MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef
SHA3-384 hash:	750b5b7e929ebd78c6b253b2ef427c9ec3c89d801743b7755568542e95b59514e2a3cf2d2461c1363ecbcb743298f659
SHA1 hash:	a0cc76173c576dc1ce58a81649df71a8165d99ba
MD5 hash:	c69fdd6ab6ec38f6caa4254fc0160e2d
humanhash:	lemon-seven-muppet-blossom
File name:	IMG_8100034200035389923.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	797'696 bytes
First seen:	2022-01-25 11:45:26 UTC
Last seen:	2022-01-25 14:02:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	88dccac4d9ae025e5fe6a132e4dc45bf (1 x Formbook, 1 x RemcosRAT)
ssdeep	12288:ovz2X7tyLZWi55PFwA6qhu6IFRJ9cPuGhHZcL+5zZQDy9W7T3bnvw:obKEki55PF5XhzEJS2GhHZcetpKT7v
TLSH	T1C5058D13B2D18837D13B2FB49C5B97A9983ABE112D2CB9863BE45D4C5F353403825EA7
File icon (PE):
dhash icon	b670390284e2da70 (14 x Formbook, 3 x RemcosRAT, 3 x AveMariaRAT)
Reporter	lowmal3
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

164

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://onedrive.live.com/download?cid=C2D965CB96E79C21&resid=C2D965CB96E79C21%21118&authkey=AJG3KxZOEUQxyX8

Verdict:

Malicious activity

Analysis date:

2022-01-25 09:44:19 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/d2d4c66f-fa51-4207-ab47-2cf22a52bb2e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/222420/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader44.35298.9561.11038.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Launching a process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5095/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe fareit keylogger packed replace.exe

Link:

https://www.filescan.io/uploads/61efe2ff0f8c757253e6df34/reports/a85efc34-4c6e-4834-b333-c1ad131af02f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2b75357f-4de1-44d4-a97f-05967a1ddcbc

Result

Threat name:

Remcos DBatLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/927040

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to steal Firefox passwords or cookies

Creates a thread in another existing process (thread injection)

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected DBatLoader

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2022-01-25 11:46:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kuenh7s4ihcn5rfhk4hq2yfphnv2rs4skhxb5lur5d6amhb7ldxq._file

Verdict:

malicious

Label(s):

remcos

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos botnet:remotehost persistence rat trojan

Link:

https://tria.ge/reports/220125-nxbcrafccm/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

ModiLoader First Stage

ModiLoader, DBatLoader

Remcos

Malware Config

C2 Extraction:

proprapra90.ddns.net:8810
storeyman7109.duckdns.org:8810

Unpacked files

SH256 hash:

9cebbcef1bd6016dfebf4c69f4c49501d914d5a8607777eba952d7ad40346f9a

MD5 hash:

322f2da5c29542aaecc9ee17e1fe7f00

SHA1 hash:

734c432e2595d53c82ee28604f909d3390018dd8

Detections:

win_dbatloader_w0

Link:

https://www.unpac.me/results/2e98d8e2-bcb1-4beb-9e7e-1272b331d0de/

Parent samples :

a7d0cff6a05994c0ae576fa842e44a101879317f62466923f1d96adee2c4a898
770c04c7c3a53d584af17e38e8e3fe5767d431e26ca59b4dc20de71045354295
c1bd90e8816e506f387b5552b7487423da84b9818cf4e94f175ed7206cffe4f5
b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e
bed2b6abf700b607d4f856c63832bae23f4120a8786b5af4cbdaa0d8525a47bc
0d9facf6b7073de4e3db19eb64e80589d98cfe35b66942191390a891bb8b241c
3add41c98717984fa6f6d1bff7b1506024e2d91932b60a43810498c44daaef86
ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e
b5cea089bb899e75deef98dc1569dc3af17a070f6fa594377b49299d63bbbd8f
7b2232160ba59858c112d6dcb2252701cdb5c1e38b216fb046bd13718c2716ce
b83152fc7fc7aa9950add1de9c3d12e107e3b6eb481c1a368018ed26d3792cdc
0ba0cd39397ce42a5a678b0ef803f99267dc16de6383f61107e298633e23e436
f69c67cbf4e8f7e6d0f9157de994b80e6eb0f7b251dcc461940d51659055640f
5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef
cab0b398ecbf051d2fefcd25624c8f2b8119d52304c4e9836ede3b5391119fe6
4e837a08dd24b1f710c6fce10f974a49141decf103d6aeb290c0d36bba75121b
7a5846b1a7c0bbada0892d8b315bef3b4682192268da9ea779e98449681dd7ed
94ca0af32ea93d62fa355e450747ae9755c5dcd09e7b4186cd5bd04d7fc56565
0183d2fd44e215d6dc408bec45db9767a765767737b737032ff97e75adca46cd
5a04697834016e869389ef0d6a08656669cf5597fe0a6378a993250d311482e3
01e537ab28cea013b9a08939057369aa9369e8ff009231cb95101dc24348bb2e
76389098be8a410aaf6b21297912f6ef745db6e8a2f2aaaddda8685bd91091c3
662c7dc1c6b6fbc7cb4622876c0b0b2a42dba7081adede8a65182aef085f7082
7793e93512bcef7b9d90de59ef17b8771ecc9da854da2f4c8b3be8ba3c5a2c20

SH256 hash:

5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef

MD5 hash:

c69fdd6ab6ec38f6caa4254fc0160e2d

SHA1 hash:

a0cc76173c576dc1ce58a81649df71a8165d99ba

Link:

https://www.unpac.me/results/2e98d8e2-bcb1-4beb-9e7e-1272b331d0de/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/5508d3fe5c41/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/222420/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample