MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b230ecb2de41faed1f6977799a2e7e03f4411fefbcf2e8b2e92a989f6bdd685. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b230ecb2de41faed1f6977799a2e7e03f4411fefbcf2e8b2e92a989f6bdd685
SHA3-384 hash: 288bf8eb64e626051a7bfe7d2ce8c38997a7e48962de9403a1f44dc2c00e10e461e20e4ad76a0fcd90ca1f391d1c1509
SHA1 hash: 96d4139816ca2c6bda73d32d2cb875ce2214e983
MD5 hash: 25fbd65bf5c530521de378c27f794a14
humanhash: angel-xray-angel-mars
File name:Urgent RFQ_AP65425652_032421,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:757'760 bytes
First seen:2021-08-25 10:22:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 95ca75521f0d84796bcc75c19eb91d03 (4 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 12288:HG0z7gLLMuRN/tMvdEAwM3nrkaoUfpACXDoVttivrl45g1+yVt:HfzMzRxtMEqAP0iCXDvvrlQ8xV
Threatray 475 similar samples on MalwareBazaar
TLSH T1C1F47CA7FCAD45FBD25715368C569FA89473AE127A09A84227F4780CEF7C321743422B
dhash icon f8e88ea482a8a888 (8 x RemcosRAT, 1 x AveMariaRAT, 1 x Formbook)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Urgent RFQ_AP65425652_032421,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-08-25 10:25:07 UTC
Tags:
installer trojan rat remcos
Link:
https://app.any.run/tasks/c3caf980-1b28-4584-83da-ccbbcba97fc6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182260/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Inject.4c.1673.6265.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Connection attempt to an infection source
Sending a UDP request
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dfc9b525-e2b0-456d-880a-130f2af5e7ec
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/838950
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b230ecb2de41faed1f6977799a2e7e03f4411fefbcf2e8b2e92a989f6bdd685/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 09:15:44 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tmrq5szn4qp25upws53ztixh4a7uiep67phs5czoskuyt5v522cq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b10f51931ebadefe515c5db78b89095df9ff47ad1bd042eace9d47047c5a09d
RemcosRAT
3e7e6d13bdd1a095fb9e1647e4f13514976e7a27c3e99b9e06ac7535bd4d1a71
RemcosRAT
4c0c348d5fe6d35084087f5df83a5d5f15aa75a30b1dc37204f701383a7685eb
RemcosRAT
67b3bc26efd46beadbf2f5fceb0e8ef2c8fad2e13e304f0536b6db305854cfd0
RemcosRAT
7a97f05df11f826ba1d973f260a565584d9db207a8130cf2769d0156078cc944
RemcosRAT
88b1766ff9c749387b51b47bde3e387393a01d10133a04c5afb763fd9670926a
RemcosRAT
9a8c41228b0c201d956ec0c6612e978438c403759d6e1fa0b33e63c3375e3c56
RemcosRAT
9f0c13034df95e3af02c98c025e517e4648c5a229217533f936cf811f61995e9
RemcosRAT
a9584f63d38c2dec8fa79a9f0e1d9d2c30d8afdd84bea99e2139ff65898f0df8
RemcosRAT
d89a39469a38c622ff6d1c36603491bedfc5d5dcc92cf629aa50057eda35f563
RemcosRAT
+ 465 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:gr8est persistence rat suricata trojan
Link:
https://tria.ge/reports/210825-jrkcpv7we2/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
Malware Config
C2 Extraction:
manneedmoney.ddns.net:6642
Unpacked files
SH256 hash:
69b43f764e65daf8af6feec1aaceae822fc6705587d86a9eb490ebcd23c157eb
MD5 hash:
1ba17c2bbea2acdefc2e510c70936486
SHA1 hash:
3a753d99891da45886d265760db33d9e06d9c9e9
Link:
https://www.unpac.me/results/fd30c33f-f95c-43fc-8410-81766853b941/
SH256 hash:
9b230ecb2de41faed1f6977799a2e7e03f4411fefbcf2e8b2e92a989f6bdd685
MD5 hash:
25fbd65bf5c530521de378c27f794a14
SHA1 hash:
96d4139816ca2c6bda73d32d2cb875ce2214e983
Link:
https://www.unpac.me/results/fd30c33f-f95c-43fc-8410-81766853b941/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9b230ecb2de4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b230ecb2de41faed1f6977799a2e7e03f4411fefbcf2e8b2e92a989f6bdd685

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 9b230ecb2de41faed1f6977799a2e7e03f4411fefbcf2e8b2e92a989f6bdd685

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/182260/

Comments