MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64dbf3976d752392f5594ebd0fe2185f26b04cc4998d94e46062b4e3615c7ccf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64dbf3976d752392f5594ebd0fe2185f26b04cc4998d94e46062b4e3615c7ccf
SHA3-384 hash: 842369a8b0ba9399a6716858b6b2c2c9011fbe840ebb0c08b5a62334480aad183508b39cb52de37137169bc30b4d4c86
SHA1 hash: 7626899da63238904792095f55b6095d6038143b
MD5 hash: f2d7a001bdc3a590dccad2b6b7ef7739
humanhash: king-william-lion-tennessee
File name:DOCS-RFQ-009934.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:975'360 bytes
First seen:2021-08-01 10:05:46 UTC
Last seen:2021-08-01 10:45:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 23869c7840ff70c0fa3f99abf1a224c5 (1 x RemcosRAT)
ssdeep 12288:ZJcwZP9daceFar4BasT9dqmeLdb2joBqUJeyL5Z1MxtSWu9egz9:ZDUgr4BasT9Am0bgWjSxwHB
Threatray 123 similar samples on MalwareBazaar
TLSH T12F256C12A2610E37C93F3239EC0E9A6C5827FD41DD6897C37EA93D5D7B382D06466293
dhash icon 0c323272b98ca6d9 (5 x RemcosRAT, 3 x DBatLoader, 1 x Formbook)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DOCS-RFQ-009934.exe
Verdict:
Malicious activity
Analysis date:
2021-08-01 10:08:44 UTC
Tags:
installer
Link:
https://app.any.run/tasks/80ec08ff-8167-4cc6-a42f-74becee69813

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175561/
Detection(s):
SecuriteInfo.com.Malware.AI.3377521915.23452.27007.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/728f026b-5827-4b90-a149-c864118c4b2f
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825065
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457473 Sample: DOCS-RFQ-009934.exe Startdate: 01/08/2021 Architecture: WINDOWS Score: 100 59 Multi AV Scanner detection for domain / URL 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 9 other signatures 2->65 8 DOCS-RFQ-009934.exe 1 24 2->8         started        13 Xzjarqx.exe 16 2->13         started        15 Xzjarqx.exe 16 2->15         started        process3 dnsIp4 45 onedrive.live.com 8->45 53 2 other IPs or domains 8->53 41 C:\Users\Public\Libraries\...\Xzjarqx.exe, PE32 8->41 dropped 75 Writes to foreign memory regions 8->75 77 Creates a thread in another existing process (thread injection) 8->77 79 Injects a PE file into a foreign processes 8->79 17 secinit.exe 2 3 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        47 192.168.2.1 unknown unknown 13->47 49 onedrive.live.com 13->49 55 2 other IPs or domains 13->55 81 Multi AV Scanner detection for dropped file 13->81 25 ieinstal.exe 13->25         started        51 onedrive.live.com 15->51 57 2 other IPs or domains 15->57 27 dialer.exe 15->27         started        file5 signatures6 process7 dnsIp8 43 style.ptbagasps.co.id 185.62.86.145, 42024 THINKSYSTEMSUK-ASNGB United Kingdom 17->43 67 Contains functionality to steal Chrome passwords or cookies 17->67 69 Contains functionality to inject code into remote processes 17->69 71 Contains functionality to steal Firefox passwords or cookies 17->71 73 Delayed program exit found 17->73 29 reg.exe 1 21->29         started        31 conhost.exe 21->31         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64dbf3976d752392f5594ebd0fe2185f26b04cc4998d94e46062b4e3615c7ccf/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-08-01 06:48:26 UTC
AV detection:
15 of 27 (55.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mtn7hf3nourzf5kzj26q7yqyl4tlatgetggzjzdamk2ogyk4pthq._file
Verdict:
malicious
Similar samples:
10f675a780a5814df0a79b673213a2ed2989816a517797df5656551b0819789c
RemcosRAT
74bfe12181435ac80211c35fb1aa7955965d252ea6db5d12576a21d2590f7596
RemcosRAT
8c777c0ffb0097d517ed08dee3c306d7fddc7687bcb0349d5eed0a6b5c82f93a
RemcosRAT
9eaf84474a458ff7b9847687ed30ab6533a54c5ae028a2ec14885884440975f7
RemcosRAT
a643135974d54161165848843bdaddd082f25635e1fb8f6d4b45f8451042ba93
RemcosRAT
e805423ef1971ad60f2cf93dd0845f3bc13fb5bce5dc3b3b3e39f56c4f9142e7
RemcosRAT
fd866b4e18b49ef0232eda27280a0d56a9e408792bba4cddded1961fe64e7bf3
RemcosRAT
+ 113 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/210801-1h169yzg6j/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
style.ptbagasps.co.id:42024
Unpacked files
SH256 hash:
a6dbc14cb792b7eb21fb78abbcfc50ab940717ff8bdebf2f8db47e1ab12b6f9b
MD5 hash:
49995a2953873c7265752d191ae9f40b
SHA1 hash:
2f911fc1c8371812fbe412cf60886cf7554b20c9
Link:
https://www.unpac.me/results/28eabbce-d383-4eff-8caa-c5af55ddfec0/
SH256 hash:
64dbf3976d752392f5594ebd0fe2185f26b04cc4998d94e46062b4e3615c7ccf
MD5 hash:
f2d7a001bdc3a590dccad2b6b7ef7739
SHA1 hash:
7626899da63238904792095f55b6095d6038143b
Link:
https://www.unpac.me/results/28eabbce-d383-4eff-8caa-c5af55ddfec0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64dbf3976d752392f5594ebd0fe2185f26b04cc4998d94e46062b4e3615c7ccf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 64dbf3976d752392f5594ebd0fe2185f26b04cc4998d94e46062b4e3615c7ccf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175561/

Comments