MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d07f952f8c6b6a582270151968f2b90d809c5c0bc054ae7bdaa0dec79852cc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d07f952f8c6b6a582270151968f2b90d809c5c0bc054ae7bdaa0dec79852cc7
SHA3-384 hash: be46881a411679b5f5fd9bcbe7dc5efc33779fd11d1895708da88f423c6ba797f7ef856dd1bb25bcd3998a06720b218e
SHA1 hash: f707564755c0063dcf0a25a150c77df2db54fb98
MD5 hash: 48335e54c0f0ea65e12b01ca2579e50c
humanhash: yankee-grey-saturn-triple
File name:SecuriteInfo.com.Win32.Injector.DNSU.16804.32581
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:995'840 bytes
First seen:2022-08-12 16:36:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef868cc32728090ec83adb7d64c7784b (3 x DBatLoader, 1 x RemcosRAT, 1 x Formbook)
ssdeep 12288:z8HA79b9hfYBkePys94ClAFJXCrJ/0KbLtyB4pWRqbudaYz:+Axb3YBkeP944AFJYs0Li/8ikYz
Threatray 1'658 similar samples on MalwareBazaar
TLSH T131256BDAF194C632C0257177CC3F8DAC14267F512A24884666F67F88DAB2BC0296B5F7
TrID 54.7% (.OCX) Windows ActiveX control (116521/4/18)
20.2% (.EXE) InstallShield setup (43053/19/16)
6.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
6.1% (.SCR) Windows screen saver (13101/52/3)
4.9% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 27d0d8e4d4d8f007 (7 x Formbook, 6 x RemcosRAT, 6 x DBatLoader)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
363
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.Injector.DNSU.16804.32581
Verdict:
Malicious activity
Analysis date:
2022-08-12 16:37:42 UTC
Tags:
installer remcos
Link:
https://app.any.run/tasks/545473d3-5a4d-4d0c-b294-71abd3f8630b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298262/
Detection(s):
SecuriteInfo.com.Win32.Injector.DNSU.16804.32581.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28800/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/62f68190f6ec33747d9e5d45/reports/9ef2e071-113a-4c5b-8029-978a93084c10/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/402f9b65-e4d3-47ce-b3e1-3d2cfa83b2f1
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1050685
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 683191 Sample: SecuriteInfo.com.Win32.Inje... Startdate: 12/08/2022 Architecture: WINDOWS Score: 100 50 Multi AV Scanner detection for domain / URL 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 56 6 other signatures 2->56 7 SecuriteInfo.com.Win32.Injector.DNSU.16804.exe 1 17 2->7         started        12 Ydhbvpqdx.exe 14 2->12         started        14 Ydhbvpqdx.exe 14 2->14         started        process3 dnsIp4 38 cdn.discordapp.com 162.159.135.233, 443, 49750, 49751 CLOUDFLARENETUS United States 7->38 32 C:\Users\Public\Libraries\Ydhbvpqdx.exe, PE32 7->32 dropped 34 C:\Users\...\Ydhbvpqdx.exe:Zone.Identifier, ASCII 7->34 dropped 58 Contains functionality to inject threads in other processes 7->58 60 Contains functionality to inject code into remote processes 7->60 62 Writes to foreign memory regions 7->62 64 Injects a PE file into a foreign processes 7->64 16 cmd.exe 2 1 7->16         started        40 162.159.133.233, 443, 49762, 49763 CLOUDFLARENETUS United States 12->40 66 Allocates memory in foreign processes 12->66 68 Creates a thread in another existing process (thread injection) 12->68 20 cmd.exe 1 12->20         started        22 cmd.exe 1 14->22         started        file5 signatures6 process7 dnsIp8 36 lionsguard.ddns.net 194.147.140.27, 49759, 49760, 49761 PTPEU unknown 16->36 42 Contains functionalty to change the wallpaper 16->42 44 Contains functionality to steal Chrome passwords or cookies 16->44 46 Contains functionality to steal Firefox passwords or cookies 16->46 48 Delayed program exit found 16->48 24 WerFault.exe 23 9 16->24         started        26 conhost.exe 16->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d07f952f8c6b6a582270151968f2b90d809c5c0bc054ae7bdaa0dec79852cc7/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-08-12 16:37:09 UTC
File Type:
PE (Exe)
Extracted files:
117
AV detection:
16 of 25 (64.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pud7suxyy23klarhafizndzlsdmatroaxqcuvz55vig6y6mfftdq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1015aaf219bd6c756e9e5224d219ed551795585e383fb4a6d2a566e7c8dabad5
RemcosRAT
437e444fdf417fa35390eec589e380b8d5c70b5418a4554ee19cb706470a7edc
RemcosRAT
7c46360bc0f882b7d7a6603ce5f141914e645b4afb7f4951cc3e29d76908c518
RemcosRAT
9c9243f11dd44d1f1ac97716014be57244dca97a514e73d5f13da03392cba358
RemcosRAT
b8df890fac057175f86dc5f301f1e1f6d45b2a1b36598934c3fc0144cf433137
RemcosRAT
cd06021301a3677a02936aa5820f303d7aa650f63366266b75e553c669be08f5
RemcosRAT
cfddcbf0a97a326f7a26683f817e7d42082c30f28113bef76e3c3b491c094c69
RemcosRAT
d4729baa39aa4e1052e0999c90450a4cdcd4c4e3831c9a791fb99b94036103b4
RemcosRAT
fd4e5f6c6b0e764dd7c0bb64e65985a4304d0a8f3103ea22656549f0b00508d5
RemcosRAT
+ 1'648 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:soft persistence rat trojan
Link:
https://tria.ge/reports/220812-t4s42afdfj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
lionsguard.ddns.net:5074
Unpacked files
SH256 hash:
be68fab6f4200377bdef146c6aab14b71298cbb597abda211b379ebe483693cf
MD5 hash:
cac4b85f390cb65b9d7d8c5fab393f06
SHA1 hash:
7fed0db94f2e31f98fa8f04928e30d5f99087bd5
Link:
https://www.unpac.me/results/cd753cea-5643-44a5-98e0-0541f55a3e4b/
SH256 hash:
48e2a2acc6326e8e74d5a79d40b1e9f281202a9a0f07504a90ef12546175e5a4
MD5 hash:
164418b44f01e2ee315df9ebfa1d81d4
SHA1 hash:
1ab0d56eadfa16db8af45fc12f4e0cae310bd0ce
Link:
https://www.unpac.me/results/cd753cea-5643-44a5-98e0-0541f55a3e4b/
SH256 hash:
7d07f952f8c6b6a582270151968f2b90d809c5c0bc054ae7bdaa0dec79852cc7
MD5 hash:
48335e54c0f0ea65e12b01ca2579e50c
SHA1 hash:
f707564755c0063dcf0a25a150c77df2db54fb98
Link:
https://www.unpac.me/results/cd753cea-5643-44a5-98e0-0541f55a3e4b/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7d07f952f8c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d07f952f8c6b6a582270151968f2b90d809c5c0bc054ae7bdaa0dec79852cc7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/298262/

Comments