MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cfeccb31a610ee9b5e5501c712c380a2098a360eaaad0a15d7d5c23b3cc6830. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA File information Comments

SHA256 hash:	7cfeccb31a610ee9b5e5501c712c380a2098a360eaaad0a15d7d5c23b3cc6830
SHA3-384 hash:	ca1ee46aab04861fb676e15ea2fa1f12d77e83ad6a2b1e37fde154247ca19b2e943d88764cdb44ca0bbd6a2df8c98d91
SHA1 hash:	0e39f16f0eb5bf40c00d4db436d1754385a32e00
MD5 hash:	3f960dea792fe4f00cee113cda4b8320
humanhash:	idaho-kitten-florida-leopard
File name:	SecuriteInfo.com.Trojan.Garf.Gen.7.7243.23318
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	579'386 bytes
First seen:	2022-11-15 03:38:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep	12288:WAYjTFFX9mM0e2k0Di5kjYNAEtrIAGiL4PTL+/u99C7:JYjTlmZewiQGCNPTL+/uLe
Threatray	2'206 similar samples on MalwareBazaar
TLSH	T1D5C423A448D57863F7A12676DC66E11E82F3A51220E36E4783549E3DBF37AC4E22F017
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f4f679b179698cd4 (17 x RemcosRAT, 4 x SnakeKeylogger, 2 x NanoCore)
Reporter	SecuriteInfoCom
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

211

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

SecuriteInfo.com.Trojan.Garf.Gen.7.7243.23318

Verdict:

Malicious activity

Analysis date:

2022-11-15 03:40:03 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/678a93d0-dd8c-4eb8-875f-3315944f2d20

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/334037/

Detection(s):

SecuriteInfo.com.Trojan.Garf.Gen.7.7243.23318.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

Searching for the window

Сreating synchronization primitives

Setting a keyboard event handler

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/52532/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook overlay packed remcos shell32.dll

Link:

https://www.filescan.io/uploads/637309d7f75d59fef0b96b5c/reports/edf7f48e-b227-40ab-ac2e-7f79bc3d1938/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/841d702e-ddee-4e13-8c46-675de051f70d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7cfeccb31a610ee9b5e5501c712c380a2098a360eaaad0a15d7d5c23b3cc6830/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-11-15 01:53:25 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pt7mzmy2mehotnpfkaohclbybiqjri3a5kvnbik5pvochm6mnaya._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28

RemcosRAT

4b3b8c9037168a82409fbe027ecf77ba5b1b9262960b07dde8e15acfb1e3a5df

RemcosRAT

8c2653e4d9998668579383d87f291afe6ba5740ec3bc6d8f44618c0f9af77189

RemcosRAT

9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285

RemcosRAT

ae86ff848167aff1ce842e1c0e77bea0a84dfcb0ec4f115086c99225775c80c4

RemcosRAT

d42107d756734247da36e67eb859e1ca7fefcdae69d5cd50730979d7b005e83d

RemcosRAT

f9dbb342e635717b55ef19c20e7943858acf892e6040a9a4f3609eaa41981bc9

RemcosRAT

+ 2'196 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:uc persistence rat

Link:

https://tria.ge/reports/221115-d7l7wsbb5t/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

Remcos

Malware Config

C2 Extraction:

ucremcz1.ddns.net:1823

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2e2e8683-8c64-4e52-92f5-47a2768eb775

Unpacked files

SH256 hash:

c2296809155417083c5c50349b1c817a942c72a3411251fbcd6900558be81ed1

MD5 hash:

2dbb39ff68e2110693f6fa79a766c3be

SHA1 hash:

6eccdf701150d004c49aff4070f0f34c16ae1a0b

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/2673f6f9-191b-499b-b985-95c2348a164c/

Parent samples :

7cfeccb31a610ee9b5e5501c712c380a2098a360eaaad0a15d7d5c23b3cc6830
779fe92ccc2fcb737c36756838a50a12d290c3e55cf7a18082abca41cd95c9b4
536e19198d8723feea5c3ebfa3f87c785c6b2e23d83a79b73c0977b27460dbf1
a41233051e12f046dedb8f3d46e9d32c58f24db45aeb6829b36f699e64987f35
f1ee84bf85dec48e4b94e5967de93bbed0d1b96ef43d68c2aa0b8ab7675d2c70
0e768f811e046c0f38205d11e2a58ee5aac2828c36f213bde4dbebba4b15d8d5
f830ced2c0d06737392dddabd93828fa37430b0c6ec27cb7186c46d5e2f570b8
ae07807f71e0584e2651db6ac5ba04db40923066375ed1977ac9b5ac65f5af44
5a159a1e3deab9eca53f48c007215faa102fe2c8f7264d5a96e9c0ee45bcb762
6b7d18ed04b75a9838ba614735d052e74d869a477f750ab40de6c358400391f3
5f635737ca64bc5078c9615f666e228c156bdfca21c37bdc9c201cd008e70584
eed19736f86e5b33a89ab883adf5544a3fb216e3a768d7e0cd8689f7021d1c17
dde008f345205986c8132477eed086b88b3e43a685eded0c60716fe996468b63
4660f046efd070aa71962df9b4f89f9ae34a8f49cfb9ebd514690d0efc4fd1ca
71a5204e8fe7c72dc1b6cf72c705396e4d04269c59694300f6698b44480fd8bf
079d4fb4e951c8072a66799ef1524aca47d34de646bffb34125cc3b60533c338
0a728ec3848abe9aa05ba647339d8f78ef0d94d1b52e916ff6c76024e28ebd93
52d4cc0f07a62e6d37c82b33480131cc2c1d5b83d11104997f06cac4d8876f5d

SH256 hash:

d8960e0bb9758a6b65788bd81eb0d66c245b6047532da86263db663d0d357603

MD5 hash:

427285b908f9f961ed8e8411f2faca66

SHA1 hash:

114519edda5b73fd333b34ff455c5f3634a81240

Link:

https://www.unpac.me/results/2673f6f9-191b-499b-b985-95c2348a164c/

SH256 hash:

7cfeccb31a610ee9b5e5501c712c380a2098a360eaaad0a15d7d5c23b3cc6830

MD5 hash:

3f960dea792fe4f00cee113cda4b8320

SHA1 hash:

0e39f16f0eb5bf40c00d4db436d1754385a32e00

Link:

https://www.unpac.me/results/2673f6f9-191b-499b-b985-95c2348a164c/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7cfeccb31a61/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7cfeccb31a610ee9b5e5501c712c380a2098a360eaaad0a15d7d5c23b3cc6830

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/334037/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Behaviour

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Malware Config

Unpacked files

File information

Comments

Login required