MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cfeb31e244749101b15620775505444327ee862cdec4a3e04f6af994a8e32f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cfeb31e244749101b15620775505444327ee862cdec4a3e04f6af994a8e32f4
SHA3-384 hash: e1038e63eb155a4aa42226844612405cfddf46fec502a378f5a6621a08bfd119da0b156e9d3c95d6014e547dcd790de3
SHA1 hash: d41546957d56604abb27669cad1d8b79a53bb3d8
MD5 hash: 27e655e0e0ff2f4605d88edd08e7e78e
humanhash: double-hot-moon-single
File name:Waybill.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:864'768 bytes
First seen:2021-09-10 00:20:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6da2e3f69203d2c4b15426c5555b3c99 (2 x RemcosRAT, 1 x NetWire, 1 x BitRAT)
ssdeep 12288:FJ07BGWcovyyY29t38Nhrsf2xSKc+FQnuUOpukpxkMCNZL:DyVcovY29tsPrsuzc+FQuUAukpxkJ
Threatray 2'533 similar samples on MalwareBazaar
TLSH T1B5056D5D66A30836E1B31A39ED5A5BF49419BD11B428ED0633F8CACB3E34E6074E9437
dhash icon ba7a6a6afa9a9ae4 (2 x RemcosRAT, 1 x NetWire, 1 x BitRAT)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Waybill.exe
Verdict:
Malicious activity
Analysis date:
2021-09-10 00:22:36 UTC
Tags:
installer
Link:
https://app.any.run/tasks/2e66fb06-d079-45c2-854d-d627ce29c14d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186749/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan0052d4b21.26004.26896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Launching a process
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b7b872d-fa6b-48e2-979b-ea280ed4d4b1
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848499
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 480930 Sample: Waybill.exe Startdate: 10/09/2021 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 7 other signatures 2->45 6 Waybill.exe 1 17 2->6         started        11 Wjqbpqp.exe 13 2->11         started        13 Wjqbpqp.exe 13 2->13         started        process3 dnsIp4 25 cdn.discordapp.com 162.159.133.233, 443, 49735, 49736 CLOUDFLARENETUS United States 6->25 23 C:\Users\Public\Libraries\...\Wjqbpqp.exe, PE32 6->23 dropped 47 Writes to foreign memory regions 6->47 49 Allocates memory in foreign processes 6->49 51 Creates a thread in another existing process (thread injection) 6->51 15 DpiScaling.exe 2 3 6->15         started        53 Multi AV Scanner detection for dropped file 11->53 55 Injects a PE file into a foreign processes 11->55 19 ieinstal.exe 11->19         started        21 logagent.exe 13->21         started        file5 signatures6 process7 dnsIp8 27 rem1.camdvr.org 217.138.204.41, 2404 M247GB United Kingdom 15->27 29 rem16.hopto.org 37.120.138.222, 2404, 49750 M247GB Romania 15->29 31 Contains functionalty to change the wallpaper 15->31 33 Contains functionality to steal Chrome passwords or cookies 15->33 35 Contains functionality to capture and log keystrokes 15->35 37 3 other signatures 15->37 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5cfeb31e244749101b15620775505444327ee862cdec4a3e04f6af994a8e32f4/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 21:08:05 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lt7lghrei5eragyvmidxkucuiqzh52dczxweupqe62xzssuogl2a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
17c742f29afb5c4352f3fb0079fbb0b2d72da1e65cfc59695f9a7259088b4615
RemcosRAT
462062209acc090a567e2bd571acd1d52c19d0d80ee56da256a3c58aaf3b12e9
RemcosRAT
52fa8487efeb8b203fb1f37501c366088b71de4ded620695ba2e34e8c0f446a2
RemcosRAT
63546d7293b43b8c746bbddddcfe798478d99e5786fceff8d1fcfb52b9a64aed
RemcosRAT
66eb53699937b049b917bbcfa13b9b5d2f8449753dcbbf9e35405a766cdc9a70
RemcosRAT
798fc4066cf0b5e0c6711d32ca8d43afc7d4b99f333c184b7fd0b7d3b7eb7559
RemcosRAT
7df259f7873239aee108522c3efd6fca233db83a268a3c9fad4766994c5a029d
RemcosRAT
b9a4e85c7d4645fd515eb3f8b883ee8e5990ff4381a90b5a8f42bff007fbb386
RemcosRAT
e65bff9943ab7ccc3713619a8d908f6caf5392c0c47defe3b66ca9009d2177ed
RemcosRAT
+ 2'523 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/210910-anbp9scbam/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
rem1.camdvr.org:2404
rem16.hopto.org:2404
rem1666.hopto.org:2404
rem16.camdvr.org:2404
remmusic.freeddns.org:2404
sunwap1.ddns.net:2404
rem166.hopto.org:2404
Unpacked files
SH256 hash:
cd4b225505e84218ef7418c8e5f41acbb67c51bd43e9ddcfa25341259377d3df
MD5 hash:
b7816cb3535b2f2675804d3052295003
SHA1 hash:
db4588853aa1ec16b1f2d29b1e873a653a1ecb13
Link:
https://www.unpac.me/results/9e3389d1-4ae8-4481-b638-e8bfa1d823e7/
SH256 hash:
5cfeb31e244749101b15620775505444327ee862cdec4a3e04f6af994a8e32f4
MD5 hash:
27e655e0e0ff2f4605d88edd08e7e78e
SHA1 hash:
d41546957d56604abb27669cad1d8b79a53bb3d8
Link:
https://www.unpac.me/results/9e3389d1-4ae8-4481-b638-e8bfa1d823e7/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5cfeb31e2447/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/5cfeb31e244749101b15620775505444327ee862cdec4a3e04f6af994a8e32f4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 5cfeb31e244749101b15620775505444327ee862cdec4a3e04f6af994a8e32f4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/186749/

Comments