MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 936c820fd6780e9edb880cffc274c944ceb189e8f10915eb333fa5898d4e50be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 936c820fd6780e9edb880cffc274c944ceb189e8f10915eb333fa5898d4e50be
SHA3-384 hash: bfeec40d875943a046b2cb6ecd98bc1113455dcc0bc3c3854c35604e0cdf0d4c008c9b184a4f317912f810d4f36233fe
SHA1 hash: 6b9ee0c5efe2cc7f583802e3b484d96ddf081915
MD5 hash: 1583fdc3e1df94dfb1a3103eba791f2e
humanhash: four-nine-blue-august
File name:DHL invoice VNYI564714692.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'311'424 bytes
First seen:2020-11-28 09:18:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7f986b767e22dea5696886cb4d7da70 (5 x ModiLoader, 2 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 24576:FiLDfJXRq+fowpGG7By3Z72mwD8gKmX9hIbEIKn:FiLr5By3Z7NVgKAj
Threatray 1'487 similar samples on MalwareBazaar
TLSH AF55D023B1A28436C111A5BD9E1780EE2F75FD77799CB50E3BD0AD0C8E36A90E9150DB
Reporter abuse_ch
Tags:DHL exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.deinflae.com
Sending IP: 45.85.90.138
From: billing.help@dhl.com
Subject: Your latest DHL invoice : VNYI564714692
Attachment: DHL invoice VNYI564714692.img (contains "DHL invoice VNYI564714692.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/105872/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/549956
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Remcos
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 324088 Sample: DHL invoice VNYI564714692.exe Startdate: 28/11/2020 Architecture: WINDOWS Score: 100 42 g.msn.com 2->42 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Detected Remcos RAT 2->54 56 12 other signatures 2->56 9 Wfcudrv.exe 2->9         started        13 DHL invoice VNYI564714692.exe 1 2 2->13         started        16 Wfcudrv.exe 2->16         started        signatures3 process4 dnsIp5 58 Multi AV Scanner detection for dropped file 9->58 60 Machine Learning detection for dropped file 9->60 62 Writes to foreign memory regions 9->62 18 ieinstal.exe 9->18         started        46 cdn.discordapp.com 162.159.130.233, 443, 49721, 49740 CLOUDFLARENETUS United States 13->46 48 discord.com 162.159.135.232, 443, 49720, 49739 CLOUDFLARENETUS United States 13->48 40 C:\Users\user\AppData\Local\...\Wfcudrv.exe, PE32 13->40 dropped 64 Allocates memory in foreign processes 13->64 66 Creates a thread in another existing process (thread injection) 13->66 68 Injects a PE file into a foreign processes 13->68 20 svchost.exe 5 13->20         started        23 ieinstal.exe 2 13->23         started        26 ieinstal.exe 16->26         started        file6 signatures7 process8 dnsIp9 38 C:\Users\Public\WrKMptso.bat, ASCII 20->38 dropped 28 cmd.exe 1 20->28         started        30 cmd.exe 1 20->30         started        44 79.134.225.75, 1199, 49733 FINK-TELECOM-SERVICESCH Switzerland 23->44 file10 process11 process12 32 conhost.exe 28->32         started        34 reg.exe 1 1 28->34         started        36 conhost.exe 30->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/936c820fd6780e9edb880cffc274c944ceb189e8f10915eb333fa5898d4e50be/
Threat name:
Win32.PUA.Vigram
Create hunting rule
Status:
Malicious
First seen:
2020-11-27 21:04:24 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=snwied6wpahj5w4ibt74e5gjithldcpi6eerl2zth6sytdkokc7a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0561429ee93b0bc545689257b6cda0d43025317f9c890acb219c51d0f6e721e8
RemcosRAT
0965f63851a278a87bc8886a5b370b150af79d91fb0177a85e181555784ad114
RemcosRAT
1098c2e11043776815738d6f8abc818560c7516948d15f231a7018dfaeb279ed
RemcosRAT
16d05adbac66cd8607035590bf1efceeaa59aa2e1867f79737f0b6795da7dbd1
RemcosRAT
2f5d404fb3c493851a8c71f651f84c6c10ba0844efe334b907374540d35fed1c
RemcosRAT
41839aa5e4d72dfb5b544550588a3b18e83b45c64193e96236ddaca0527e303e
RemcosRAT
7f53893a9ce40e497ef34ecfc9c4f493b9d5dd7f989b60ffa248cbf289a1505a
RemcosRAT
a91a4674f844f5aa50396270e294341cbb2f87dbc5c9fc29d832efa2234eb9e9
RemcosRAT
ab9041fe7e0a4a439521d6eb01cc16d74c00a0427c86b067120ac453ba7329d9
RemcosRAT
db536ff2260adc1c6ff5182ecccf59c17d30ab7f014daa7aaa5347d4e5e50dc8
RemcosRAT
+ 1'477 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/201128-fxggyqg832/
Behaviour
Modifies registry key
Script User-Agent
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ServiceHost packer
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
936c820fd6780e9edb880cffc274c944ceb189e8f10915eb333fa5898d4e50be
MD5 hash:
1583fdc3e1df94dfb1a3103eba791f2e
SHA1 hash:
6b9ee0c5efe2cc7f583802e3b484d96ddf081915
Link:
https://www.unpac.me/results/3594d045-5f08-4362-837a-9c61dc90eee0/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img c3ced03dc8a59d08326c4f754de11577508af5a55582da5cd6297845e6c70358

RemcosRAT

Executable exe 936c820fd6780e9edb880cffc274c944ceb189e8f10915eb333fa5898d4e50be

(this sample)

  
Dropped by
MD5 a72fc4da0c179f04d888c979f05a6b0a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c3ced03dc8a59d08326c4f754de11577508af5a55582da5cd6297845e6c70358
Cape
Cape
https://www.capesandbox.com/analysis/105872/

Comments