MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3aab02445dfa2ff67c27a8965fb2263965c2ad3f31475e6b6a4459b5c191827. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3aab02445dfa2ff67c27a8965fb2263965c2ad3f31475e6b6a4459b5c191827
SHA3-384 hash: c1d8e6669beeded5ece0a729dbb9ece6687791718927b6813191aedb40b39a58299ffcadbd64f5781c778279c8e8da1d
SHA1 hash: d7530f423e518d980c61a21e8083f2b30d55f0d3
MD5 hash: 3bbc40e1ec9123bf7b0f827845f0e4a5
humanhash: harry-michigan-five-queen
File name:HP PREMIÈRE COMMANDE-O3131P4,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'080'320 bytes
First seen:2021-09-21 08:00:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc8cc1eea5c25ce2056d7da92bd98134 (9 x RemcosRAT, 3 x NetWire, 1 x AveMariaRAT)
ssdeep 12288:BSZPsJUL/MN/cen/VwTQBXcameDCnNmBeoAdrL7+o:bOQN/cu/VdBXKyCnEwrP
Threatray 1 similar samples on MalwareBazaar
TLSH T1FD356BE373C0DCA1ED24393ECD4671616A287FF839029C4DBD647B8A3A65A64F89C447
File icon (PE):PE icon
dhash icon 88a2b6b2aaaad4d4 (11 x RemcosRAT, 3 x Formbook, 2 x AveMariaRAT)
Reporter abuse_ch
Tags:exe FRA geo RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HP PREMIÈRE COMMANDE-O3131P4,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-21 08:04:09 UTC
Tags:
installer trojan rat remcos
Link:
https://app.any.run/tasks/914c2261-a061-45a1-a05b-ebd1398fff53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Zusy.401426.12281.16827.UNOFFICIAL
Create hunting rule

Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d4cf01e-df78-43eb-8a71-7055b1feb450
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854656
Signature
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 487086 Sample: HP PREMI#U00c8RE COMMANDE-O... Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 44 ongod4ever.ddns.net 2->44 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Detected Remcos RAT 2->74 76 2 other signatures 2->76 9 Dmtuxml.exe 15 2->9         started        13 HP PREMI#U00c8RE COMMANDE-O3131P4,pdf.exe 1 22 2->13         started        16 Dmtuxml.exe 15 2->16         started        signatures3 process4 dnsIp5 48 sn-files.fe.1drv.com 9->48 58 2 other IPs or domains 9->58 78 Multi AV Scanner detection for dropped file 9->78 80 Writes to foreign memory regions 9->80 82 Creates a thread in another existing process (thread injection) 9->82 18 mobsync.exe 9->18         started        50 sn-files.fe.1drv.com 13->50 52 onedrive.live.com 13->52 54 morqkq.sn.files.1drv.com 13->54 42 C:\Users\Public\Libraries\...\Dmtuxml.exe, PE32 13->42 dropped 84 Injects a PE file into a foreign processes 13->84 21 DpiScaling.exe 2 13->21         started        24 cmd.exe 1 13->24         started        26 cmd.exe 1 13->26         started        56 sn-files.fe.1drv.com 16->56 60 2 other IPs or domains 16->60 28 logagent.exe 16->28         started        file6 signatures7 process8 dnsIp9 62 Contains functionality to steal Chrome passwords or cookies 18->62 64 Contains functionality to inject code into remote processes 18->64 66 Contains functionality to steal Firefox passwords or cookies 18->66 46 ongod4ever.ddns.net 194.147.140.26, 49753, 49756, 49757 PTPEU unknown 21->46 68 Delayed program exit found 21->68 30 reg.exe 1 24->30         started        32 conhost.exe 24->32         started        34 cmd.exe 1 26->34         started        36 conhost.exe 26->36         started        signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3aab02445dfa2ff67c27a8965fb2263965c2ad3f31475e6b6a4459b5c191827/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 07:44:15 UTC
AV detection:
10 of 44 (22.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uovlajcf36rp6z6cpkewl6zcmolfykwt6mkhlzvwurczwxazdatq._file
Verdict:
malicious
Similar samples:
83db97610db35554df4061ac1370a10dcda2006d212f4d17e741cfdfdf6264cb
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:able god persistence rat
Link:
https://tria.ge/reports/210921-jwjkhsggf9/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
ongod4ever.ddns.net:5652
Unpacked files
SH256 hash:
9df5839fe41103d241af27c07ec4fce4adfb9129cb57fe6d3fd9a396a750fb49
MD5 hash:
36e70e671e5390c2363ea8803df1c84a
SHA1 hash:
8905d18a2eb8299c800331aee4bbd05afa8f5bcc
Link:
https://www.unpac.me/results/e99de8e0-0b17-4505-9834-ebb44d4c3dc4/
SH256 hash:
a3aab02445dfa2ff67c27a8965fb2263965c2ad3f31475e6b6a4459b5c191827
MD5 hash:
3bbc40e1ec9123bf7b0f827845f0e4a5
SHA1 hash:
d7530f423e518d980c61a21e8083f2b30d55f0d3
Link:
https://www.unpac.me/results/e99de8e0-0b17-4505-9834-ebb44d4c3dc4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/a3aab02445dfa2ff67c27a8965fb2263965c2ad3f31475e6b6a4459b5c191827

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments