MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0f43b627353f91afa5e4a9c5eea655f5375e497933a6e37c3c0f8a5a29a2889. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 8



SHA256 hash: b0f43b627353f91afa5e4a9c5eea655f5375e497933a6e37c3c0f8a5a29a2889
SHA3-384 hash: 0ee199ce88459fcad135f8bf3fb3da346d905976ada62c49068fda1c3e8c8ee2b93fc0c3c1c6ec469a3fd75a08b8bf96
SHA1 hash: b9005e605fac55df470cde2b1ab0a1441fb1527f
MD5 hash: ce5d381161004cbbd80eaf1f37089cb2
humanhash: thirteen-yankee-orange-sink
File name: ce5d381161004cbbd80eaf1f37089cb2
Signature: RemcosRAT
File size: 766'464 bytes
First seen: 2021-09-03 02:02:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ee4f103a4bbb8328057c2211d7594d0a (2 x RemcosRAT)
ssdeep: 12288:uEkuPF5S618CS6qkVdQOHvDc9aGKqa/yAXKQcj2SKI:uE/HS61uyswGKqXAzcR
Threatray: 560 similar samples on MalwareBazaar
TLSH: T151F47D22B640497AE0AB5AF44C0E72A9DC2ABD50367858E94BF07D0C5F7E3937726533
dhash icon: daebe9240804a462 (7 x RemcosRAT, 1 x Formbook, 1 x AveMariaRAT)
Reporter: zbetcheckin
Tags: 32 exe RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 140
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: tud.exe
Verdict: Suspicious activity
Analysis date: 2021-09-03 01:48:01 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 476900, Sample: aWJOIbEUw4, Startdate: 03/09/2021, Architecture: WINDOWS, Score: 100. Recoverable node labels: the sample (aWJOIbEUw4.exe) drops C:\Users\Public\Libraries\...\Uogsnyk.exe, launches mshta.exe and cmd.exe (which in turn spawn reg.exe and conhost.exe), resolves sn-files.fe.1drv.com, onedrive.live.com and nt5jww.sn.files.1drv.com, and connects to twistednerd.dvrlists.com (62.102.148.152:8618, TEKNIKBYRANSE, Sweden).
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-09-01 17:41:40 UTC
AV detection: 25 of 43 (58.14%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:modiloader family:remcos botnet:augusta persistence rat trojan
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction: twistednerd.dvrlists.com:8618
Unpacked files

Unpacked file 1
SHA256 hash: 1f5c2520d541b41af22ee4917c07e110a14b1509097459886dcf6d0290cfc869
MD5 hash: f5a98486daa07622d3091142a9e42d5e
SHA1 hash: 44b6b9d1b0009f9c1b3e9662789030873b9908d7

Unpacked file 2
SHA256 hash: 4e1202f3e7e04b0b3ca1df164bf5381f24063c142317e774d4e5d88b2b3ac744
MD5 hash: aa23dee2c34813d67fe9c67ec784782a
SHA1 hash: 10b2e7af7cb9d6f852e6d607875a8c9613538930

Unpacked file 3 (this sample)
SHA256 hash: b0f43b627353f91afa5e4a9c5eea655f5375e497933a6e37c3c0f8a5a29a2889
MD5 hash: ce5d381161004cbbd80eaf1f37089cb2
SHA1 hash: b9005e605fac55df470cde2b1ab0a1441fb1527f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  RemcosRAT
    Executable exe b0f43b627353f91afa5e4a9c5eea655f5375e497933a6e37c3c0f8a5a29a2889 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2021-09-03 02:02:11 UTC

url: hxxp://198.23.251.110/tud.exe