413
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 838335 Sample: DHL-EXPRESS.exe Startdate: 30/03/2023 Architecture: WINDOWS Score: 100 75 fresh03.ddns.net 2->75 81 Multi AV Scanner detection for domain / URL 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 Antivirus detection for URL or domain 2->85 87 9 other signatures 2->87 10 DHL-EXPRESS.exe 7 2->10         started        14 PzGlCBaqHsZS.exe 3 2->14         started        16 remcos.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 67 C:\Users\user\AppData\...\PzGlCBaqHsZS.exe, PE32 10->67 dropped 69 C:\Users\...\PzGlCBaqHsZS.exe:Zone.Identifier, ASCII 10->69 dropped 71 C:\Users\user\AppData\Local\...\tmpD1F5.tmp, XML 10->71 dropped 73 C:\Users\user\AppData\...\DHL-EXPRESS.exe.log, ASCII 10->73 dropped 95 Contains functionality to bypass UAC (CMSTPLUA) 10->95 97 Contains functionality to steal Chrome passwords or cookies 10->97 99 Uses schtasks.exe or at.exe to add and modify task schedules 10->99 105 3 other signatures 10->105 20 DHL-EXPRESS.exe 2 4 10->20         started        23 powershell.exe 22 10->23         started        25 schtasks.exe 1 10->25         started        101 Multi AV Scanner detection for dropped file 14->101 103 Machine Learning detection for dropped file 14->103 27 schtasks.exe 16->27         started        35 2 other processes 16->35 29 schtasks.exe 18->29         started        31 schtasks.exe 18->31         started        33 remcos.exe 18->33         started        37 2 other processes 18->37 signatures6 process7 file8 63 C:\ProgramData\Remcos\remcos.exe, PE32 20->63 dropped 65 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 20->65 dropped 39 remcos.exe 5 20->39         started        42 conhost.exe 23->42         started        44 conhost.exe 25->44         started        46 conhost.exe 27->46         started        48 conhost.exe 29->48         started        50 conhost.exe 31->50         started        process9 signatures10 89 Multi AV Scanner detection for dropped file 39->89 91 Machine Learning detection for dropped file 39->91 93 Adds a directory exclusion to Windows Defender 39->93 52 remcos.exe 39->52         started        55 powershell.exe 11 39->55         started        57 schtasks.exe 1 39->57         started        process11 dnsIp12 77 fresh03.ddns.net 103.169.34.187, 34110, 49699 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 52->77 79 geoplugin.net 178.237.33.50, 49700, 80 ATOM86-ASATOM86NL Netherlands 52->79 59 conhost.exe 55->59         started        61 conhost.exe 57->61         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-03-30 17:20:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kdfjrornkscyxf6lx77xldw7p6a2fgukjcckimm25gkmxcsdjxrq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2cf6b9480c8c7a3e9ecfda6a28bac4f48f019d35f75d89847c8ef866aef2cc98
RemcosRAT
4d833b054ab8a92e1342bf015ae2348b5c88d8b5281a7bda7b5ef21e67926ad7
RemcosRAT
bd636a268d4511297bcf90fde8103829bf21a31e7075b93aae30824af3e3703d
RemcosRAT
c130d7ecfd4247d4b31878fc53e77b29f6cf286a977964d32069baa3769d4779
RemcosRAT
ca598fdf9fb15e2c04dbb11f4c4ba49c397029ed14fe2eedbc5c320eea4a00a6
RemcosRAT
cf30e92c897a307421160bcc8072cd2901b89331de784059a1a1608d2ca80123
RemcosRAT
d8e945322322e348f8ccd15cd7eb464b39f45664d831aa368398e64461869d05
RemcosRAT
f4b21e57bb6fabca1dd4b5499d5940749346c350975dcc07cf8f40db0376acfc
RemcosRAT
f72a28baaee398dbbd65efbdae0cf4864f208f806f4592f8f6bb7c9a735c2362
RemcosRAT
+ 1'813 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:upgraded001 persistence rat
Link:
https://tria.ge/reports/230330-vwer4sfa2s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
fresh03.ddns.net:34110
Unpacked files
SH256 hash:
5062f99a5460cbd448d7f9c35d5c05aafa3ce36357be73268367d779dd92396e
MD5 hash:
c499b0e057f46db9f5ad9f0e9181830e
SHA1 hash:
fda2b448e6c7a411e1baed2a8bca7050b9b769ef
Link:
https://www.unpac.me/results/9de324dd-dfe6-499f-823f-4e3775b1cc20/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/9de324dd-dfe6-499f-823f-4e3775b1cc20/
SH256 hash:
a77c0624acc8061304e10944d5adbba8cc92a402eba09aa4ba0a938e9cd8843a
MD5 hash:
4a0e7903e28ada3031b833989d7cbecf
SHA1 hash:
1cb9fd5951005d242db18f41a80d962394db036d
Link:
https://www.unpac.me/results/9de324dd-dfe6-499f-823f-4e3775b1cc20/
SH256 hash:
eff756023f8a735803482392f5929450a16c9d802a32d7e23a5167e81a545065
MD5 hash:
1237d9e2d9f6e93aef3a0a2d25de6956
SHA1 hash:
0cb7388008b64a52f28e0569f6266674266c1b0e
Link:
https://www.unpac.me/results/9de324dd-dfe6-499f-823f-4e3775b1cc20/
SH256 hash:
eb99b9052fb1b154c9731f36fca6c148da71b530f530994427e8886e36f8dffe
MD5 hash:
5d9356dc1909e3385a1b77a1032fecd0
SHA1 hash:
052ee55ae083fe331d00ea3335cd3f68cd08ffdc
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/9de324dd-dfe6-499f-823f-4e3775b1cc20/
Parent samples :
28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c
3d1a75579ef0717708782f63318b36e8dc0356fc477370ad9c69feac793a6a95
50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3
f3e4dd541766cd7a3af91ef964b91ded632f13ebe69bd4fb5eadd563c0207059
2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b
SH256 hash:
50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3
MD5 hash:
26b590d41fbcc2741134c3fb52507dfb
SHA1 hash:
0ca4c0eff139395f381b9c2dfc18aaa5634e9d3c
Link:
https://www.unpac.me/results/9de324dd-dfe6-499f-823f-4e3775b1cc20/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/50ca98ba2d54/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/378874/

Comments