MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a945b79aac37747c2662abfbddce86f26b20f3f789c05999ffae204a69115edd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a945b79aac37747c2662abfbddce86f26b20f3f789c05999ffae204a69115edd
SHA3-384 hash: f3808c69115b04fa58a064864d0fadc505178585fa241ad27dffa3025a23b8fc4a50aea7546e040cd6b7081b501558e4
SHA1 hash: 37836287d2a2aa2d8bb812f14e79e15eec1a0ada
MD5 hash: 087f41af68a9d06f2a8e8c69ee03a0f2
humanhash: gee-kitten-single-saturn
File name:DHL_4422333.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:755'344 bytes
First seen:2021-05-21 15:54:48 UTC
Last seen:2021-05-21 16:02:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ee65274bc19b4d848f45a22b7523accb (3 x RemcosRAT, 1 x BitRAT, 1 x NetWire)
ssdeep 12288:2+9Eot2ZQwPHyDc2sATUbJh0vgpz4KKoz5BW6Q4NsS:2+2oCPHyQ0TCyvCzXWKsS
Threatray 220 similar samples on MalwareBazaar
TLSH 09F4BF32A2A2847BC1AB197D9C071F659936BD302D1429E237F93E985E3D6C1391F3D2
Reporter abuse_ch
Tags:DHL exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_4422333.exe
Verdict:
Malicious activity
Analysis date:
2021-05-21 16:09:38 UTC
Tags:
installer rat remcos keylogger
Link:
https://app.any.run/tasks/7b16fa79-649c-43bb-a5c5-e7ed632992c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Setting a keyboard event handler
Launching cmd.exe command interpreter
Launching a process
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/787599
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to steal Chrome passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 420000 Sample: DHL_4422333.exe Startdate: 21/05/2021 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 5 other signatures 2->45 8 DHL_4422333.exe 1 23 2->8         started        13 Ejvzxu.exe 13 2->13         started        15 Ejvzxu.exe 14 2->15         started        process3 dnsIp4 37 cdn.discordapp.com 162.159.135.233, 443, 49702, 49704 CLOUDFLARENETUS United States 8->37 33 C:\Users\Publicjvzxujvzxu.exe, PE32 8->33 dropped 49 Detected unpacking (creates a PE file in dynamic memory) 8->49 51 Contains functionality to steal Chrome passwords or cookies 8->51 53 Injects a PE file into a foreign processes 8->53 59 2 other signatures 8->59 17 DHL_4422333.exe 2 3 8->17         started        21 cmd.exe 1 8->21         started        55 Multi AV Scanner detection for dropped file 13->55 57 Machine Learning detection for dropped file 13->57 23 Ejvzxu.exe 13->23         started        25 Ejvzxu.exe 15->25         started        file5 signatures6 process7 dnsIp8 35 rem.nerdpol.ovh 104.208.31.182, 2288, 49717 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 17->35 47 Installs a global keyboard hook 17->47 27 cmd.exe 1 21->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a945b79aac37747c2662abfbddce86f26b20f3f789c05999ffae204a69115edd/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-05-21 15:55:14 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vfc3pgvmg52hyjtcvp553tug6jvsb47xrhaftgp7vyqeu2irl3oq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
01b1f2041aaba6815657a7a7409a0843868459fa3cabf0c377a83862ac88a27f
RemcosRAT
1fc8b21214b10720988c33582ca6415bf3d052a829ba4db3dcbd77655de4f95d
RemcosRAT
32c3d29676757629b7ceeafd699c33c14147a79fc07a54889e6f66cd5118b123
RemcosRAT
3c0df5607ab1e7bf906ce2be36ee0bb970c26baf19710f0c195ca9356a2d918f
RemcosRAT
3d263b6e2cdc6e43060faf06203a211ed5f716238157fc36f3f0d5b21777c0ac
RemcosRAT
5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27
RemcosRAT
a5ae2e0f9a8f1c50e21ea93f4a195097753cd16436ffa4e946add38da873c8cb
RemcosRAT
b8ce8a49d849245023b3a5085b5309be738fb56797a31530ecf79d50aae8139f
RemcosRAT
d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55
RemcosRAT
f0896ba259cc40a67474db857cbca2cd43099f5b49be45c3e3a3a34a06765b7f
RemcosRAT
+ 210 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210521-eaenlr8mqs/
Behaviour
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
rem.nerdpol.ovh:2288
rem1.nerdpol.ovh:2288
rem2.nerdpol.ovh:2288
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a945b79aac37747c2662abfbddce86f26b20f3f789c05999ffae204a69115edd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_56f008e69a7c4c3feb389c66eaf58259
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-21 16:09:07 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [F0002.002] Collection::Polling
4) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0051] File System Micro-objective::Read File
7) [C0052] File System Micro-objective::Writes File
8) [C0007] Memory Micro-objective::Allocate Memory
9) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
10) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
11) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
12) [C0038] Process Micro-objective::Create Thread
13) [C0041] Process Micro-objective::Set Thread Local Storage Value
14) [C0018] Process Micro-objective::Terminate Process