MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54960f94810d9ce0b6edcdfb6abfe07a0b372422b51eb478881000c9cfda2091. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54960f94810d9ce0b6edcdfb6abfe07a0b372422b51eb478881000c9cfda2091
SHA3-384 hash: d44cc2e01bca5eacc6e00039895afea01d5bd2b56922564886c8d3911a86a053870b2fea072c411df2062818e33a7422
SHA1 hash: ca66ef332876eb1fb019fc2f286a989b7192b313
MD5 hash: b4a9ae39027e8530378c05ce71236518
humanhash: oven-carpet-high-william
File name:SecuriteInfo.com.Variant.Zusy.427939.774.26117
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:912'896 bytes
First seen:2022-07-01 08:01:59 UTC
Last seen:2022-07-01 08:51:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 96f6f9a6477a1084212a6d5f12ff3586 (3 x RemcosRAT)
ssdeep 12288:hSH1x/NoKtuSn5/S5/6zbxkRrf1iX1+I+kabKnfIaxLneGt3vmmcSwua:wH1BOSn0O1+7OvCy
Threatray 3'413 similar samples on MalwareBazaar
TLSH T11F157C2A7181C432D1E21D399D4B96F95A37BE802A18A9462BF43C8DBF747513C3D2B7
TrID 46.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
31.5% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
18.3% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
0.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.9% (.SCR) Windows screen saver (13101/52/3)
dhash icon 70959a9c8cdc5ab0 (3 x RemcosRAT, 2 x DBatLoader, 1 x AveMariaRAT)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/284817/
Detection(s):
SecuriteInfo.com.Variant.Zusy.427939.11600.32138.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/23285/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/62beaa3887c294f96f8d2218/reports/9da61051-e32a-4cda-8baa-94b44653e652/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5a46bae9-ae96-47de-8c21-8305514610c6
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1023085
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 655582 Sample: SecuriteInfo.com.Variant.Zu... Startdate: 01/07/2022 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 5 other signatures 2->47 6 SecuriteInfo.com.Variant.Zusy.427939.774.exe 1 17 2->6         started        11 Enspilxkno.exe 13 2->11         started        13 Enspilxkno.exe 13 2->13         started        process3 dnsIp4 27 cdn.discordapp.com 162.159.133.233, 443, 49726, 49728 CLOUDFLARENETUS United States 6->27 23 C:\Users\Public\Librariesnspilxkno.exe, PE32 6->23 dropped 25 C:\Users\...nspilxkno.exe:Zone.Identifier, ASCII 6->25 dropped 49 Writes to foreign memory regions 6->49 51 Allocates memory in foreign processes 6->51 53 Creates a thread in another existing process (thread injection) 6->53 15 logagent.exe 2 6->15         started        29 162.159.134.233, 443, 49751 CLOUDFLARENETUS United States 11->29 55 Multi AV Scanner detection for dropped file 11->55 57 Injects a PE file into a foreign processes 11->57 19 DpiScaling.exe 11->19         started        21 DpiScaling.exe 13->21         started        file5 signatures6 process7 dnsIp8 31 blessmyhustlelord.ddns.net 37.0.14.195, 49750, 5017 WKD-ASIE Netherlands 15->31 33 Contains functionalty to change the wallpaper 15->33 35 Found stalling execution ending in API Sleep call 15->35 37 Contains functionality to steal Chrome passwords or cookies 15->37 39 4 other signatures 15->39 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/54960f94810d9ce0b6edcdfb6abfe07a0b372422b51eb478881000c9cfda2091/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2022-07-01 05:18:08 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
7 of 41 (17.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ksla7febbwoobnxnzx5wvp7apiftojbcwupli6eicaamtt62eciq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d
RemcosRAT
628714308e23fcb40095b63c6822b08f8a9b90de2ac290ff1e8e01b6ccde1568
RemcosRAT
6f4628db14ddcff78f5b0ad2c62f6791e4b29901eb9ef8a3686a2b7019308a99
RemcosRAT
83f54b46a10ce36ac80d885c29cbf1c88c65250163961193916123c282d36784
RemcosRAT
84a066f7294211d47a88b38b0ad9ff2f0e385973c4a3b92b39b2df25e178aca8
RemcosRAT
8a76f76aa6af2cb9a5a30d6bf09722e2fcdb1555c253a15f798529f5ccb5de1d
RemcosRAT
b5734fe9e898335433674437790e741440b75c6a749ceb7455555c88303daedc
RemcosRAT
bfa4daa95a303253a45cc02597d1fa404168fb88e627dc3afa4b3548a6ff893d
RemcosRAT
e7c74f89332dcf4bf0ebaa50d960a8c82a521ca2c9608ecbb13e719e9744b5ca
RemcosRAT
fa3e1ea5a814915ffc65b8a94180aedccf3140f515f05737f3017d6ab6f10b89
RemcosRAT
+ 3'403 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:big persistence rat trojan
Link:
https://tria.ge/reports/220701-jw4wfscfa4/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
blessmyhustlelord.ddns.net:5017
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/f8ddeaa9-db26-4d32-8c9b-9fdbad020f4c/
SH256 hash:
54960f94810d9ce0b6edcdfb6abfe07a0b372422b51eb478881000c9cfda2091
MD5 hash:
b4a9ae39027e8530378c05ce71236518
SHA1 hash:
ca66ef332876eb1fb019fc2f286a989b7192b313
Link:
https://www.unpac.me/results/f8ddeaa9-db26-4d32-8c9b-9fdbad020f4c/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/54960f94810d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/54960f94810d9ce0b6edcdfb6abfe07a0b372422b51eb478881000c9cfda2091

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/284817/

Comments