MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9378e7d749031db44b0ba686cfaf2bb02011e7877f688f4edd601fb48fdbdd7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 4 File information Comments

SHA256 hash:	9378e7d749031db44b0ba686cfaf2bb02011e7877f688f4edd601fb48fdbdd7e
SHA3-384 hash:	d4723cd812b0588e94f83fc458d451f2afd45f9e92c04c2046d8a22b76034b2b6aa07d3695584d1cd0409374737f6de1
SHA1 hash:	cf3385ace9db058b4498d04953ee62f99f545ce0
MD5 hash:	b1a34ab7fc8b1c6e0e92929ac4fbc4e5
humanhash:	east-nine-may-triple
File name:	Evotec-Swiss Documenti PO TY43882#7,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	861'219 bytes
First seen:	2022-10-06 09:30:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	12288:8NbJ39hUKjmv00JRtunrLT0D3+5nCi/jzJlAZ:8NF392SmvpuwDO5CiL/AZ
TLSH	T1F405CFE0ED34E98DC11955F0DB9E8FD6C6646C492B911CBA23EBB319017220CCDDE6E9
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	7cdad8accc9ca4d4 (4 x RemcosRAT, 3 x Formbook, 1 x AgentTesla)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
178.162.204.238:7913

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
178.162.204.238:7913	https://threatfox.abuse.ch/ioc/871851/

Intelligence

File Origin

# of uploads :

# of downloads :

224

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/317201/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process by context flags manipulation

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/41495/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/633ea058c9e2f3435432ea0e/reports/76977816-aa3b-403e-9b89-158a11c32f92/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/95771565-58c0-49bc-b5b9-e88379827b82

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1085256

Signature

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Found hidden mapped module (file has been removed from disk)

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/9378e7d749031db44b0ba686cfaf2bb02011e7877f688f4edd601fb48fdbdd7e/

Threat name:

Win32.Trojan.Remcos

Status:

Malicious

First seen:

2022-10-06 08:46:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sn4opv2jamo3isylu2dm7lzlwaqbdz4hp5ui6tw5map3jd633v7a._file

Verdict:

malicious

Label(s):

remcos

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/221006-lg2tnagha2/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6ba5d6cd-d283-4fbc-b583-09d3c69ea773

Unpacked files

SH256 hash:

9e965f970db921ff880befb4a857d58b8a4e3d79fcc4d7d49ba8ce3be93e791c

MD5 hash:

a4ab5ad0b2d68fc8fee8ed370cfcff5a

SHA1 hash:

534dc2ac8ce11f906ed322581059ed0871cecc2b

Detections:

win_remcos_auto

Link:

https://www.unpac.me/results/72b0cbb7-98fb-4170-8d72-d4fdefbc5bab/

Parent samples :

9378e7d749031db44b0ba686cfaf2bb02011e7877f688f4edd601fb48fdbdd7e
364ab1a879982bc878274fc91e14df0e1805da1cea30db8a7189ae9829746783
d2eb7b17e7070b164d5e4549bfc9f3b38fc1fa566b67cb2d34105910bce95788

SH256 hash:

5b0d097a98e3b4d04bd23cd47b0572a2a3d663208d03f76a903bf4f86f4bbb62

MD5 hash:

8be46b48ce99c999c2473d80f6915604

SHA1 hash:

5df674a6babc813dd4a4f74eb05c237209c6be10

Link:

https://www.unpac.me/results/72b0cbb7-98fb-4170-8d72-d4fdefbc5bab/

SH256 hash:

9378e7d749031db44b0ba686cfaf2bb02011e7877f688f4edd601fb48fdbdd7e

MD5 hash:

b1a34ab7fc8b1c6e0e92929ac4fbc4e5

SHA1 hash:

cf3385ace9db058b4498d04953ee62f99f545ce0

Link:

https://www.unpac.me/results/72b0cbb7-98fb-4170-8d72-d4fdefbc5bab/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9378e7d74903/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9378e7d749031db44b0ba686cfaf2bb02011e7877f688f4edd601fb48fdbdd7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/317201/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample