MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9433ec5758b48a6193b6b80ac03df0acf553d2ebeba04d84b6dbec9558a6e035. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9433ec5758b48a6193b6b80ac03df0acf553d2ebeba04d84b6dbec9558a6e035
SHA3-384 hash: 02099bf4de6f7dd4e33310fd5fbb03191a1fd0a39c13c821d1280bb95d853670df6f5ed35ba60d6a58291a027648d084
SHA1 hash: 2c8f02b4a0530457cbc633445bf9d11b8f12b81b
MD5 hash: 48d20d1c2a35604525157b95b44f4d3c
humanhash: bulldog-early-butter-enemy
File name:Payment Advice - Advice Ref[GLV404865688] Pr.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:820'736 bytes
First seen:2022-07-25 06:07:30 UTC
Last seen:2022-07-25 06:41:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 781d4553e908b497b062e7e382c7936c (5 x DBatLoader, 4 x AveMariaRAT, 2 x RemcosRAT)
ssdeep 24576:7WWH7k2z/m1uA7Zo4pdktVSn52pAf2rDNtl2aCHXKOe:7WrqMpduSn52KN1e
Threatray 2'617 similar samples on MalwareBazaar
TLSH T14305AE22F2904937C063197C8D5B57A1A9357E113E24D98ABBFA1E4C1FF9B903D292D3
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 00d0b255687452a2 (5 x DBatLoader, 5 x AveMariaRAT, 2 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
87.251.79.109:2442

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
87.251.79.109:2442 https://threatfox.abuse.ch/ioc/839419/

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293881/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.5856.22746.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.W32.AIDetect.malware2.32576.25750.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Sending an HTTP GET request
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27304/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint greyware keylogger obfuscated packed stealer
Link:
https://www.filescan.io/uploads/62de33838ef7740364ffd85e/reports/641426c8-f92b-442b-9b48-02cbe0aa8930/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8319ca3f-ec67-43ca-bcf2-759203f20f7c
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1040150
Signature
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Yara detected DBatLoader
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 672644 Sample: Payment Advice - Advice Ref... Startdate: 25/07/2022 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Multi AV Scanner detection for domain / URL 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 5 other signatures 2->44 6 Payment Advice - Advice Ref[GLV404865688]  Pr.exe 3 18 2->6         started        11 Kmfmpv.exe 14 2->11         started        13 Kmfmpv.exe 16 2->13         started        process3 dnsIp4 24 bestsuccess.ddns.net 87.251.79.109, 2442, 49749, 49750 RISS-ASRU Russian Federation 6->24 26 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49731, 49740 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 6->26 32 5 other IPs or domains 6->32 22 C:\Users\Public\Libraries\Kmfmpv.exe, PE32 6->22 dropped 46 Injects a PE file into a foreign processes 6->46 15 Payment Advice - Advice Ref[GLV404865688]  Pr.exe 1 6->15         started        18 Payment Advice - Advice Ref[GLV404865688]  Pr.exe 2 6->18         started        20 Payment Advice - Advice Ref[GLV404865688]  Pr.exe 1 6->20         started        28 onedrive.live.com 11->28 34 2 other IPs or domains 11->34 48 Multi AV Scanner detection for dropped file 11->48 30 onedrive.live.com 13->30 36 2 other IPs or domains 13->36 file5 signatures6 process7 signatures8 50 Tries to steal Instant Messenger accounts or passwords 15->50 52 Tries to steal Mail credentials (via file / registry access) 15->52 54 Tries to harvest and steal browser information (history, passwords, etc) 18->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9433ec5758b48a6193b6b80ac03df0acf553d2ebeba04d84b6dbec9558a6e035/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-07-25 00:06:18 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqz6yv2ywsfgde5wxafmappqvt2vhuxl5oqe3bfw3pwjkwfg4a2q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
121dd806963977a4c80e98a91e1bccf577d74da295787f7d61ef22cc1026822e
RemcosRAT
22eb93bbc1e2fbfc6435a3e3514684d17c3577e4edae4bb76470212e72b70e89
RemcosRAT
38210d71449f0b7d9f390c954672147b155d7314bc0a045b8f256ae60495de3a
RemcosRAT
43f10078024b30fba173f3c40de4f2c2e98d0e879ad682f87bdc9e44ff03c655
RemcosRAT
52876d1726bf1657b61f1a2e7bf932ee15ca41ff84874fc769755ea233ea10ba
RemcosRAT
6d16f6ecb3a446d0c6bfa0fc7a47dabac2e63cebfa426f4502a5bcecf378c645
RemcosRAT
7a95dfe43a03318c0301489c77ecdb7f5da54842c4731a1f0c4214569155813e
RemcosRAT
9a6542e7da5c82465fd053f020d82161a8995c3353b58ac9b3e085d70d9ecf8d
RemcosRAT
ebcb09c56c09245ba10f231b7d4bfacdb5615ee6e3820f479f0a0d6488759668
RemcosRAT
+ 2'607 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos collection persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220725-gvwscaaafk/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Reads user/profile data of web browsers
ModiLoader Second Stage
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
ModiLoader, DBatLoader
Remcos
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
Unpacked files
SH256 hash:
e5cee39f56c43d207f40862077d5b015e62929ff21f9de4e45c3b958c8947770
MD5 hash:
0de7dbbda445e257c9169774b9a8000b
SHA1 hash:
23ab78a6fdd513f2b3877efc92a71fe7d44db0db
Link:
https://www.unpac.me/results/ff0e85f3-2c88-4498-bb81-a70a2ad89eb5/
SH256 hash:
9433ec5758b48a6193b6b80ac03df0acf553d2ebeba04d84b6dbec9558a6e035
MD5 hash:
48d20d1c2a35604525157b95b44f4d3c
SHA1 hash:
2c8f02b4a0530457cbc633445bf9d11b8f12b81b
Link:
https://www.unpac.me/results/ff0e85f3-2c88-4498-bb81-a70a2ad89eb5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/9433ec5758b48a6193b6b80ac03df0acf553d2ebeba04d84b6dbec9558a6e035

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/293881/

Comments