MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d
SHA3-384 hash: 71709add10dde892b2525cb205a12a2289cbd08cf09a5b95509e0eb73e253d8b3b36e8557b5d302f7e0e649b6fb612f3
SHA1 hash: eaee1819a3291b7d08ebcbf33101cc1a5195a082
MD5 hash: 7a06ee20a8cf9057c0313c2dd9b52dcd
humanhash: eleven-skylark-lima-sodium
File name:Ynt Sipariş Onayı-5309,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:846'848 bytes
First seen:2021-08-16 12:09:05 UTC
Last seen:2021-08-16 12:53:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1abe4551dd4f8ef04deab38d0027e326 (4 x RemcosRAT, 1 x Smoke Loader, 1 x NetWire)
ssdeep 12288:WhxUck0fyI/Xv94r0umLKC+pvbIAsrxPz+o8wcF:WhGdkF4r0uvnDIFpP
Threatray 404 similar samples on MalwareBazaar
TLSH T17A058E62A1898437E5A316389F4F06FD9CB27F013539649E1BEE38894F76762383B447
dhash icon b0b0303a34363034 (4 x RemcosRAT, 1 x Smoke Loader, 1 x NetWire)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ynt Sipariş Onayı-5309,pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-16 12:11:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/299d6ff5-82d0-4541-bcc5-a797a0016b34

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.36771.17657.15231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed050842-dcc6-42ce-a32a-98984d4aa4ed
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833484
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 465913 Sample: Ynt Sipari#U015f Onay#U0131... Startdate: 16/08/2021 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 4 other signatures 2->49 6 Kqgzvvv.exe 16 2->6         started        10 Ynt Sipari#U015f Onay#U0131-5309,pdf.exe 1 19 2->10         started        13 Kqgzvvv.exe 16 2->13         started        process3 dnsIp4 29 onedrive.live.com 6->29 39 2 other IPs or domains 6->39 51 Multi AV Scanner detection for dropped file 6->51 53 Machine Learning detection for dropped file 6->53 55 Writes to foreign memory regions 6->55 15 DpiScaling.exe 6->15         started        31 onedrive.live.com 10->31 33 fupqga.dm.files.1drv.com 10->33 35 dm-files.fe.1drv.com 10->35 23 C:\Users\Public\Libraries\...\Kqgzvvv.exe, PE32 10->23 dropped 57 Creates a thread in another existing process (thread injection) 10->57 59 Injects a PE file into a foreign processes 10->59 18 dialer.exe 2 10->18         started        37 onedrive.live.com 13->37 41 2 other IPs or domains 13->41 61 Allocates memory in foreign processes 13->61 21 dialer.exe 13->21         started        file5 signatures6 process7 dnsIp8 63 Contains functionality to steal Chrome passwords or cookies 15->63 65 Contains functionality to inject code into remote processes 15->65 67 Contains functionality to steal Firefox passwords or cookies 15->67 25 thankyoulord4real.ddns.net 185.19.85.140, 3030, 49726 DATAWIRE-ASCH Switzerland 18->25 27 192.168.2.1 unknown unknown 18->27 69 Delayed program exit found 18->69 signatures9
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 08:36:14 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=smsqsc32foafrkkg6ejyrwyvqe5isj3qrksux6nknnmsl4vsfuoq._file
Verdict:
malicious
Similar samples:
46a376d25369d059b1c149d8fb4821aa3ddb504bb381a02f3d5e4e019a41ed4d
RemcosRAT
7e6b40371751970ec5b3b17f02a89ac6ff1b7f9ec20210144fd75f992c3af21e
RemcosRAT
8fb001ff8eff89d8c472579c21683a55aff13ff9599bef6a3e5571b2c919691b
RemcosRAT
c75eff07a3519dee7ab981166c1b6ff851d1e826e3ef5f0e36250b5983e3095c
RemcosRAT
e7aa9ed4edc37d0b7515085211d1107ff1a54f2ca2651bd6698ae345663b93c6
RemcosRAT
ebe0b8890392475537625aeefaec22b5f0115011e135117d7afd9325eb47fad8
RemcosRAT
ee3cd0b8ec089cdcec65b22189ecc9efb9f356afe0870e424cbdedcf19920e13
RemcosRAT
fad40e1841789cfbef3c9f09b4e557b928597506cd8b93d8eae51cef2ba3cf3f
RemcosRAT
+ 394 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210816-j223zcr2a6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
35dc1b7c1f1562578ef1db2896a647d706f749c67cd608feec049384a7b38895
MD5 hash:
08403a3dc9749684d5bc42d817f155ff
SHA1 hash:
2f21a709d39af3e6f21f8e0b353d7c81ea3bd136
Link:
https://www.unpac.me/results/554c57ee-d3ad-4a09-bc15-06d59aba1b8c/
SH256 hash:
795b2b5d6668147d7924ac96f90741ddc2a2b5003f455fb842b613a286fbf8fc
MD5 hash:
53011b69a7231aea23d66805a681144b
SHA1 hash:
e3d0d157e763c865e79ccc5bedc2fd5fd90413f7
Link:
https://www.unpac.me/results/554c57ee-d3ad-4a09-bc15-06d59aba1b8c/
SH256 hash:
9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d
MD5 hash:
7a06ee20a8cf9057c0313c2dd9b52dcd
SHA1 hash:
eaee1819a3291b7d08ebcbf33101cc1a5195a082
Link:
https://www.unpac.me/results/554c57ee-d3ad-4a09-bc15-06d59aba1b8c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9325090b7a2b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment

Comments