MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 896d2dc1eab72419ab524333d3fba88c8ddf92b087f1c9af5d6ea402b0c77d89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 896d2dc1eab72419ab524333d3fba88c8ddf92b087f1c9af5d6ea402b0c77d89
SHA3-384 hash: c601eed4fa407c926c5ef0bd3913fcae5866578bdbac1f320de76a3d791f8e18045f874e5331cd713235b9a8fee01058
SHA1 hash: 7e8971f121c2b09dea8760c1f1edc5b9931d24f8
MD5 hash: 26382b4f3cc97798992f8c88c27febdd
humanhash: item-maryland-hydrogen-black
File name:Document.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:865'752 bytes
First seen:2021-04-04 08:23:57 UTC
Last seen:2021-04-06 19:10:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ae7338b3afd80640cfdf97dc6c436449 (2 x RemcosRAT)
ssdeep 24576:RL9xpvuy0SLIzpK8UflZVcFWwOfCFETO2XiL4Uj3q:R9xQRsIzuPBC+TOuf
Threatray 151 similar samples on MalwareBazaar
TLSH 6A05AF21E3C14473E1632F345C6EB6B51826BF622DE8A54967E81D4C5F3B782393D28B
Reporter abuse_ch
Tags:DHL exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.checkddelivery.com
Sending IP: 209.145.54.67
From: Dhl Customer Support <mail@checkddelivery.com>
Subject: Delivery Failed
Attachment: Attachment.iso (contains "Document.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
335
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Document.exe
Verdict:
Malicious activity
Analysis date:
2021-04-04 08:25:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f878fdaf-f2b1-4dd1-a674-ee366b1d15f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132078/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be341fae-45e4-460c-ac10-66da0c9f18b0
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665539
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-04-04 10:37:33 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rfws3qpkw4sbtk2simz5h65irsg57evqq7y4tl25n2safmghpweq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0499edd68518a172935fb984e9d97c72c50a00d5aff2cc7d5528cd38da42695c
RemcosRAT
42ef2a340b9b5ec88d5ab83584f07ecc76e7b3842640aecd328ad9d85ad745e8
RemcosRAT
46131c5f93779a7547011c983be113cbf561fee1f4cba59ce8dd8f0bfb4a48f7
RemcosRAT
604bc26afab3f25d1c4d98e45872e798eef3061cc8720be0db28d900bddb277c
RemcosRAT
610aec487270d875f4c6a5fb4f128d636f817a36e40dc4db55c52505258d785f
RemcosRAT
941d7828d89da175afca52906a1e519707a09685f30332937917505fa8999f87
RemcosRAT
b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839
RemcosRAT
d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9
RemcosRAT
ef6ac1293cdfda22c8d940f96c5433f406a4c3666e6941e4f094a8cf50d04ac1
RemcosRAT
f8d06c20dc2af83af29551f384bbde4e5380911d8db0f9e56ca549bb5995d413
RemcosRAT
+ 141 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/210404-mybyxt4fj2/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
Bruno.camdvr.org:2404
Bruno1.camdvr.org:2404
Bruno2.camdvr.org:2404
Unpacked files
SH256 hash:
68247adf9c5d5961c0fc61a2af5bbfa7da927f36c0a9ae05003599b4b27e38b7
MD5 hash:
1b8ca94170420aee9e1609e419d7c2b0
SHA1 hash:
7c04b1b128246ab1421ca34fd7723a4a027d8510
Link:
https://www.unpac.me/results/90b41405-1469-41b6-87ee-82f8f00df823/
SH256 hash:
896d2dc1eab72419ab524333d3fba88c8ddf92b087f1c9af5d6ea402b0c77d89
MD5 hash:
26382b4f3cc97798992f8c88c27febdd
SHA1 hash:
7e8971f121c2b09dea8760c1f1edc5b9931d24f8
Link:
https://www.unpac.me/results/90b41405-1469-41b6-87ee-82f8f00df823/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso a3ad9accd5a90ff0b315720cc84d2703397793d7a1957f6bf9f5d911bcb2e337

RemcosRAT

Executable exe 896d2dc1eab72419ab524333d3fba88c8ddf92b087f1c9af5d6ea402b0c77d89

(this sample)

  
Dropped by
MD5 0fc0b704b14e9e5c04c71b2f768740f3
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a3ad9accd5a90ff0b315720cc84d2703397793d7a1957f6bf9f5d911bcb2e337
Cape
Cape
https://www.capesandbox.com/analysis/132078/

Comments