MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1adbdad4e1d0b04ddbac043a174b0b9e2731402fd9422085243c32c8e575fdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 10



SHA256 hash: a1adbdad4e1d0b04ddbac043a174b0b9e2731402fd9422085243c32c8e575fdf
SHA3-384 hash: 075a1a7f6cd37a0150b5c2262553ec9ee14b20f2cc4813a97ef86c01bf0c4765c2a8f7bc1cabcd3b1821e4049b7376de
SHA1 hash: 0caf24293195aa1f6e90f27be51fb23326a53acc
MD5 hash: 674739cd5807794ca477f7f9f43156ec
humanhash: equal-east-shade-oregon
File name: lista1678,PDF.exe
Signature: RemcosRAT
File size: 718'848 bytes
First seen: 2021-09-23 20:49:13 UTC
Last seen: 2021-09-23 22:19:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9a7ebf1a69de9b324d0d1f73a7d054a0 (6 x RemcosRAT, 1 x Formbook)
ssdeep: 12288:mftAn+lE3hGAJNmUaxoSThjc4mQgMM4PW:4uwEwomU1SFA3D
Threatray: 199 similar samples on MalwareBazaar
TLSH: T15FE47E1AF750A93EF2332838CCC562949927FE4639649C8D19713F257AAD6C07A0B1F7
File icon (PE): [icon image]
dhash icon: c4dcf8c6d6d0c8d4 (21 x RemcosRAT, 3 x Formbook, 1 x AveMariaRAT)
Reporter: GovCERT_CH
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads: 2
# of downloads: 129
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: lista1678,PDF.exe
Verdict: Malicious activity
Analysis date: 2021-09-23 20:50:56 UTC
Tags: rat remcos

Note: ANY.RUN is an interactive sandbox; its report reflects the actions taken during the analysis session, not only the uploaded sample itself.

Result
Threat name: (not provided)
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph ID: 489326
Sample: lista1678,PDF.exe
Start date: 23/09/2021
Architecture: WINDOWS
Score: 100

Top-level domain: vegospupm.ddns.net
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures

Process tree recovered from the graph:

lista1678,PDF.exe
    network: ptukpw.db.files.1drv.com, 2 other IPs or domains
    dropped: C:\Users\Public\Libraries\...\Dlwkldh.exe (PE32)
    signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign process
    DpiScaling.exe
        network: vegospupm.ddns.net (185.140.53.129), ports 49758, 49760, 49761, AS DAVID_CRAIGGG, Sweden
        signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies; Delayed program exit found
    cmd.exe
        reg.exe
            conhost.exe
        conhost.exe
    cmd.exe
        cmd.exe
            conhost.exe
        conhost.exe
Dlwkldh.exe
    network: ptukpw.db.files.1drv.com, 2 other IPs or domains
    DpiScaling.exe
Dlwkldh.exe
    network: 192.168.2.1 (unknown), ptukpw.db.files.1drv.com, 2 other IPs or domains
    logagent.exe

The three ports listed next to 185.140.53.129 are in the Windows ephemeral range, consistent with client-side source ports; the configured C2 port from the extracted config is 5632.
Threat name: Win32.Trojan.Sabsik
Status: Malicious
First seen: 2021-09-23 20:50:07 UTC
AV detection: 16 of 45 (35.56%)
Threat level: 5/5
Result
Malware family: (not provided)
Score: 10/10
Tags: family:remcos botnet:blessings persistence rat
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction: vegospupm.ddns.net:5632
Unpacked files
SHA256 hash: 18498f5add7c31c1af213a720891708124ce271e4a1f4eef7427ff9ceff44767
MD5 hash: af315fe318bcbca468841006ccc57e0a
SHA1 hash: 9b18984c1d4fcafc7bde26250a937aff6c41a375
SHA256 hash: a1adbdad4e1d0b04ddbac043a174b0b9e2731402fd9422085243c32c8e575fdf (the submitted sample itself)
MD5 hash: 674739cd5807794ca477f7f9f43156ec
SHA1 hash: 0caf24293195aa1f6e90f27be51fb23326a53acc
Malware family: (not provided)
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.
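The indicators this entry gives a defender are the file hashes (submitted sample and unpacked payload), the C2 vegospupm.ddns.net:5632 from the extracted config together with the resolution the sandbox observed (185.140.53.129), and the dropped file Dlwkldh.exe below C:\Users\Public\Libraries. The Python below is an added example, not MalwareBazaar or vendor code: it hashes a file's bytes against the listed digests and scans log lines for the network and host indicators. The log format, host names and client addresses in it are constructed for the demonstration; the subdirectory of the dropped file is elided on the page, so the host check matches on directory prefix plus file name rather than a full path.

```python
"""IOC matching for this MalwareBazaar entry.

Added example, not MalwareBazaar or sandbox code.  Indicators are copied from
the entry above; everything else (log format, host names, client IPs) is
constructed for the demo.
"""
import hashlib
import re
from collections.abc import Iterable

# File hashes from the entry: the submitted sample and its unpacked payload.
IOC_HASHES: dict[str, set[str]] = {
    "sha256": {
        "a1adbdad4e1d0b04ddbac043a174b0b9e2731402fd9422085243c32c8e575fdf",  # submitted sample
        "18498f5add7c31c1af213a720891708124ce271e4a1f4eef7427ff9ceff44767",  # unpacked payload
    },
    "sha1": {
        "0caf24293195aa1f6e90f27be51fb23326a53acc",
        "9b18984c1d4fcafc7bde26250a937aff6c41a375",
    },
    "md5": {
        "674739cd5807794ca477f7f9f43156ec",
        "af315fe318bcbca468841006ccc57e0a",
    },
}
# Network indicators: the C2 from the extracted config, plus the resolution the
# sandbox saw.  The domain is dynamic DNS, so the IP is volatile and is only
# flagged together with the C2 port.
C2_DOMAIN = "vegospupm.ddns.net"
C2_PORT = 5632
C2_IP = "185.140.53.129"
# Host indicator: the sandbox dropped Dlwkldh.exe somewhere below
# C:\Users\Public\Libraries (the exact subdirectory is elided on the page),
# so match on directory prefix plus file name, not the full path.
DROPPED_DIR = r"c:\users\public\libraries"
DROPPED_NAME = "dlwkldh.exe"

_C2_IP_RE = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d.])")
_C2_PORT_RE = re.compile(rf"(?<!\d){C2_PORT}(?!\d)")


def hash_bytes(data: bytes) -> dict[str, str]:
    """MD5/SHA1/SHA256 of a file's bytes, keyed like IOC_HASHES."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hash_matches(data: bytes, iocs: dict[str, set[str]] = IOC_HASHES) -> list[str]:
    """Algorithms under which `data` hashes to a listed indicator (empty if none)."""
    digests = hash_bytes(data)
    return sorted(alg for alg, digest in digests.items() if digest in iocs.get(alg, set()))


def match_line(line: str) -> list[str]:
    """Names of the indicators a single log line hits."""
    low = line.lower()
    hits = []
    if C2_DOMAIN in low:
        hits.append("c2_domain")
    # The IP on its own is weak evidence (dynamic DNS); require the C2 port too.
    if _C2_IP_RE.search(low) and _C2_PORT_RE.search(low):
        hits.append("c2_ip_port")
    path = low.replace("/", "\\")
    if DROPPED_DIR in path and DROPPED_NAME in path:
        hits.append("dropped_file")
    return hits


def scan_logs(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Return (line, hits) for every line that matches at least one indicator."""
    results = []
    for line in lines:
        hits = match_line(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample log lines (not real telemetry): DNS, firewall and EDR events.
# The last line carries 5632 only as a source port to a non-C2 host; it must not match.
SAMPLE_LOGS = [
    "2021-09-23T20:51:02Z dns client=10.0.0.15 query=vegospupm.ddns.net type=A answer=185.140.53.129",
    "2021-09-23T20:51:03Z fw allow src=10.0.0.15 sport=49758 dst=185.140.53.129 dport=5632 proto=tcp",
    "2021-09-23T20:50:58Z edr event=FileCreate host=ws15 path=C:\\Users\\Public\\Libraries\\Dlwkldh.exe",
    "2021-09-23T20:50:40Z dns client=10.0.0.22 query=www.example.com type=A answer=203.0.113.7",
    "2021-09-23T20:52:10Z fw allow src=10.0.0.22 sport=5632 dst=198.51.100.9 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS):
        print(",".join(hits), "<-", line)
```

Run against real data, feed file contents to hash_matches and log lines to scan_logs. The IP is deliberately not an indicator on its own: vegospupm.ddns.net is a dynamic-DNS name, so the address the sandbox saw on 2021-09-23 can change while the domain and the configured port 5632 stay the stronger signal.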

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: RemcosRAT
File: Executable exe a1adbdad4e1d0b04ddbac043a174b0b9e2731402fd9422085243c32c8e575fdf (this sample)

Comments