MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6780919c60b1e4b3f1ef9cfb03bdd492f51ebc505ccddbd47be023d66d429eaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6780919c60b1e4b3f1ef9cfb03bdd492f51ebc505ccddbd47be023d66d429eaf
SHA3-384 hash: ba39040acb963d670c7d957fc74341f5a8b721b6bb35009df53d0591582615118f9caf7dc27d2445ea051abc666c9f8d
SHA1 hash: 529a46b132794e9d2336823a25475201395308b9
MD5 hash: 3500d0e2f69231f93be137ba59872b87
humanhash: juliet-maine-network-kentucky
File name:AD_Order Onayı _ Acil,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:831'488 bytes
First seen:2021-09-16 10:07:20 UTC
Last seen:2021-09-16 10:52:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ff0bb68e944131943365efbe4d5b9737 (4 x RemcosRAT, 1 x AveMariaRAT, 1 x OskiStealer)
ssdeep 24576:DMvnUyU3fec2QPesTNGIZHrIzvlZwXI7Dyj3SaH+MJF:DqUjes
Threatray 612 similar samples on MalwareBazaar
TLSH T188052960D1501FB1E02F38785C059BC9903B7DC83D1AEEEA99B4ED7A75712823DAE14B
dhash icon 0cb23272b98ce6d1 (6 x RemcosRAT, 5 x Formbook, 2 x DBatLoader)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AD_Order Onayı _ Acil,pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-16 10:09:26 UTC
Tags:
installer
Link:
https://app.any.run/tasks/b2d21d0b-6a8c-488e-9e64-9cd50f42d52e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.2712.5000.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/617521a19a5a1e91c5d20457/reports/680a87b0-889a-4cde-baf5-b945bfd67565/overview
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7bfa74f1-6cdf-43c6-a42f-0e14a43ae2d2
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/851971
Signature
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 484401 Sample: AD_Order Onay#U0131 _ Acil,... Startdate: 16/09/2021 Architecture: WINDOWS Score: 100 42 zion6.ddns.net 2->42 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 Detected Remcos RAT 2->64 66 3 other signatures 2->66 9 AD_Order Onay#U0131 _ Acil,pdf.exe 1 21 2->9         started        14 Wblcicl.exe 16 2->14         started        16 Wblcicl.exe 17 2->16         started        signatures3 process4 dnsIp5 46 smmfgq.dm.files.1drv.com 9->46 48 onedrive.live.com 9->48 50 dm-files.fe.1drv.com 9->50 40 C:\Users\Public\Libraries\Wblcicl.exe, PE32 9->40 dropped 74 Writes to foreign memory regions 9->74 76 Creates a thread in another existing process (thread injection) 9->76 78 Injects a PE file into a foreign processes 9->78 18 mobsync.exe 2 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        52 smmfgq.dm.files.1drv.com 14->52 56 2 other IPs or domains 14->56 26 logagent.exe 14->26         started        54 smmfgq.dm.files.1drv.com 16->54 58 2 other IPs or domains 16->58 80 Multi AV Scanner detection for dropped file 16->80 file6 signatures7 process8 dnsIp9 44 zion6.ddns.net 91.193.75.133, 2815, 49742, 49743 DAVID_CRAIGGG Serbia 18->44 68 Contains functionality to steal Chrome passwords or cookies 18->68 70 Contains functionality to steal Firefox passwords or cookies 18->70 72 Delayed program exit found 18->72 28 reg.exe 1 22->28         started        30 conhost.exe 22->30         started        32 cmd.exe 1 24->32         started        34 conhost.exe 24->34         started        signatures10 process11 process12 36 conhost.exe 28->36         started        38 conhost.exe 32->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6780919c60b1e4b3f1ef9cfb03bdd492f51ebc505ccddbd47be023d66d429eaf/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-09-16 10:08:06 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m6ajdhdawhslh4pptt5qhpousl2r5pcqltg5xvd34ar5m3kct2xq._file
Verdict:
malicious
Similar samples:
1a7126ebae2322bac10b972bd00d62687e5f5e5b7f59c6ab63b9310180f3ce4e
RemcosRAT
4611b180e4173882dba3e08aaa44ae28ce14d2f2709b2017082d57bcdecfb352
RemcosRAT
4d80ab79360b092bb5d8fa41d14388dffe5ef42839b6dbbf741f0ce5c3424d1e
RemcosRAT
69602c57c04a253c515050483eb532b5be82ab598e7b1d3ea421310cee29c895
RemcosRAT
6a3aa7d5ab777a2824d7d312dfd49e0b03e30959a9219e7f782860d2d8b9a12c
RemcosRAT
6a96d22dec9171b154bb1a94c68fa02dda51713709dad161681a759f64cc3014
RemcosRAT
6b637314dc7b63dfce69d3efe9b792d8fb2fbb0d9f19ea70aa0ff83ae8dbd495
RemcosRAT
8cb9b0ac073c398ffc0147a1a84ffa9c2db217df67c5a89f34f4a5fb12be7cc3
RemcosRAT
b0a0d1d399e98e48cae6a87c280339bc1b0d1c22f84ae589e0c3dca78e76d108
RemcosRAT
e3d62ea202f60dcb69703dcba7c59b2bf552c5ce2e951dfab0f1808af9e096a2
RemcosRAT
+ 602 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210916-l58l4scge5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/3a268186-289c-4e61-b21e-fc7dea3f1668/
SH256 hash:
6780919c60b1e4b3f1ef9cfb03bdd492f51ebc505ccddbd47be023d66d429eaf
MD5 hash:
3500d0e2f69231f93be137ba59872b87
SHA1 hash:
529a46b132794e9d2336823a25475201395308b9
Link:
https://www.unpac.me/results/3a268186-289c-4e61-b21e-fc7dea3f1668/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6780919c60b1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/6780919c60b1e4b3f1ef9cfb03bdd492f51ebc505ccddbd47be023d66d429eaf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 6780919c60b1e4b3f1ef9cfb03bdd492f51ebc505ccddbd47be023d66d429eaf

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments