MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c9243f11dd44d1f1ac97716014be57244dca97a514e73d5f13da03392cba358. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 13



SHA256 hash: 9c9243f11dd44d1f1ac97716014be57244dca97a514e73d5f13da03392cba358
SHA3-384 hash: fcbfbbff1e9222177f0f654d293e5619fecaff02f37a170f6b4041ddce8dfa9a54f47195b5ca5adfddab7d695033b27e
SHA1 hash: 8bdf3cb8adb97c401f53051b2f44e55f385e930c
MD5 hash: dc456dc489e1067d10f6ea3785899c37
humanhash: coffee-kansas-west-yellow
File name: DOCUMENT.EXE
Signature: RemcosRAT
File size: 931'328 bytes
First seen: 2022-04-16 19:59:07 UTC
Last seen: 2022-04-20 10:22:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a8e2943a34c0346218989c0b4df2333f (1 x AveMariaRAT, 1 x RemcosRAT)
ssdeep: 12288:PlQI+DaXFl8aTz6ruQfM+CIj3BYAB58mwP3CXnJnXnG8VCNsFKzaRHr:NnFlDH6dfM+CIdzB58r0JnXnG1xz
Threatray: 8'446 similar samples on MalwareBazaar
TLSH: T1C2159E23B2904433D1771F788D6B5799682ABE113E29AD463BF0FE0C5F392C1752A297
TrID:
  92.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
  1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  1.8% (.SCR) Windows screen saver (13101/52/3)
  1.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  0.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 7cf6b6aa8ed8e8b4 (18 x Formbook, 8 x DBatLoader, 7 x AveMariaRAT)
Reporter: cocaman
Tags: DHL exe RemcosRAT

Intelligence

File Origin
# of uploads: 2
# of downloads: 420
Origin country: n/a
Vendor Threat Intelligence

Result
Malware family:
ID: 1
File name: DOCUMENT.EXE
Verdict: Malicious activity
Analysis date: 2022-04-16 19:59:57 UTC
Tags: rat remcos keylogger
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating synchronization primitives
  Creating a window
  Searching for synchronization primitives
  Launching the default Windows debugger (dwwin.exe)
  Searching for the window

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
  MalwareBazaar
  CheckScreenResolution
  CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe keylogger remote.exe replace.exe

Result
Verdict: MALICIOUS
Details: Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 60 / 100
Signature:
  Icon mismatch, binary includes an icon from a different legit application in order to fool users
  Initial sample is a PE file and has a suspicious name
  Multi AV Scanner detection for submitted file
Behaviour:
  Behavior Graph:

Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-04-15 14:42:19 UTC
File Type: PE (Exe)
Extracted files: 71
AV detection: 18 of 26 (69.23%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:modiloader family:remcos botnet:remotehost persistence rat trojan
Behaviour:
  Modifies system certificate store
  Runs net.exe
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Adds Run key to start application
  ModiLoader, DBatLoader
  Remcos
Malware Config
C2 Extraction:
  harveyautos110.ddns.net:2404
  harveyautos111.hopto.org:2404
  harveyautos112.ddns.net:2404
  harvey205.camdvr.org:2404
  harvey206.casacam.net:2404
  harvey207.accesscam.org:2404
Unpacked files
SHA256 hash: c15cc72bba4eb7def1e1f7f3cd827bb64fe178642b98603731c2dc4cce1e9103
MD5 hash: b39856eb54a849251edc8231cbe41510
SHA1 hash: 2d463e795dff6d1d8513c62b13b54fa41eb3d0ad
SHA256 hash: 9c9243f11dd44d1f1ac97716014be57244dca97a514e73d5f13da03392cba358
MD5 hash: dc456dc489e1067d10f6ea3785899c37
SHA1 hash: 8bdf3cb8adb97c401f53051b2f44e55f385e930c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: RemcosRAT
File type: Executable exe
SHA256 hash: 9c9243f11dd44d1f1ac97716014be57244dca97a514e73d5f13da03392cba358 (this sample)

Comments