MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a9d0bcd27a4183c6765d336c9afd2974d39ead469b932883b6ef3a3b8887c28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a9d0bcd27a4183c6765d336c9afd2974d39ead469b932883b6ef3a3b8887c28
SHA3-384 hash: 94a6e71d95a33f831e8f1db980624b44492ddbde8ec0aa857ad1b8cec74ed1f87596084dd8578371ab952bab0925dc38
SHA1 hash: 709380ee493d9d222cfc04b13140492b03b3b154
MD5 hash: 147a576f14d2ff6ccc4c8b3d918e7865
humanhash: massachusetts-shade-cardinal-idaho
File name:EDEL New P.O_#T11 - KJ4511,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'052'160 bytes
First seen:2022-07-12 08:26:52 UTC
Last seen:2022-07-12 08:47:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6a102166317d313ef57572741259ca4a (6 x RemcosRAT, 1 x Formbook, 1 x ModiLoader)
ssdeep 24576:YkH9czoiliazNQtMTMO3Yu0POdX0ofjkRf:Ykdq6yXhLc
Threatray 2'576 similar samples on MalwareBazaar
TLSH T1B0254922F271CC32C127CE374C56B3A99E2E7E516E69B94F3AE03E1C1E366813915197
TrID 92.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.8% (.SCR) Windows screen saver (13101/52/3)
1.4% (.EXE) Win64 Executable (generic) (10523/12/4)
0.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 27d0d8d6d6d8d027 (11 x RemcosRAT, 5 x Formbook, 5 x DBatLoader)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
EDEL New P.O_#T11 - KJ4511,pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-07-12 08:46:31 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/f4eaebd0-8060-47cb-8233-2bcb1ff111e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/286483/
Detection(s):
SecuriteInfo.com.W32.Delf.RI.genEldorado.7337.15181.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.W32.Delf.RI.genEldorado.25950.9010.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/62cd30597b0de92856648dd0/reports/b943205e-c637-45dd-953d-423bb9875c24/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e886738-4674-4baf-bd9b-fa4b7289f073
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1029236
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a9d0bcd27a4183c6765d336c9afd2974d39ead469b932883b6ef3a3b8887c28/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-12 06:52:49 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pkoqxtjhuqmdyz3f2m3mtl6ss5gtt2wung4tfcb3n3z2hoeipqua._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
54960f94810d9ce0b6edcdfb6abfe07a0b372422b51eb478881000c9cfda2091
RemcosRAT
6f4628db14ddcff78f5b0ad2c62f6791e4b29901eb9ef8a3686a2b7019308a99
RemcosRAT
83f54b46a10ce36ac80d885c29cbf1c88c65250163961193916123c282d36784
RemcosRAT
bfa4daa95a303253a45cc02597d1fa404168fb88e627dc3afa4b3548a6ff893d
RemcosRAT
ce4ca50b7ccb205ee84b76edbd4004d683fe14c69d9d9d102e6e9d89b53c33af
RemcosRAT
e03a40e689b0ce40227d155c33d3f9817534f0e1bd63e26bbfa80ee60755b783
RemcosRAT
e7c74f89332dcf4bf0ebaa50d960a8c82a521ca2c9608ecbb13e719e9744b5ca
RemcosRAT
fa3e1ea5a814915ffc65b8a94180aedccf3140f515f05737f3017d6ab6f10b89
RemcosRAT
+ 2'566 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:big persistence rat trojan
Link:
https://tria.ge/reports/220712-kceb5aaban/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
blessmyhustlelord.ddns.net:5017
Unpacked files
SH256 hash:
dc0377ea26efeb8d3411b8a861a20c9fa07af02308075ed1a8a7b849980893f1
MD5 hash:
5bff59b56c06a281b66ef4e919ce560c
SHA1 hash:
d8b49405898da4060988afe98219d5b62e4e2a7a
Link:
https://www.unpac.me/results/5c0893a2-b289-4646-8ac2-5392f883aa33/
SH256 hash:
7a9d0bcd27a4183c6765d336c9afd2974d39ead469b932883b6ef3a3b8887c28
MD5 hash:
147a576f14d2ff6ccc4c8b3d918e7865
SHA1 hash:
709380ee493d9d222cfc04b13140492b03b3b154
Link:
https://www.unpac.me/results/5c0893a2-b289-4646-8ac2-5392f883aa33/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a9d0bcd27a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a9d0bcd27a4183c6765d336c9afd2974d39ead469b932883b6ef3a3b8887c28

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 7a9d0bcd27a4183c6765d336c9afd2974d39ead469b932883b6ef3a3b8887c28

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/286483/

Comments