MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91dfebe2d0d1f9ac3e495529066a6cd987ad302d33be7fb7fc744f5905daf832. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91dfebe2d0d1f9ac3e495529066a6cd987ad302d33be7fb7fc744f5905daf832
SHA3-384 hash: 125dadd64896ab2d9a7cb98949e09bd7bc415d1f9460c66bc0275b1b8267f23450b0d76aa80641e99479d94d24bdd77f
SHA1 hash: 8b0ac8e822ec99fa0408e3aa5e62e06603f35c42
MD5 hash: 2c67b40f05f68d9f20c02cf310e8dea6
humanhash: beer-spring-king-minnesota
File name:parcel.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:765'440 bytes
First seen:2022-07-10 22:24:45 UTC
Last seen:2022-07-10 22:43:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e74c01b0209b28198b8ce302510ff038 (1 x RemcosRAT)
ssdeep 12288:QaexxgGok/cdMNUycHy/ADb3FusZew0jYSm0LdJJGEU+Eq8XMMtL7W:cDgY/caWycHdLFuu0jfmIdJmk/Mtn
TLSH T18EF49D21FAE045F6CD77DA784D0B53A8D929BE113D1C988F6BE5BDC85F36240342B292
TrID 64.7% (.OCX) Windows ActiveX control (116521/4/18)
7.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
7.2% (.SCR) Windows screen saver (13101/52/3)
5.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
File icon (PE):PE icon
dhash icon c730d4c4c4d430c7 (4 x RemcosRAT, 2 x Formbook)
Reporter 0xToxin
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
377
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/285956/
Detection(s):
PUA.Win.Packer.Ep-9
Create hunting rule

PUA.Win.Packer.Ep-4
Create hunting rule

PUA.Win.Packer.PrivateExeProte-11
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/24953/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/62cb51c17d5b150059f0ae3d/reports/d812bba2-0040-45ea-98a1-eadadcae756b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/74219225-0814-42e0-a3cc-9cc930e78357
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1028162
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 660657 Sample: parcel.exe Startdate: 11/07/2022 Architecture: WINDOWS Score: 100 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for URL or domain 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 3 other signatures 2->59 6 parcel.exe 1 17 2->6         started        11 Jacvurjrie.exe 14 2->11         started        13 Jacvurjrie.exe 16 2->13         started        process3 dnsIp4 27 onedrive.live.com 6->27 35 2 other IPs or domains 6->35 23 C:\Users\Public\Libraries\Jacvurjrie.exe, PE32 6->23 dropped 25 C:\Users\...\Jacvurjrie.exe:Zone.Identifier, ASCII 6->25 dropped 61 Writes to foreign memory regions 6->61 63 Allocates memory in foreign processes 6->63 65 Creates a thread in another existing process (thread injection) 6->65 15 DpiScaling.exe 2 13 6->15         started        29 192.168.2.1 unknown unknown 11->29 31 onedrive.live.com 11->31 37 2 other IPs or domains 11->37 67 Multi AV Scanner detection for dropped file 11->67 69 Injects a PE file into a foreign processes 11->69 19 logagent.exe 11->19         started        33 onedrive.live.com 13->33 39 2 other IPs or domains 13->39 21 DpiScaling.exe 13->21         started        file5 signatures6 process7 dnsIp8 41 cobeckconstruction5430.camdvr.org 207.32.217.125, 2404, 49747 1GSERVERSUS United States 15->41 43 geoplugin.net 178.237.33.50, 49748, 80 ATOM86-ASATOM86NL Netherlands 15->43 45 Contains functionality to steal Chrome passwords or cookies 15->45 47 Contains functionality to inject code into remote processes 15->47 49 Contains functionality to steal Firefox passwords or cookies 15->49 51 Delayed program exit found 15->51 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91dfebe2d0d1f9ac3e495529066a6cd987ad302d33be7fb7fc744f5905daf832/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-10 14:40:38 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=shp6xywq2h42ypsjkuuqm2tm3gd22mbngo7h7n74orhvsbo27aza._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/220710-2bx7aafgc2/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
cobeckconstruction5430.camdvr.org:2404
cobeckconstruction5430317.camdvr.org:2404
nullhacker001.camdvr.org:2404
Unpacked files
SH256 hash:
4ba7690603e72aaee1c59ded105ba448c1c5e5b39ff60ca619c39a57ce395910
MD5 hash:
0e131d755182a1745c7f06c006a4adbf
SHA1 hash:
64bb921de3cb068fc4a26519ee51acbaa782321e
Link:
https://www.unpac.me/results/0402b4b0-4862-455e-bc32-9c315e114e96/
SH256 hash:
91dfebe2d0d1f9ac3e495529066a6cd987ad302d33be7fb7fc744f5905daf832
MD5 hash:
2c67b40f05f68d9f20c02cf310e8dea6
SHA1 hash:
8b0ac8e822ec99fa0408e3aa5e62e06603f35c42
Link:
https://www.unpac.me/results/0402b4b0-4862-455e-bc32-9c315e114e96/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/91dfebe2d0d1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/91dfebe2d0d1f9ac3e495529066a6cd987ad302d33be7fb7fc744f5905daf832

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:aPLib_decompression
Create hunting rule
Author:@r3c0nst
Description:Detects aPLib decompression code often used in malware
Reference:https://ibsensoftware.com/files/aPLib-1.1.1.zip

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 91dfebe2d0d1f9ac3e495529066a6cd987ad302d33be7fb7fc744f5905daf832

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/285956/

Comments