MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a30ee147983ae5664dab25082f5973b2ca00d35e770b5182ed4517ffb91f5ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a30ee147983ae5664dab25082f5973b2ca00d35e770b5182ed4517ffb91f5ab
SHA3-384 hash: 2cee4e1bbab47e108c91b8a0df868ad8105cfd110dc8dd78ee54e2b9c64731ee7fe76c7581aed73ae45bb7da32943180
SHA1 hash: 3b8b4c90ebb1a6f32c2e0e7cd992f368489b8b20
MD5 hash: 74e043e3597365ae5b27f6b40fe1fcd9
humanhash: potato-may-missouri-timing
File name:Dhl Shipping Document.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:849'920 bytes
First seen:2021-10-04 09:25:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8276363bcf2f383c8cd04fac30801161 (10 x RemcosRAT, 2 x NetWire, 1 x Formbook)
ssdeep 12288:0w6jlNSq3W9F1Sa+tiDWIyNuYAycjL7YiEFXXXB:Naeq3gF1Sf+WIyRAyAdSXXXB
Threatray 1'180 similar samples on MalwareBazaar
TLSH T1E505079291109369F02B3775F847550497DAA87D1E202B36F6442BC70B2F3EAADD293F
File icon (PE):PE icon
dhash icon 1432694969516806 (10 x RemcosRAT, 2 x NetWire, 1 x Formbook)
Reporter abuse_ch
Tags:DHL exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dhl Shipping Document.exe
Verdict:
Malicious activity
Analysis date:
2021-10-04 09:30:26 UTC
Tags:
installer
Link:
https://app.any.run/tasks/da2abbbd-d961-4f01-bf48-c2d955a7dddd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194513/
Detection(s):
Win.Trojan.Remcos-9897068-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/615c0f20e3d213d202b76eda/reports/54b7a622-524a-4502-ae14-017bbd173a31/overview
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0fc8de55-6057-4e7b-b2ca-06fd8df040a5
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863770
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 496195 Sample: Dhl Shipping Document.exe Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 44 fmunity247.ddns.net 2->44 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 5 other signatures 2->70 9 Dhl Shipping Document.exe 1 22 2->9         started        14 Grkbhwj.exe 15 2->14         started        16 Grkbhwj.exe 15 2->16         started        signatures3 process4 dnsIp5 50 onedrive.live.com 9->50 52 bl-files.fe.1drv.com 9->52 54 ai4amg.bl.files.1drv.com 9->54 42 C:\Users\Public\Libraries\...behaviorgraphrkbhwj.exe, PE32 9->42 dropped 80 Writes to foreign memory regions 9->80 82 Creates a thread in another existing process (thread injection) 9->82 84 Injects a PE file into a foreign processes 9->84 18 secinit.exe 2 3 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        56 onedrive.live.com 14->56 60 2 other IPs or domains 14->60 26 mobsync.exe 14->26         started        58 onedrive.live.com 16->58 62 2 other IPs or domains 16->62 86 Multi AV Scanner detection for dropped file 16->86 28 mobsync.exe 16->28         started        file6 signatures7 process8 dnsIp9 46 fmunity247.ddns.net 45.133.1.47, 3648, 49780, 49783 DEDIPATH-LLCUS Netherlands 18->46 48 192.168.2.1 unknown unknown 18->48 72 Contains functionality to inject code into remote processes 18->72 74 Contains functionality to steal Firefox passwords or cookies 18->74 76 Delayed program exit found 18->76 30 reg.exe 1 22->30         started        32 conhost.exe 22->32         started        34 cmd.exe 1 24->34         started        36 conhost.exe 24->36         started        78 Contains functionality to steal Chrome passwords or cookies 26->78 signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a30ee147983ae5664dab25082f5973b2ca00d35e770b5182ed4517ffb91f5ab/
Threat name:
Win32.Downloader.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 09:26:20 UTC
AV detection:
11 of 45 (24.44%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=piyo4fdzqoxfmzg2wjiif5mxhmwkadjv45ylkgbo2rix764r6wvq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
026668d9855f0c4aac1cb86f163e6e28569a5a4d53d0bde93ac9880a90a8225c
RemcosRAT
13e6341cacb27fdd36b2ce19395dbb02947f0c917b6fd10447f1d6381d51b7d4
RemcosRAT
2eb44403d1de2a792569f63907f746809e3d4e35fccf689c2e637f77df79254c
RemcosRAT
7aa3e6c93ac645c2b56f93eb9fe7de45a7fb9958d491190eb6d06198a65e6ca7
RemcosRAT
7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30
RemcosRAT
91e8ea3e431c0ad9faf6dfe01eb29e4834940054379deb8b657d9cbe23e91682
RemcosRAT
a737c6bf1fe3e63d6d187d114d887c6c1e722579fc9caab72ce4451564e165f6
RemcosRAT
b56242ce9875402fca36f6d831072462bcf7b0996c2a98d048455459485ade1d
RemcosRAT
e6930000e13aa3deafe16f78fcfca8e6276e18ba6a252b8045dfaf570f044328
RemcosRAT
+ 1'170 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotefm persistence rat
Link:
https://tria.ge/reports/211004-ld7kqsgbfk/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
fmunity247.ddns.net:3648
Unpacked files
SH256 hash:
f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703
MD5 hash:
6cfdeebc3c72279486ddd229eb14b009
SHA1 hash:
e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7
Link:
https://www.unpac.me/results/89ec79ee-8345-4f07-abee-9f68cce6782a/
SH256 hash:
5160bc0ae7c937c9362975b410a60cc98a5c492a82caa111d8597319af0eec1f
MD5 hash:
980f16a29d41740f1e813272393af17d
SHA1 hash:
cc4fb378a7e791f2fd7cec8ef7f017d5ec3fbd24
Link:
https://www.unpac.me/results/89ec79ee-8345-4f07-abee-9f68cce6782a/
SH256 hash:
7a30ee147983ae5664dab25082f5973b2ca00d35e770b5182ed4517ffb91f5ab
MD5 hash:
74e043e3597365ae5b27f6b40fe1fcd9
SHA1 hash:
3b8b4c90ebb1a6f32c2e0e7cd992f368489b8b20
Link:
https://www.unpac.me/results/89ec79ee-8345-4f07-abee-9f68cce6782a/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7a30ee147983/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a30ee147983ae5664dab25082f5973b2ca00d35e770b5182ed4517ffb91f5ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 7a30ee147983ae5664dab25082f5973b2ca00d35e770b5182ed4517ffb91f5ab

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194513/

Comments