MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5371be34589e6447d7e2714c298903587fcfdebcd634822107a19b3de2b33f6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5371be34589e6447d7e2714c298903587fcfdebcd634822107a19b3de2b33f6b
SHA3-384 hash: 38b870c5e24fa734e1fa9caa80c4fe18ff39cb50d37b3465d9ce97b5935708049ecffd6d1674d6fa8fef9a05394df513
SHA1 hash: 98b2e582cd9ba41bb1f53b3295297b1463f4c6a2
MD5 hash: 1d6f4cdc27931834afbf1423105d38d3
humanhash: fourteen-whiskey-moon-angel
File name:1d6f4cdc27931834afbf1423105d38d3.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:638'466 bytes
First seen:2021-07-09 08:24:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a3768a75eba55604b789706b6a238d1c (2 x Formbook, 1 x RemcosRAT)
ssdeep 12288:QLyh5Wt60Cibp9t/iOWccO3RTWjSiuPBR5lpbTYwX:QLmH0N9WlkTGSBRp
Threatray 37 similar samples on MalwareBazaar
TLSH T16FD47C61B2D04033C6A295359F47E718AC37BF613E185DDA27E8798DD93F793380A262
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
zxcv.EXE
Verdict:
Malicious activity
Analysis date:
2021-07-08 14:12:33 UTC
Tags:
trojan stealer vidar raccoon loader rat azorult
Link:
https://app.any.run/tasks/fe33e5a0-e625-4fc1-8c90-2126ce3bfc64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170635/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Siggen14.29138.32660.25207.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1cbf762-9008-4862-8242-cd06e7280d80
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
evad.troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813907
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446318 Sample: ZCI8lXL6ev.exe Startdate: 09/07/2021 Architecture: WINDOWS Score: 100 69 Multi AV Scanner detection for submitted file 2->69 71 Yara detected BitRAT 2->71 73 Machine Learning detection for sample 2->73 8 ZCI8lXL6ev.exe 1 24 2->8         started        13 Pqlgwrp.exe 13 2->13         started        15 Pqlgwrp.exe 13 2->15         started        process3 dnsIp4 57 cdn.discordapp.com 162.159.133.233, 443, 49727, 49728 CLOUDFLARENETUS United States 8->57 53 C:\Users\Public\Libraries\...\Pqlgwrp.exe, PE32 8->53 dropped 75 Writes to foreign memory regions 8->75 77 Creates a thread in another existing process (thread injection) 8->77 79 Injects a PE file into a foreign processes 8->79 17 cmd.exe 1 8->17         started        20 cmd.exe 1 8->20         started        22 secinit.exe 8->22         started        59 162.159.134.233, 443, 49738 CLOUDFLARENETUS United States 13->59 81 Multi AV Scanner detection for dropped file 13->81 83 Machine Learning detection for dropped file 13->83 85 Allocates memory in foreign processes 13->85 24 mshta.exe 1 13->24         started        27 mshta.exe 15->27         started        file5 signatures6 process7 dnsIp8 63 Uses cmd line tools excessively to alter registry or file data 17->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 17->65 29 cmd.exe 1 17->29         started        32 conhost.exe 17->32         started        34 reg.exe 1 20->34         started        36 conhost.exe 20->36         started        38 WerFault.exe 23 9 22->38         started        61 arsaxa.ac.ug 79.134.225.25, 49740, 49741, 49747 FINK-TELECOM-SERVICESCH Switzerland 24->61 67 Hides threads from debuggers 24->67 41 WerFault.exe 27->41         started        signatures9 process10 dnsIp11 87 Uses cmd line tools excessively to alter registry or file data 29->87 43 conhost.exe 29->43         started        45 reg.exe 1 1 29->45         started        47 schtasks.exe 1 29->47         started        49 reg.exe 1 29->49         started        51 conhost.exe 34->51         started        55 192.168.2.1 unknown unknown 38->55 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5371be34589e6447d7e2714c298903587fcfdebcd634822107a19b3de2b33f6b/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 14:48:30 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kny34ncytzsepv7cofgctcidlb747xv42y2ieiihugnt3yvth5vq._file
Verdict:
malicious
Similar samples:
4cadcc2d7a8ecf067470f99305eca7473fb339936290259643ece74a8502dfb3
RemcosRAT
6e75af8d5d325800f4cfcaab0ec5a96976011f10544863ec3f75ee2a21eaded3
RemcosRAT
6f536ae781fd98358126408aa6991b4bb3ec3f9940929a22b25f785b71ec770d
RemcosRAT
85adf569d259dc53c5099fea6e90ff3a614a406b4308ebdf9f40e8bed151f526
RemcosRAT
88f79e83c95b1e666a1bcb387919b2dba6ebb0cdc6db14c7f6d1229728e40a6c
RemcosRAT
92fee75dbfa7cb48d837b580cc3544832cf116d9991ac9cd0135cef22e535510
RemcosRAT
ab893fbabe7b944a559507848df6549660cfb33de9d4b0da6d645690981c662a
RemcosRAT
c31cfb4fc17ad48af21bc13020fd46ba29e9761aba5a256965eeab9366b689c1
RemcosRAT
dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac
RemcosRAT
f353dc700a77a88665e2d6cb4f73396ba3b4437cc3ee9a6a7e095de5f77277c5
RemcosRAT
+ 27 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan upx
Link:
https://tria.ge/reports/210709-7l6wqazjvx/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
UPX packed file
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
1fd7371f99d6d6c22279f208d56c7030cc4a7807c44eca52aceb56d7f67ce794
MD5 hash:
135e22fb2a688966b3e75e16441f9d18
SHA1 hash:
5364d1af468956d5b0341c5f43aaf674679f7a32
Link:
https://www.unpac.me/results/21ecdea1-53d0-4c99-a745-32176090d36a/
SH256 hash:
5371be34589e6447d7e2714c298903587fcfdebcd634822107a19b3de2b33f6b
MD5 hash:
1d6f4cdc27931834afbf1423105d38d3
SHA1 hash:
98b2e582cd9ba41bb1f53b3295297b1463f4c6a2
Link:
https://www.unpac.me/results/21ecdea1-53d0-4c99-a745-32176090d36a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5371be34589e6447d7e2714c298903587fcfdebcd634822107a19b3de2b33f6b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 5371be34589e6447d7e2714c298903587fcfdebcd634822107a19b3de2b33f6b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/948788/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170635/

Comments