MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 938520cce11835b7bd6e0727bc6ae0a1e120ca0d6878308e3dd2b4daa9157145. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 938520cce11835b7bd6e0727bc6ae0a1e120ca0d6878308e3dd2b4daa9157145
SHA3-384 hash: a7882b7077fc0dff3935b01670572e475a4220a96021811369659f4286093b9df2e5c16fdac6b8d99ee5a27adb146a6c
SHA1 hash: 685c87b87d1550d76bcead526fd6df37baeaa64e
MD5 hash: dfd4e0d9397b50c55cefba868f3bfdbd
humanhash: maine-indigo-oscar-arkansas
File name:SecuriteInfo.com.Variant.Zusy.433412.11151.12756
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:751'616 bytes
First seen:2022-07-20 02:48:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1fe30710cd81c908b0878e166e653d4 (2 x DBatLoader, 2 x RemcosRAT, 1 x Formbook)
ssdeep 12288:mDVyc7hRZ/ksbXlwv/qcAD/reQynzySzQrtVSX3x7FRSRjAf2rDNtl2aCHVVDHg:O9j1ksXev/qcADPyzySzWtVSn52pAf2s
Threatray 1'655 similar samples on MalwareBazaar
TLSH T1D6F48D71E6F0CE32D12A197F5C5BB1695C2D7E202D25F8862AE8394C5FF874138292E7
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 27d0d8d6d6d8d023 (11 x RemcosRAT, 6 x DBatLoader, 5 x ModiLoader)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/292313/
Detection(s):
SecuriteInfo.com.Variant.Zusy.433412.11151.12756.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Variant.Zusy.433412.11119.31541.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26802/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger obfuscated packed
Link:
https://www.filescan.io/uploads/62d76d9c8fbcdde3605ed319/reports/f6c29ff3-3ec9-4240-a79f-afc7a3bebdb7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/867737ab-8d4c-4b55-8b03-bd269b9af796
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1038144
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 670639 Sample: SecuriteInfo.com.Variant.Zu... Startdate: 21/07/2022 Architecture: WINDOWS Score: 100 69 Multi AV Scanner detection for domain / URL 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for URL or domain 2->73 75 4 other signatures 2->75 9 SecuriteInfo.com.Variant.Zusy.433412.11151.exe 1 21 2->9         started        14 Znnbkb.exe 15 2->14         started        16 Znnbkb.exe 15 2->16         started        process3 dnsIp4 55 onedrive.live.com 9->55 57 jugjbw.db.files.1drv.com 9->57 59 db-files.fe.1drv.com 9->59 45 C:\Users\Public\Libraries\Znnbkb.exe, PE32 9->45 dropped 47 C:\Users\Public\Libraries\ZnnbkbO.bat, ASCII 9->47 dropped 49 C:\Users\...\Znnbkb.exe:Zone.Identifier, ASCII 9->49 dropped 85 Writes to foreign memory regions 9->85 87 Allocates memory in foreign processes 9->87 89 Creates a thread in another existing process (thread injection) 9->89 18 DpiScaling.exe 2 2 9->18         started        22 cmd.exe 1 9->22         started        61 onedrive.live.com 14->61 65 2 other IPs or domains 14->65 91 Multi AV Scanner detection for dropped file 14->91 93 Injects a PE file into a foreign processes 14->93 24 DpiScaling.exe 14->24         started        63 onedrive.live.com 16->63 67 2 other IPs or domains 16->67 26 DpiScaling.exe 16->26         started        file5 signatures6 process7 dnsIp8 51 dash.3utilities.com 185.191.231.249, 2404, 49774 UNREAL-SERVERSUS Netherlands 18->51 53 dash1.3utilities.com 185.176.220.74, 2404, 49776, 49780 LV-2CLOUD-ASN16LV Latvia 18->53 77 Found stalling execution ending in API Sleep call 18->77 79 Contains functionality to steal Chrome passwords or cookies 18->79 81 Contains functionality to inject code into remote processes 18->81 83 3 other signatures 18->83 28 DpiScaling.exe 18->28         started        31 DpiScaling.exe 2 18->31         started        33 DpiScaling.exe 1 18->33         started        35 cmd.exe 1 22->35         started        37 conhost.exe 22->37         started        signatures9 process10 signatures11 95 Tries to steal Instant Messenger accounts or passwords 28->95 97 Tries to steal Mail credentials (via file / registry access) 28->97 99 Tries to harvest and steal browser information (history, passwords, etc) 31->99 39 net.exe 1 35->39         started        41 conhost.exe 35->41         started        process12 process13 43 net1.exe 1 39->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/938520cce11835b7bd6e0727bc6ae0a1e120ca0d6878308e3dd2b4daa9157145/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-20 02:49:11 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=socsbthbda23pploa4t3y2xauhqsbsqnnb4dbdr52k2nvkivofcq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
3880fb052955a0a189467378cdfa76b830a23417a89265eb347918a99ca3ca65
RemcosRAT
48d05f98dc0e107ca09492b3f4e3728464d8c844870057c0aabc728f0043b2f7
RemcosRAT
5846f8d9e5caeb811b302cf2742e0747b436d891d4803d8ea9f98e6e8125a94a
RemcosRAT
6353828ddb8f70dd9a535d3314ac328b044539563334f093173b86fd96e24707
RemcosRAT
6a4b5aab71a352d6ae6140f99a28b0c38df78a8985b3383f1bc424ca74e046fe
RemcosRAT
83a1ca1bc7363633b8e514a8c2b79ff0e223fc578b0a20e4e088a3daf5424a61
RemcosRAT
bd09b7f6ad0ca7e7c74eee9ecab5fd3de92f24529c708370710161847d0861be
RemcosRAT
db5a12184d9b6acdf484a88b3e65aa9435f8a9d7eda48418aef2d028b98913d4
RemcosRAT
fd4e5f6c6b0e764dd7c0bb64e65985a4304d0a8f3103ea22656549f0b00508d5
RemcosRAT
+ 1'645 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/220720-da1n1sbba6/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
dash.3utilities.com:2404
dash1.3utilities.com:2404
dash2.ddns.net:2404
bash.mywire.org:2404
bash1.accesscam.org:2404
dash3.ddns.net:2404
dash4.ddns.net:2404
bash2.accessscam.org:2404
Unpacked files
SH256 hash:
e5cee39f56c43d207f40862077d5b015e62929ff21f9de4e45c3b958c8947770
MD5 hash:
0de7dbbda445e257c9169774b9a8000b
SHA1 hash:
23ab78a6fdd513f2b3877efc92a71fe7d44db0db
Link:
https://www.unpac.me/results/0515269c-6480-430d-84f5-981d7d12df9b/
SH256 hash:
938520cce11835b7bd6e0727bc6ae0a1e120ca0d6878308e3dd2b4daa9157145
MD5 hash:
dfd4e0d9397b50c55cefba868f3bfdbd
SHA1 hash:
685c87b87d1550d76bcead526fd6df37baeaa64e
Link:
https://www.unpac.me/results/0515269c-6480-430d-84f5-981d7d12df9b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/938520cce11835b7bd6e0727bc6ae0a1e120ca0d6878308e3dd2b4daa9157145

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/292313/

Comments