MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84f9e8abd4682870a94655c297e283b12de8162454217deb5d56d33603a04b35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84f9e8abd4682870a94655c297e283b12de8162454217deb5d56d33603a04b35
SHA3-384 hash: 66f535a2e776ea6f7fdddec5b2743275c44bfab0e3a26a6425aa3e46d03037956cf8ee3ab77ba5495657a1a185e5aa52
SHA1 hash: 7a81008442ccad66e42cf1a7f1ed4d7a5cc29ee7
MD5 hash: 2b087560bc75a3f809da01876c3410dd
humanhash: ten-enemy-berlin-diet
File name:Document.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'077'248 bytes
First seen:2021-04-08 15:50:11 UTC
Last seen:2021-04-09 04:57:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 574a58eecf1d4826e17fc203dfbffb06 (1 x RemcosRAT, 1 x FormBook)
ssdeep 12288:zAbYaqS0wo6olyeUHL6j1vgoHg0XWidwuRIKYd6pKWeWdTcYWGlddHlgU/OyV:zS8wo6oljrBneWKPIddHlgUDV
Threatray 163 similar samples on MalwareBazaar
TLSH 8435AF12B293D032D06217395C6AF2BC8822BFA17DD4644B76E43F4F9F761D17829A87
Reporter abuse_ch
Tags:DHL exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.orderissued.xyz
Sending IP: 75.119.154.209
From: Dhl Customer Support <mail@orderissued.xyz>
Subject: Delivery Failed
Attachment: Attachment.iso (contains "Document.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Document.exe
Verdict:
Malicious activity
Analysis date:
2021-04-08 15:55:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/52988aa5-ffb8-482c-893d-dce9724eaf62

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133249/
Detection(s):
SecuriteInfo.com.Variant.Zusy.375555.14244.3356.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/670461
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/84f9e8abd4682870a94655c297e283b12de8162454217deb5d56d33603a04b35/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 16:01:29 UTC
AV detection:
16 of 48 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qt46rk6unauhbkkgkxbjpyudwew6qfrekqqx3225k3jtma5ajm2q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0499edd68518a172935fb984e9d97c72c50a00d5aff2cc7d5528cd38da42695c
RemcosRAT
1009dfd8b0678ec363efae43da9bb4eac2f44ae77a7f7f89ccc120a592f20a78
RemcosRAT
2d8d2fd56753dde1e4b495c73f4d1b68e4b347633d8cd79a687b9cb98573f189
RemcosRAT
604bc26afab3f25d1c4d98e45872e798eef3061cc8720be0db28d900bddb277c
RemcosRAT
896d2dc1eab72419ab524333d3fba88c8ddf92b087f1c9af5d6ea402b0c77d89
RemcosRAT
b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839
RemcosRAT
c3d5cfa19bb7af77abe161135bd85506171d67dca3f86fa6a68340d05e203f64
RemcosRAT
d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9
RemcosRAT
e418958dc7d42216f8f151aef40df718df0a6a20d7d70c9954f7bd82953707a7
RemcosRAT
ef6ac1293cdfda22c8d940f96c5433f406a4c3666e6941e4f094a8cf50d04ac1
RemcosRAT
+ 153 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/210408-wm83221ph6/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
Bruno.camdvr.org:2404
Bruno1.camdvr.org:2404
Bruno2.camdvr.org:2404
Unpacked files
SH256 hash:
31ffb1d8050b158b4c432cbb831f9da9b918443b7ed3ecca7e3d7a18a531e3f9
MD5 hash:
406f0b9cc6dacbdd1b715c557b941343
SHA1 hash:
77387463c87215e20a8592430665820cbb146660
Link:
https://www.unpac.me/results/f24b4811-33b1-4bc8-a4b2-8af97e22ad5e/
SH256 hash:
84f9e8abd4682870a94655c297e283b12de8162454217deb5d56d33603a04b35
MD5 hash:
2b087560bc75a3f809da01876c3410dd
SHA1 hash:
7a81008442ccad66e42cf1a7f1ed4d7a5cc29ee7
Link:
https://www.unpac.me/results/f24b4811-33b1-4bc8-a4b2-8af97e22ad5e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84f9e8abd4682870a94655c297e283b12de8162454217deb5d56d33603a04b35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 24f4cf4250300c826fb80e2aebdd9e413f56d9ec5eda5fd5214e4dad9b517002

RemcosRAT

Executable exe 84f9e8abd4682870a94655c297e283b12de8162454217deb5d56d33603a04b35

(this sample)

  
Dropped by
MD5 4b01efab6972b7898af7e0eb62716a77
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 24f4cf4250300c826fb80e2aebdd9e413f56d9ec5eda5fd5214e4dad9b517002
Cape
Cape
https://www.capesandbox.com/analysis/133249/

Comments