MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 916d4770ebe51677667bb3c11ae7e13799090f1410415cf33230bd97935e3e04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 916d4770ebe51677667bb3c11ae7e13799090f1410415cf33230bd97935e3e04
SHA3-384 hash: 1b64807e99058d978c67c498a344d2c6e8a08ff660cf715a3d66ee127a49d939ed3ebeeeef048688d92fba1e2ca3b505
SHA1 hash: 1e15c4cf819475e3fee0ab8f8425474293755fe1
MD5 hash: 28f058d7565ad0fd48759b3360161add
humanhash: one-fillet-lake-three
File name:SecuriteInfo.com.Variant.Jacard.210227.8640.8997
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:741'888 bytes
First seen:2022-04-25 16:07:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b53e45a7b24e46b53f5d5fb3ccf0cd21 (3 x RemcosRAT, 2 x ModiLoader, 1 x NetWire)
ssdeep 12288:uTl9N4dIdOjqnzIDq+Wef39aVQbvhq6nqT19/gk2NKzaRHr:uTlD4ezEdThrqTPPbz
Threatray 7'584 similar samples on MalwareBazaar
TLSH T1B1F49E63B2E04432D0271D785D5F93B859217E50FE68E94A2BF4EC4CBF362C5352A2A7
TrID 46.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
31.5% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
18.3% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
0.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.9% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon ece0f3d692d3c4cc (3 x OskiStealer, 3 x RemcosRAT, 2 x Formbook)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Letter.exe
Verdict:
Malicious activity
Analysis date:
2022-04-26 12:47:56 UTC
Tags:
rat remcos keylogger trojan
Link:
https://app.any.run/tasks/d83a77d9-2392-4dd8-abac-38c8cc1485dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266482/
Detection(s):
SecuriteInfo.com.Variant.Jacard.210227.8640.8997.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm control.exe greyware keylogger
Link:
https://www.filescan.io/uploads/6266c77c79c6c1e67d2d6cff/reports/f65c72c4-1e08-439c-a60f-2799d281caea/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dafdc491-1d85-419a-a771-aadef48f5017
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/982590
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Program Location with Network Connections
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 615080 Sample: SecuriteInfo.com.Variant.Ja... Startdate: 25/04/2022 Architecture: WINDOWS Score: 100 55 Multi AV Scanner detection for domain / URL 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 5 other signatures 2->61 8 SecuriteInfo.com.Variant.Jacard.210227.8640.exe 1 23 2->8         started        13 Dohurlk.exe 16 2->13         started        15 Dohurlk.exe 16 2->15         started        process3 dnsIp4 41 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49768, 49770 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->41 43 onedrive.live.com 8->43 49 2 other IPs or domains 8->49 33 C:\Users\Public\Libraries\Dohurlk.exe, PE32 8->33 dropped 35 C:\Users\...\Dohurlk.exe:Zone.Identifier, ASCII 8->35 dropped 71 Writes to foreign memory regions 8->71 73 Allocates memory in foreign processes 8->73 75 Creates a thread in another existing process (thread injection) 8->75 17 logagent.exe 2 2 8->17         started        21 cmd.exe 1 8->21         started        45 onedrive.live.com 13->45 51 2 other IPs or domains 13->51 77 Multi AV Scanner detection for dropped file 13->77 79 Injects a PE file into a foreign processes 13->79 23 logagent.exe 13->23         started        47 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49790, 49796 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->47 53 3 other IPs or domains 15->53 25 logagent.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 generem1.hopto.org 94.46.246.30, 2404, 49782, 49798 UKSERVERS-ASUKDedicatedServersHostingandCo-Location United Kingdom 17->37 39 generem2022.hopto.org 17->39 63 Contains functionality to steal Chrome passwords or cookies 17->63 65 Contains functionality to inject code into remote processes 17->65 67 Contains functionality to steal Firefox passwords or cookies 17->67 69 Delayed program exit found 17->69 27 cmd.exe 1 21->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/916d4770ebe51677667bb3c11ae7e13799090f1410415cf33230bd97935e3e04/
Threat name:
Win32.Trojan.Jacard
Create hunting rule
Status:
Malicious
First seen:
2022-04-25 13:18:15 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
11 of 42 (26.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sfwuo4hl4ulhozt3wparvz7bg6mqsdyucbavz4zsgc6zpe26hyca._file
Verdict:
malicious
Similar samples:
25f95bec948dd2f304c9a68b61e057d3f7ac656ec3b9849c87c0751949e858e8
RemcosRAT
50d0c37267fc4b803c156b1d494741bc9bdaa7b16d9dac19b8f8af4c9fd57e7f
RemcosRAT
6299e5f3946878e16130c6454bcd90bf319b3dcf8bd13d9a56bb867ba82eb655
RemcosRAT
870e8d111b67ac2aaa21010b2697028f606fcdf9f96baa8e005d7c58c5480737
RemcosRAT
9c9243f11dd44d1f1ac97716014be57244dca97a514e73d5f13da03392cba358
RemcosRAT
b2d45c9e0e80aa26cec7cfdd54a0bcd634de6233d68450374488b89ed3db47dc
RemcosRAT
b38e3f4e9eab9e141688e21fe37f15df19ffa73334a4cb9576419b7301d8d547
RemcosRAT
ba1b1f218d5236e121b68da9183c90e8e6640f91c77a5e8d0ea5eead270f2199
RemcosRAT
c16b9319edf591f4b75c3b69e09451de772816ed5a7915c9112bb8dd14e4aea3
RemcosRAT
f52b398d958c3ebda27ec4f40d4f788bdf6cb514cf43cdc5687d8ada61a0ea38
RemcosRAT
+ 7'574 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/220425-tk74vagghn/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
generem2022.hopto.org:2404
generem1.hopto.org:2404
hendersonk1.hopto.org:2404
gene.ddnsgeek.com:2404
henderson.camdvr.org:2404
henderson1.camdvr.org:2404
hobbyhrs.zapto.org:2404
hobbyhrs2.zapto.org:2404
hobbyhrs1.zapto.org:2404
Unpacked files
SH256 hash:
f0b40f8f7e36da9257b6df7c2a2b6a008be050cf5fdcd477a0415c6c96b4b9f5
MD5 hash:
c1a72ee7162580adf97d03f8b7acaf29
SHA1 hash:
2e9f9d3f24cd773ac1ed82172292e88e799d177b
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/c8ff8296-d04b-4eac-8570-9e9b68e7bfc5/
Parent samples :
2629af672d7f5ec9b0b7a7b6a96ff8af2d9eb7373db348c8b083445c50421112
6299e5f3946878e16130c6454bcd90bf319b3dcf8bd13d9a56bb867ba82eb655
24c74b5b6f19d272cab19ed5d4bb3c6b7fa9db43d2df3f9354def90775066b1e
072be58dfb68730e96a5b6486075247394bec03a30aec93c192164ccfd3785b2
6a388696745c133ba5ea711f6413c3c10c082df2d70ca70b2f015c5f83c53c75
092dc171cc93d9bb792de744ee8bb6abaa3356797037b9ac2303f275dcffbf6a
25f95bec948dd2f304c9a68b61e057d3f7ac656ec3b9849c87c0751949e858e8
044d1ec37b42a658ce379de6461deb9dda53c38b34a6220341fa0d7bfae5a023
fc0b13dfb3d15b6226be48c805de735bb642088787246e36cfc271544ace3bdf
cc584053d88f795417a45c3f1eec2ccd26d42187ee6363f765a9af5e3f8ab8f8
cfcb582f27759f71355afb97888cb83edf78c7a526e8d23eb850641ec74da153
f1d3084dca9df75e2d4bcffe18c1923ed5298b5dce5221b4d8201ee8c6b2dae4
02a4cf01a65e70746623eeef46cd1c31646c23f667a90dd7ad3823772364500d
87ffd4cb4adf6c300a521038f7309d0ed3194fa8da73da8237c7c500013ef0b4
3ff19b47194fe17cb6ca63ffb6b2f30e27b0c306d6645c0b9fcb8770bba157ab
50d0c37267fc4b803c156b1d494741bc9bdaa7b16d9dac19b8f8af4c9fd57e7f
870e8d111b67ac2aaa21010b2697028f606fcdf9f96baa8e005d7c58c5480737
dd05a4434fa1628a9aaec17768bb9f05c5d2d658b5d307e54cfa5fbc70d6aba4
a7fa9a27a755046bbe877013da9d3942a249119df07f13aaf10c4f5cb3ccbb64
daeb62156a7c6451ff54258c1ec83ec4870c9a506f0d6a2c1c6b338b1a411945
69506d94e34defa3a35ad549bcb235b2001579de3910a80565b114ea6db7f6d4
916d4770ebe51677667bb3c11ae7e13799090f1410415cf33230bd97935e3e04
207a1808479cbee739fbbda12d33d058df18012c5687482de24eb9d0ff6f705d
3a07d1cbc8052ba733faaacff6b69858057ad8efc52583a78fcd98f6e96be88f
984107429953e79b5635db4f49e63c0d0b3a9a03be60e5f48d5da2e1ee3fae64
9d2383ab12abb52a372d372a049ae4cd6f17f6952930c5e76a7e9618e2c7b43c
eac6427faa4ba824dda50c1c814dd4eb5cd6970aba9ddbefdf59d19625568934
5a116045f9e40be64ae46a63626844ed4dcc5a921485b681ebdbd217664e1342
149f35c9dccbb1f3118657af9168f338ad983a38f33a26a5691af1e763ef9376
9c0b72d2c38a900a44211ca320eca39ec1418398cdd502bf79eeebfd8651589a
f4d727c60299b2b64b39555050087d37cd4ab81ddc2f568985bbde562f8cbd66
150935662d729e862eaf1e72dc86f91c651cb993bd2c856181b036adc911fe23
7f32e1239c02178ac62a8d55cbf0c0676ca548f5324b80fe619146900ebae206
5408d35cb677b99fe0405b8397bed961e53124c62a7514dd303d5dab02964606
b27d35dd842dcd66106c110830710fd322d5a1ab012d7220ee4ab888719bc70d
ef01d3891c05f7aa29a855eebbe64ec94b5f81f44f891de1f3b4fecdbf0b836d
f45631af90cc92248765d036f48dc97b24475874b91d86b761d4aefb69c307fb
f4ec04cb1edb890bbc61499cb05c08c097af275e92c4902e82cac60b2a244f71
f6cae91cd0b80a4ac59a965baba0d156df61355ac69ea20cbd8273914663cdba
670dc6c50f025390d4664a37eed3b731a4fafa8f524396a08ca1993d2e700d4c
6a99b41ddd5b5461d9f2ee7771b34cbaf283e4ef1431b83b91d90d65079a8b6d
acb46b4fd93915d42ccc2362118807861186bd1d49de254ff450656ba079b11b
SH256 hash:
916d4770ebe51677667bb3c11ae7e13799090f1410415cf33230bd97935e3e04
MD5 hash:
28f058d7565ad0fd48759b3360161add
SHA1 hash:
1e15c4cf819475e3fee0ab8f8425474293755fe1
Link:
https://www.unpac.me/results/c8ff8296-d04b-4eac-8570-9e9b68e7bfc5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/916d4770ebe5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/916d4770ebe51677667bb3c11ae7e13799090f1410415cf33230bd97935e3e04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pdb2
Create hunting rule
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/266482/

Comments