MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83d297c0de9846ebf9db06df45c0b09dd2751bbb2e487d9d6df1128a29da6d47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83d297c0de9846ebf9db06df45c0b09dd2751bbb2e487d9d6df1128a29da6d47
SHA3-384 hash: 0a68659e551625ba0c53edc30efcacf91a3ba0ce4631e7136bb1b9a435091c93f3a229a979971b9ca6e79abd40a2d7e8
SHA1 hash: 73ed323c58b8a1821b4c2dba28b1b288104bee52
MD5 hash: b395c429aef5096df450c86e2e6ec810
humanhash: victor-georgia-maine-texas
File name:DHL Shipping Documents PDF.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:689'775 bytes
First seen:2022-11-22 09:32:11 UTC
Last seen:2022-11-28 08:41:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 78a9c9b8759e86c97d7e023fa7c068d2 (2 x RemcosRAT)
ssdeep 12288:nfGnCCrgOjvTLw531oS9uEG03GVc7xK+MPk6xBXlelOkaF4oxEEPUZ:fGnCes5gEGuGVCU+MM6xBslORFMEPUZ
Threatray 2'245 similar samples on MalwareBazaar
TLSH T166E4CF99FE4E5CBADA2271F044D2D76E133DF99097839B22E110C6728D0BA92BDDC705
TrID 32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
20.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DHL exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
DHL Shipping Documents PDF.exe
Verdict:
Malicious activity
Analysis date:
2022-11-22 09:37:48 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/71b13af3-1429-48ff-aba6-1f0045267533

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/337143/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.13166.27267.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm overlay packed spyeye
Link:
https://www.filescan.io/uploads/637c974f903ba0eaf36cfbb0/reports/2680bd3b-e748-4eb6-a896-3d3d5590b170/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b77d667b-8e82-4e54-a52e-3698076befda
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1118835
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83d297c0de9846ebf9db06df45c0b09dd2751bbb2e487d9d6df1128a29da6d47/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 02:39:34 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qpjjpqg6tbdox6o3a3pulqfqtxjhkg53fzeh3hln6ejiuko2nvdq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2929451852384ac9f1b289746f767b752e04ec5d778b9538ac761cb175006948
RemcosRAT
45c02c7b7bcf92f477c2d62d4f65090f79cf0fc6e9ae3a0a8d1f9523613e6b9d
RemcosRAT
48d97367a91454e04e0161675bc323aaea552ef9335c57090e0d471d3d28c97e
RemcosRAT
5180dca560ce8ad4b5001b77e3da2897890c00bab9193d0bdbd294e6b5fc8b80
RemcosRAT
8043ea1eec1337542f54a3da01248f048588f43c2f5a434d425775dbb3ddd6b3
RemcosRAT
c230214b625b1602d90b804a4f1a80836d1b2839c226492419c53d7e642fcca0
RemcosRAT
d09e0e3cdb3fa52dcea7852176dc97aac0741e85b22bd088fd0bf0633e3f3bbb
RemcosRAT
d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375
RemcosRAT
da94505a95c11c751468743c7eb6cef882f99c6c5ad4ca0b24b4c3e36d0ea11c
RemcosRAT
e7f968d64655db242cdc6330cf399c3b5e635b63b2ba734d5e2c2eee5986e9be
RemcosRAT
+ 2'235 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/221122-lh65rsgh38/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
51.75.209.245:2404
Unpacked files
SH256 hash:
1459ade80dd19b04b8d0037ce88f8f020b6c9d730e39fca181465355562f4b15
MD5 hash:
2c8b1b939947b35d647eb87373316fcb
SHA1 hash:
ec7b924e02076e3f6f1ba70d6990f7946c661d27
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/e644bd4c-f32f-4dbe-bdf5-2c195fc911f0/
Parent samples :
e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409
733ec6405b43d9ac4a266a3bfae9df34185cbd8147819f17851dd9d13c3b733b
b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58
bdb57463a45449889f971cc8f16abf66f695b00dabf917280ec6e7389916a0a2
f5758ccee5820f19251721999da1f927572f00bc472113638f2fb134d6599b68
8f6954e1834b49a24b8e937ff093f1e534f89691ce805ce2f14553315a18e651
8f2f7e3c4fdafd040879abd0e8fc0bcd7c4055217a4fac63e348ff391da62878
238e7b87bd6d152fce3ae3dbe8ea4a9f3b56c883944cb93695c58fdc20aad6e8
dfca7ce647ee8994cba9317516ce7f58b2b175f815fd5336dbfed34ccad5c4de
6af23878112166b4f2b99b4a7af53cf8c71ee4d0e27eead7eba335832e9449b4
d299c8e1864ae2089e28301ed127b86d92c3aeac935f35822479a018b025da59
f7ac248e39e55ccbf0b79fbfd3bbad23f00dd3e595d6f58166a70dfd82adb951
734e077ffd2beb5e2808ce5bf2d27f03757257d133794acad69bf80bee2e7348
c1cc5ad08f2796e777ab3006a88c3cfa5dc84b0d0bc5f95cb72cb73436220b4c
83d297c0de9846ebf9db06df45c0b09dd2751bbb2e487d9d6df1128a29da6d47
ff4eaf31a3a0f4f99fd9c71caa01388cd50a9917fc16625d549c470cf23cd68f
fff14d27cfcfd3a46729a41bd6dcbb09e667f894e2c85b4e7eb5098faccfa6ab
9bbad0b231f56f22855746de8883bb11d5cfc3b0888760ab47620d0538af8962
123b988cf46a721c113799db30e360848a05941032871f87d1ea6a12bd8e7f0f
f306fefee8114c023ad5056b16a490a82466e8bbf50296f2ecdac6a75123bd2d
fdc9196c194b31f7b221c487affe3d815775a436b1c26133fa6b1e8a9c252a51
4713512f84ba1fbb43666e1e0c5ef8f02d681c0fef3c469a13759d51018d1f0f
aa512df0ca1a0462046446c14ca5aaaa5255dc12b6aa06ea7662aff9d1b2eb41
a6655fefe6b0b32d5c94627d3b83a0d446fa329b162ac7f8409a1b8827b63abc
679f0dec60e8ac08f75b8e2731c1689544b9ae1d08a26e9c6607a7bad3941ebb
a84ffc6423f9efc057fcffadbf537056debc6b79d3d81a7dc4b16bd61a87b6ba
7001538a3316bf0f86e9730d0a38992357f4669d3a4a85e77f1ec42293499ff5
c8ce7d7a1b3511466f838f2b09f1a644ac2ceaa09f508a81a601cc5c576e18d4
df5e690e3853c11de2a42d9a958ed8ca923c704b3ccf320c3c6c154377b3bd38
5251517c9a5cc925e00988f3d9aa30706271cfd0bd6d33d3794e03a92b13b946
8758be9f226102217b3f28ffc1d6093dac1c9d5e8b3de32d85d150204169c10d
f34b65f828707e189c6197c3605e4b25bcd493e93bdb498bc91eeee6ac349d0b
da6d125701d41e2b9d6d9931b4747bbf6b3b4a6c0ca26311c7983fad94e22ef5
98479f2d5e3f5147ddd504bcc7bd1a2b0a3b06ff5525f313a55ce81efc67fc28
SH256 hash:
83d297c0de9846ebf9db06df45c0b09dd2751bbb2e487d9d6df1128a29da6d47
MD5 hash:
b395c429aef5096df450c86e2e6ec810
SHA1 hash:
73ed323c58b8a1821b4c2dba28b1b288104bee52
Link:
https://www.unpac.me/results/e644bd4c-f32f-4dbe-bdf5-2c195fc911f0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/83d297c0de98/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/83d297c0de9846ebf9db06df45c0b09dd2751bbb2e487d9d6df1128a29da6d47

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 83d297c0de9846ebf9db06df45c0b09dd2751bbb2e487d9d6df1128a29da6d47

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/337143/

Comments