MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c491171fbe25c5f47f560db3a857cfc716d0c4733466ac08660e8a8be9bc8cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry
RemcosRAT
Vendor detections: 13

SHA256 hash: 7c491171fbe25c5f47f560db3a857cfc716d0c4733466ac08660e8a8be9bc8cd
SHA3-384 hash: 934072dae7d41cd68c68ae8f2f873895fa24de86b4d05ddcf0c3e2ee43474576d3121086495faed9a13d18775ca4584b
SHA1 hash: 396b3c786833f287477271a252b01954068c1a1c
MD5 hash: d484bdb07de3628f0621f8c167071186
humanhash: freddie-early-mexico-massachusetts
File name: 26.11.21_09.36_Anruf.0613259177.scr
Signature RemcosRAT
File size: 740'864 bytes
First seen: 2021-11-26 06:47:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 01f42bb56bd8196b0da3b3826e73efd5 (4 x Formbook, 1 x RemcosRAT, 1 x DBatLoader)
ssdeep 12288:HOYMYlxIimj6qr9wMiE+wGFYjA2KY59roDBM6nGplGJY:HOJYMimv+9wGqfKY59cM6GplGJ
Threatray 913 similar samples on MalwareBazaar
TLSH T10AF46D2BEB93B436D113057DFC2E97A07D1ABFA22A95F53D28D93C8A0E747926430171
dhash icon 74f0888a8c8880b4 (5 x Formbook, 2 x RemcosRAT, 2 x DBatLoader)
Reporter lowmal3
Tags: exe RemcosRAT

Intelligence

File Origin
# of uploads:
1
# of downloads:
160
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
26.11.21_09.36_Anruf.0613259177.scr
Verdict:
Malicious activity
Analysis date:
2021-11-26 06:48:39 UTC
Tags:
rat remcos keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
keylogger packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos DBatLoader
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Threat name:
Win32.Trojan.Remcos
Status:
Malicious
First seen:
2021-11-26 06:48:14 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
23 of 28 (82.14%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:remcos botnet:de2 persistence rat
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
Officialsw.chickenkiller.com:2310
official.ydns.eu:2310
hurricane.ydns.eu:2310
Malware family:
Verdict:
Malicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam

Signature: RemcosRAT

Executable exe 7c491171fbe25c5f47f560db3a857cfc716d0c4733466ac08660e8a8be9bc8cd (this sample)

Delivery method: Distributed via e-mail attachment

Comments