MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f4dcda8ef498f0d5f7dbbf978a3e9588bef94f5ee91a3659349d60b1f2447ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemcosRAT
Vendor detections: 11

SHA256 hash: 8f4dcda8ef498f0d5f7dbbf978a3e9588bef94f5ee91a3659349d60b1f2447ec
SHA3-384 hash: c6eee4f4efb2cf0ab2cc5d0e9f1155a6b6c4e605ea183fa89e34752f89ca1a78c29390ffd2a7ef55ae232d1ef5bb570e
SHA1 hash: 7bfc94e15847093d2f9afbb7dd1fe3529e1f6d27
MD5 hash: 135ebf3d3b9eaf21ffdffc9465340011
humanhash: march-artist-romeo-nebraska
File name: Acerimallas_ORDER 5676-SEPT1721,pdf.exe
Signature: RemcosRAT
File size: 870'912 bytes
First seen: 2021-09-17 17:16:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 96d68413d52ee291c9b444b7006f0bce (4 x RemcosRAT, 1 x BitRAT)
ssdeep: 12288:mmnGyuE9fz9VBCY4Alz2MjbjBQHhazE2Advnk6LHC7WWnMvwfHVBPggseBnDz5ZE:mmnZbz9e0z12HFBngseBDz5ZE
Threatray: 635 similar samples on MalwareBazaar
TLSH: T1E5056C365BC58CF5F1750834ACCFA660197F7CF5BCAA1C861EA43D08D6643A2796A08F
dhash icon: 8ccc0c37e3969a68 (8 x RemcosRAT, 2 x NetWire, 1 x BitRAT)
Reporter: GovCERT_CH
Tags: exe RemcosRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 143
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Acerimallas_ORDER 5676-SEPT1721,pdf.exe
Verdict: Malicious activity
Analysis date: 2021-09-17 17:19:33 UTC
Tags: installer rat remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness: (not given)
Behaviour:
  Creating a window
  DNS request
  Connection attempt
  Sending a custom TCP request

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware keylogger
Result
Threat name: (not given)
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  C2 URLs / IPs found in malware configuration
  Contains functionality to inject code into remote processes
  Contains functionality to steal Chrome passwords or cookies
  Contains functionality to steal Firefox passwords or cookies
  Creates a thread in another existing process (thread injection)
  Delayed program exit found
  Detected Remcos RAT
  Found malware configuration
  Initial sample is a PE file and has a suspicious name
  Injects a PE file into a foreign processes
  Machine Learning detection for dropped file
  Malicious sample detected (through community Yara rule)
  Uses dynamic DNS services
  Writes to foreign memory regions
  Yara detected Remcos RAT
Behaviour
Behavior Graph (ID: 485313; rendered image not reproduced here; the following facts are recovered from the graph's labels):
  Sample: Acerimallas_ORDER 5676-SEPT... ; Startdate: 17/09/2021; Architecture: WINDOWS; Score: 100
  Contacted domains/IPs: zion6.ddns.net (91.193.75.133, ports 2815, 49744, 49745; DAVID_CRAIGGG, Serbia), ztoepg.sn.files.1drv.com, 192.168.2.1 (unknown), plus 2 other IPs or domains
  Dropped file: C:\Users\Public\Libraries\...\Fnzbqmi.exe (PE32)
  Process tree: the sample starts Fnzbqmi.exe (twice), mobsync.exe and cmd.exe; Fnzbqmi.exe starts secinit.exe and DpiScaling.exe; cmd.exe starts reg.exe, a further cmd.exe and conhost.exe
  Signatures shown on the graph: Found malware configuration; Malicious sample detected (through community Yara rule); Detected Remcos RAT; Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes; Machine Learning detection for dropped file; Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies; Delayed program exit found; 4 other signatures
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2021-09-17 17:17:08 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5

Result
Malware family: (not given)
Score: 10/10
Tags: family:remcos botnet:ok man persistence rat
Behaviour:
  Modifies registry key
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Program crash
  Adds Run key to start application
  Blocklisted process makes network request
  Remcos
Malware Config
C2 Extraction: zion6.ddns.net:2815
Unpacked files
  SHA256 hash: 519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
  MD5 hash: 3da921c9355d01d335cf03159a950030
  SHA1 hash: 3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf

  SHA256 hash: 8f4dcda8ef498f0d5f7dbbf978a3e9588bef94f5ee91a3659349d60b1f2447ec
  MD5 hash: 135ebf3d3b9eaf21ffdffc9465340011
  SHA1 hash: 7bfc94e15847093d2f9afbb7dd1fe3529e1f6d27
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Malware family: RemcosRAT
  File: Executable exe 8f4dcda8ef498f0d5f7dbbf978a3e9588bef94f5ee91a3659349d60b1f2447ec (this sample)
  Delivery method: Distributed via e-mail attachment

Comments