MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9584f63d38c2dec8fa79a9f0e1d9d2c30d8afdd84bea99e2139ff65898f0df8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9584f63d38c2dec8fa79a9f0e1d9d2c30d8afdd84bea99e2139ff65898f0df8
SHA3-384 hash: e9569324226cf86cdeba9bab8ad9ddc474e3f87aeb2fb9994520fd6999e3f952d1f3948090aface5f1d5fdb2d528376c
SHA1 hash: 03a2aa1c198960d16fd83f94a5553aa8238d1b4f
MD5 hash: 8c7183dda2641762c505f644e4d60a00
humanhash: fifteen-mobile-nebraska-kilo
File name:Microsoft Excel 2010 siparişi WJO-1460911120343.xlxs.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'219'584 bytes
First seen:2021-08-17 08:48:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7b3d39f86bce9836a8fcdf7d5c6f7f87 (2 x RemcosRAT, 1 x AveMariaRAT, 1 x Formbook)
ssdeep 24576:0h4WI1DOj6P0hFORupCAzQUedKPIddHlen0F:8ej+XQUeET0
Threatray 860 similar samples on MalwareBazaar
TLSH T1FB457C8FBE92AD37C50A1AB31F1E5668851EBE603C25684A77E4FB4F25732C1780494F
dhash icon 12093cbab83c0912 (4 x RemcosRAT, 1 x AveMariaRAT, 1 x Formbook)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Microsoft Excel 2010 siparişi WJO-1460911120343.xlxs.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-17 08:50:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f6c7a6a9-7b91-46f6-92af-42c24cee4461

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MachineLearning.Anomalous.96.16387.14295.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f02a9ed9-de18-45ed-9cd2-fddfaca1188d
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834190
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 466620 Sample: Microsoft Excel 2010 sipari... Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Detected Remcos RAT 2->53 55 2 other signatures 2->55 6 Microsoft Excel 2010 sipari#U015fi WJO-1460911120343.xlxs.exe 1 19 2->6         started        11 Kridxus.exe 16 2->11         started        13 Kridxus.exe 16 2->13         started        process3 dnsIp4 25 twprrg.dm.files.1drv.com 6->25 27 onedrive.live.com 6->27 29 dm-files.fe.1drv.com 6->29 23 C:\Users\Public\Libraries\...\Kridxus.exe, PE32 6->23 dropped 57 Writes to foreign memory regions 6->57 59 Allocates memory in foreign processes 6->59 61 Creates a thread in another existing process (thread injection) 6->61 15 mshta.exe 2 3 6->15         started        31 twprrg.dm.files.1drv.com 11->31 35 2 other IPs or domains 11->35 63 Injects a PE file into a foreign processes 11->63 19 logagent.exe 11->19         started        33 twprrg.dm.files.1drv.com 13->33 37 2 other IPs or domains 13->37 21 mobsync.exe 13->21         started        file5 signatures6 process7 dnsIp8 39 willofgod.hopto.org 79.134.225.11, 4903 FINK-TELECOM-SERVICESCH Switzerland 15->39 41 Contains functionality to steal Chrome passwords or cookies 15->41 43 Contains functionality to inject code into remote processes 15->43 45 Contains functionality to steal Firefox passwords or cookies 15->45 47 Delayed program exit found 19->47 signatures9
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a9584f63d38c2dec8fa79a9f0e1d9d2c30d8afdd84bea99e2139ff65898f0df8/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 08:49:20 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vfme6y6trqw6zd5htkpq4hm5fqynrl65qs7kthrbhh7wlcmpbx4a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b10f51931ebadefe515c5db78b89095df9ff47ad1bd042eace9d47047c5a09d
RemcosRAT
3e7e6d13bdd1a095fb9e1647e4f13514976e7a27c3e99b9e06ac7535bd4d1a71
RemcosRAT
4c0c348d5fe6d35084087f5df83a5d5f15aa75a30b1dc37204f701383a7685eb
RemcosRAT
5dd2f8347b2c2a334231ec2167d38514868ebbeede5311ace774c9a4b5375fff
RemcosRAT
7a97f05df11f826ba1d973f260a565584d9db207a8130cf2769d0156078cc944
RemcosRAT
88b1766ff9c749387b51b47bde3e387393a01d10133a04c5afb763fd9670926a
RemcosRAT
9a8c41228b0c201d956ec0c6612e978438c403759d6e1fa0b33e63c3375e3c56
RemcosRAT
e1686c75b6d0982c533063557289dd24d66ba74a9dd37cd5d328c3451035a01f
RemcosRAT
f74e5e77ee6f64654fb912f76a8b5095d783bf3af22dea186ef7b5730c4a868e
RemcosRAT
+ 850 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210817-ncblf9zr6a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
795b2b5d6668147d7924ac96f90741ddc2a2b5003f455fb842b613a286fbf8fc
MD5 hash:
53011b69a7231aea23d66805a681144b
SHA1 hash:
e3d0d157e763c865e79ccc5bedc2fd5fd90413f7
Link:
https://www.unpac.me/results/af5633f1-df43-4e05-8d8a-c59a3adaa8d0/
SH256 hash:
e1c646bdf678748242976ce003a09c57f41153da300fe352165ef3d4172f7075
MD5 hash:
fdec8518d8a9e278ed5a71141132e30a
SHA1 hash:
b788b0c45fc8a34e2a21337f6224a20f50022296
Link:
https://www.unpac.me/results/af5633f1-df43-4e05-8d8a-c59a3adaa8d0/
SH256 hash:
a9584f63d38c2dec8fa79a9f0e1d9d2c30d8afdd84bea99e2139ff65898f0df8
MD5 hash:
8c7183dda2641762c505f644e4d60a00
SHA1 hash:
03a2aa1c198960d16fd83f94a5553aa8238d1b4f
Link:
https://www.unpac.me/results/af5633f1-df43-4e05-8d8a-c59a3adaa8d0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a9584f63d38c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/a9584f63d38c2dec8fa79a9f0e1d9d2c30d8afdd84bea99e2139ff65898f0df8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments