MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 7

SHA256 hash: a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
SHA3-384 hash: 517f76d4f4e51a8376748ae7e0c0c92888582521c093738bfcb6ab92c27238b7ef2d92b6783599f38cfcf123d5a4e1b7
SHA1 hash: f6c49a79b97dd6d6a8939bc46d7ac5fb68dab8ad
MD5 hash: b28c11943d0779aa8b2a118ebca7a52e
humanhash: sierra-steak-quebec-failed
File name: Scanxii_Signed_.exe
Signature: RemcosRAT
File size: 1'117'440 bytes
First seen: 2020-07-21 07:43:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5e381c455fbb563ca5f2237e8dff94bd (4 x RemcosRAT, 2 x Formbook, 1 x NetWire)
ssdeep: 24576:+0vtfbdNzTnlj/jllmyXkybwEIVKGfHNBJV2jjFP0MqvfK:+0v9f/kxEIVRfHfJV2nFP0MP
Threatray: 920 similar samples on MalwareBazaar
TLSH: 1735AF13F3608D72D13315389C634ABD9B2BBF153625984D6AE6DF088F39181793A3A7
Reporter: abuse_ch
Tags: exe GoDaddy RemcosRAT


abuse_ch
Malspam distributing unidentified malware:

HELO: p3plmtsmtp01.prod.phx3.secureserver.net
Sending IP: 184.168.131.12
From: Peybord Solutions <account@peybordco.com>
Subject: For Your Kind Attention (Ref ID: XIICBF)
Attachment: Scanxii_Signed_.img (contains "Scanxii_Signed_.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 79
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour: Creating a window

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Behaviour
Behavior Graph:
Behavior Graph ID: 248674; Sample: Scanxii_Signed_.exe; Startdate: 21/07/2020; Architecture: WINDOWS; Score: 100

Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; 2 other signatures

Process tree (the graph's parent-to-child arrows rendered as nesting):
- Scanxii_Signed_.exe
  - Network: 91.193.75.176 (ports 49725, 5890; DAVID_CRAIGGG, Serbia); cdn.discordapp.com 162.159.129.233 (ports 443, 49724; CLOUDFLARENETUS, United States)
  - Dropped: C:\Users\user\AppData\Local\...\Scanfck.exe (PE32)
  - Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
  - TapiUnattend.exe
    - Dropped: C:\Users\Public\propsys.dll (PE32+); C:\Users\Public\fodhelper.exe (PE32+)
    - Signature: Drops PE files to the user root directory
    - cmd.exe
      - Dropped: C:\Windows \System32\propsys.dll (PE32+); C:\Windows \System32\fodhelper.exe (PE32+)
      - fodhelper.exe
        - Signature: Drops executables to the windows directory (C:\Windows) and starts them
        - cmd.exe
          - cmd.exe
            - Signature: DLL side loading technique detected
            - wscript.exe
              - Signature: DLL side loading technique detected
          - conhost.exe
      - conhost.exe
    - cmd.exe
      - Signature: Uses cmd line tools excessively to alter registry or file data
      - reg.exe
        - Scanfck.exe
          - Network: cdn.discordapp.com 162.159.135.233 (ports 443, 49729; CLOUDFLARENETUS, United States)
      - conhost.exe
      - schtasks.exe
      - 2 other processes
- mshta.exe
  - Signature: DLL side loading technique detected
  - Scanfck.exe
    - Network: cdn.discordapp.com 162.159.134.233 (ports 443, 49727; CLOUDFLARENETUS, United States)
    - Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
- mshta.exe
Result
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2020-07-21 07:45:07 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: persistence rat family:remcos
Behaviour: Modifies registry key; Script User-Agent; Suspicious use of WriteProcessMemory; Adds Run key to start application; Executes dropped EXE; Remcos
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | RemcosRAT | Executable exe a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8 (this sample)
Delivery method: Distributed via e-mail attachment

Comments