MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 836a211bf7485ac9187eb1da2f8658070ccd27533c83c60976eac54d952bfc44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 836a211bf7485ac9187eb1da2f8658070ccd27533c83c60976eac54d952bfc44
SHA3-384 hash: c5a3cc5fb7ce810bbec7b88cf3a8e085b1b009288610a45ae5a89f964bcb37f8bc695a45e65ec2ff62a22eb3cc52f5e7
SHA1 hash: a81bf7bccf3b35ac89b979e3ac2e756ce22722f4
MD5 hash: 4e224c189b50b39268c38c04ca5e48f4
humanhash: zulu-xray-sierra-batman
File name:SALARYDOC,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:843'776 bytes
First seen:2021-10-05 21:08:54 UTC
Last seen:2021-10-05 22:01:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 961dc513b005c9fa212a47cb8687ac19 (1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:zRYwRSGgqDb08Akp0RdhEKmb4Brin4uq89:lTXgqDb08Akyyzbcin4t89
Threatray 1'095 similar samples on MalwareBazaar
TLSH T127055B74B6E45E77E1C22AFABC0E67D695257C213804D6C626DC6ECC7A713E1272208F
File icon (PE):PE icon
dhash icon 6971101d2b2b1520 (2 x NetWire, 2 x RemcosRAT)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SALARYDOC,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-10-05 21:10:18 UTC
Tags:
rat remcos trojan
Link:
https://app.any.run/tasks/6208a40a-963c-4d23-b239-be920f3a912c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195202/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.16925.32103.6819.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive fuerboos greyware keylogger packed remcos
Link:
https://www.filescan.io/uploads/615cbef1b95458900cdcac01/reports/45821b1b-16cc-47d2-80b5-afd8714ff686/overview
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7ac57df-aeca-4887-919f-dafd3e599323
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865126
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 497554 Sample: SALARYDOC,pdf.exe Startdate: 05/10/2021 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 4 other signatures 2->65 8 SALARYDOC,pdf.exe 1 22 2->8         started        13 Zhgsbxj.exe 15 2->13         started        15 Zhgsbxj.exe 15 2->15         started        process3 dnsIp4 45 onedrive.live.com 8->45 47 db-files.fe.1drv.com 8->47 49 1xeakq.db.files.1drv.com 8->49 41 C:\Users\Public\Libraries\...\Zhgsbxj.exe, PE32 8->41 dropped 75 Writes to foreign memory regions 8->75 77 Creates a thread in another existing process (thread injection) 8->77 79 Injects a PE file into a foreign processes 8->79 17 logagent.exe 2 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        51 onedrive.live.com 13->51 55 2 other IPs or domains 13->55 81 Multi AV Scanner detection for dropped file 13->81 25 logagent.exe 13->25         started        53 onedrive.live.com 15->53 57 2 other IPs or domains 15->57 27 logagent.exe 15->27         started        file5 signatures6 process7 dnsIp8 43 blessthychild.hopto.org 194.147.140.6, 49786, 6344 PTPEU unknown 17->43 67 Contains functionality to steal Chrome passwords or cookies 17->67 69 Contains functionality to inject code into remote processes 17->69 71 Contains functionality to register a low level keyboard hook 17->71 73 2 other signatures 17->73 29 reg.exe 1 21->29         started        31 conhost.exe 21->31         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/836a211bf7485ac9187eb1da2f8658070ccd27533c83c60976eac54d952bfc44/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 21:09:06 UTC
AV detection:
18 of 43 (41.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qnvccg7xjbnmsgd6whnc7bsya4gm2j2thsb4mclw5lcu3fjl7rca._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
11f6a46954cdec78fec52771521926ff6917af81f79e3dc1198a38571b7d7519
RemcosRAT
204806f363e25b8caab19fade1152cbdef6d19a2ee0f122ce2a2aa3949154f1d
RemcosRAT
7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30
RemcosRAT
b9384216a5aea20cd398e51c6549bb84d6b252f3fde114010e3cc0c60b1e2b13
RemcosRAT
bc6387778b4a0caf34719e4de78d1ea6ecd96ba40a2e1e0997ae91dfe221807e
RemcosRAT
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028
RemcosRAT
+ 1'085 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:biz logs persistence rat
Link:
https://tria.ge/reports/211005-zzfwssacg8/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
blessthychild.hopto.org:6344
Unpacked files
SH256 hash:
28d69b8e9891394a18ff2761d71d7a9de71df4bd7a1e1d273d55e300703f6e4d
MD5 hash:
ef3607df195573fd9da4150a10a9a86a
SHA1 hash:
ea802f027e84560e595cb08f6a9fc4e26556cb1c
Link:
https://www.unpac.me/results/c6b96f24-4fd8-4b63-9e93-800762367738/
SH256 hash:
836a211bf7485ac9187eb1da2f8658070ccd27533c83c60976eac54d952bfc44
MD5 hash:
4e224c189b50b39268c38c04ca5e48f4
SHA1 hash:
a81bf7bccf3b35ac89b979e3ac2e756ce22722f4
Link:
https://www.unpac.me/results/c6b96f24-4fd8-4b63-9e93-800762367738/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/836a211bf748/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/836a211bf7485ac9187eb1da2f8658070ccd27533c83c60976eac54d952bfc44

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 836a211bf7485ac9187eb1da2f8658070ccd27533c83c60976eac54d952bfc44

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/195202/

Comments