MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56795470a3bd1762459af050088e74f3a693ba31980aa545f7a0bca1024f457c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56795470a3bd1762459af050088e74f3a693ba31980aa545f7a0bca1024f457c
SHA3-384 hash: 52aec57e1cd59e88c1c3bd09340ce0dd7c0f98d142b7b811a61e12a147656281e77f1161957d66ef5da7b68b3b085ba6
SHA1 hash: fdbef3d071cfbfb5c6dad4b54c1d9ccdee4d6cce
MD5 hash: e3b426d179aeb615e9a1eefac3015fca
humanhash: hydrogen-low-social-emma
File name:Product details.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:835'072 bytes
First seen:2022-06-07 08:25:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d00ea591fbd8aea2327581d513e9ec9 (4 x RemcosRAT)
ssdeep 12288:mmS5A8V2lukXgzTvEKYKftiOQnFkjsY9IsnSCJkyKfxxCKraoLF:9IH2luDEKY3OQnFSznSmFK+doLF
TLSH T16D057D6EA64053F3D3B60635DC0B76982525BAD0AD24784E3BEF2F0C4E2425D7D2B9C6
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 74f08889868e88b4 (13 x RemcosRAT, 4 x AveMariaRAT, 2 x ModiLoader)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
199.249.230.22:5481

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
199.249.230.22:5481 https://threatfox.abuse.ch/ioc/662028/

Intelligence

File Origin
# of uploads :
1
# of downloads :
345
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Product details.exe
Verdict:
Malicious activity
Analysis date:
2022-06-07 22:13:48 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/d26c2d01-f439-4f3a-9ed1-24943d067a23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/277260/
Detection(s):
SecuriteInfo.com.UDS.Backdoor.Win32.Remcos.gen.22316.23352.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe keylogger replace.exe
Link:
https://www.filescan.io/uploads/629f0bd94c4e28fcf3b94a30/reports/54489580-590e-4876-aa80-56b7ce78cc87/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7519ff35-1292-4d80-abc1-b2fc15cef627
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1007946
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 640438 Sample: Product details.exe Startdate: 07/06/2022 Architecture: WINDOWS Score: 96 63 Malicious sample detected (through community Yara rule) 2->63 65 Detected Remcos RAT 2->65 67 Yara detected Remcos RAT 2->67 69 C2 URLs / IPs found in malware configuration 2->69 8 Oadcevthny.exe 14 2->8         started        12 Product details.exe 1 22 2->12         started        15 Oadcevthny.exe 17 2->15         started        process3 dnsIp4 43 pvgzew.am.files.1drv.com 8->43 51 2 other IPs or domains 8->51 71 Writes to foreign memory regions 8->71 73 Allocates memory in foreign processes 8->73 75 Creates a thread in another existing process (thread injection) 8->75 17 logagent.exe 8->17         started        45 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49729, 49736 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->45 47 pvgzew.am.files.1drv.com 12->47 53 2 other IPs or domains 12->53 33 C:\Users\Public\Libraries\Oadcevthny.exe, PE32 12->33 dropped 35 C:\Users\...\Oadcevthny.exe:Zone.Identifier, ASCII 12->35 dropped 77 Injects a PE file into a foreign processes 12->77 20 DpiScaling.exe 2 12->20         started        23 cmd.exe 1 12->23         started        49 pvgzew.am.files.1drv.com 15->49 55 2 other IPs or domains 15->55 25 DpiScaling.exe 15->25         started        file5 signatures6 process7 dnsIp8 57 Contains functionality to steal Chrome passwords or cookies 17->57 59 Contains functionality to steal Firefox passwords or cookies 17->59 61 Delayed program exit found 17->61 37 185.189.112.19, 5481 M247GB United Kingdom 20->37 39 146.70.61.147, 5481 TENET-1ZA United Kingdom 20->39 41 2 other IPs or domains 20->41 27 cmd.exe 1 23->27         started        29 conhost.exe 23->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56795470a3bd1762459af050088e74f3a693ba31980aa545f7a0bca1024f457c/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-06-07 08:26:10 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
13 of 41 (31.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kz4vi4fdxulwerm26biardtu6otjhorrtafkkrpxuc6kcaspiv6a._file
Verdict:
malicious
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:host persistence rat trojan
Link:
https://tria.ge/reports/220607-kbvmqagfdl/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
185.189.112.19:5481
104.254.90.243:5481
199.249.230.22:5481
146.70.61.147:5481
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/4de99841-84dc-4ccd-bf70-e26afced59b3/
SH256 hash:
56795470a3bd1762459af050088e74f3a693ba31980aa545f7a0bca1024f457c
MD5 hash:
e3b426d179aeb615e9a1eefac3015fca
SHA1 hash:
fdbef3d071cfbfb5c6dad4b54c1d9ccdee4d6cce
Link:
https://www.unpac.me/results/4de99841-84dc-4ccd-bf70-e26afced59b3/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56795470a3bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56795470a3bd1762459af050088e74f3a693ba31980aa545f7a0bca1024f457c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277260/

Comments