MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b198849b0a7a1ce934d8388e1b2b6d03e8d6fce5972c5ea4b108d8e1364090e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	b198849b0a7a1ce934d8388e1b2b6d03e8d6fce5972c5ea4b108d8e1364090e7
SHA3-384 hash:	1ecbf59104253c403cd6463c67c2a999acb92f5e98688be6e47556dff2069b9f200fc1fa3ffe237f61d41add01923950
SHA1 hash:	27c439b6dd7de1ca0dab352e041db0f00a7a1db5
MD5 hash:	09b84961bbd62164637102577767dcbd
humanhash:	princess-alpha-iowa-maine
File name:	DHL_102021 alış irsaliyesi belgesi,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	867'328 bytes
First seen:	2021-10-20 07:54:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3ffe5a9a24da83fb277b548d938597c8 (5 x Formbook, 3 x RemcosRAT, 1 x BitRAT)
ssdeep	12288:oHPNFplQQTfQAEpHxdE3Jc9AYPeyqY99j9gqmCGVIJN7B:Wx+OkpHxdKJc4yp99j9gSwIJh
Threatray	475 similar samples on MalwareBazaar
TLSH	T1F4059E7375A4843FC43BEB314C4BD5696B31FD616B1F148BAAD62A040C717A0372EADA
File icon (PE):
dhash icon	fedcbb4d750f4c4c (9 x Formbook, 5 x RemcosRAT, 2 x NetWire)
Reporter	GovCERT_CH
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

1

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/198773/

Detection(s):

SecuriteInfo.com.UDS.Trojan-Downloader.Win32.Formbook.gen.581.8468.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Launching the default Windows debugger (dwwin.exe)

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/616fcb5adb358dd15ec5de82/reports/af7bb76a-5fb3-475f-92d2-30177b895124/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/27b85c05-f729-45b0-93bc-61c60cec9ed6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b198849b0a7a1ce934d8388e1b2b6d03e8d6fce5972c5ea4b108d8e1364090e7/

Threat name:

Win32.Downloader.FormBook

Status:

Malicious

First seen:

2021-10-20 07:55:08 UTC

AV detection:

3 of 44 (6.82%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wgmijgykpioosngyhchbwk3napunn7hfs4wf5jfrbdmocnsasdtq._file

Verdict:

malicious

Similar samples:

1cb6deac4e20e2a13002d118fc863a0757409bab2f45a9390529f1e6ad5217fc

3f032c4e18eced05282ae0a19f738dfef527c2281ce7bebaa28ca028941903f4

3fcc98cda3b1b88eea1619bea29091902d8e9fee91040d3a335215d14bd68bbf

49cb5b15b21ecd89b7462da8008c6c49d32310858912344f11fa04dab67f1f3a

8de4526e450e002bac649a1c6c8f0923ecc64b9813b7abeff0f754a5ee6db0ae

9648341f475d3cb186c9e64fc5685eb3b42e6956a331b00a4e9a01377cfe2dda

b8b54b232ca4f2ee4362d0d66218e77fbd950922221ab00676d43877904e249b

ba1285343924cfcb7e2f5e6b609e0cb6c1f055cc93fccdf7b7d34940967560ea

ca8c414d4473af6d57e24c15fbdaa982f3f1cc35cdcede216544b430460337c1

fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae

+ 465 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/211020-jrmflsggc6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

651d2f39c341c86341babbf45e367c1fe183f49348f3816f91920e08ed057d2a

MD5 hash:

100b966ad7ecd1ba763f069d4f1c27d6

SHA1 hash:

630ce76fda48fa229e41cf3e5b70f21af8288af0

Detections:

win_temple_loader_w0

Link:

https://www.unpac.me/results/73909256-5077-4034-b0da-ca6e05e0e169/

Parent samples :

b198849b0a7a1ce934d8388e1b2b6d03e8d6fce5972c5ea4b108d8e1364090e7
fc9ba22e8b90dbfe7b8b4b8450f2a93227c949d57395f59a0cedd30c78f05697
df80a9ac733001005f97d181473cd67a5c4a9f6804fce2c0da911e728b7690d1
6402f4385282298774063f11374e0162643b5d2eaa42b5a5878755b7f97e9e24
c66278e7c7a5ccb279d55d3dc1b3ef42188e47f276f09d5a8f686a5ba2ab3dd7
efd1897cf1232815bb1f1fbe8496804186d7c48c6bfa05b2dea6bd3bb0b67ed0
891ff9447dec210b5897080666b8281d7387206c14dba7587465e16bd2efa117
d90b2ee420fc51d84a0c3c3fe2ae4e13b6313cd030be264440538a396dfe7956
a192572433f8f1a41f0035e040f0f455608b6eb9695cbb87c9734f3a4bf7d4cc
0f795e11fe7833c1dbe5c9f2f4aba409fa6acab6e408def8a4543cf6d6a825be
583dd77ec5f198782e75d7c7286fabb741051c88e32b862dfad56f9b2f46bf0d
e78db46391cadbbffb7825a2144ca2c8cbbf8afedf91b9d3575d48eede2b9cce
7080315530bc6d7ead65034c1587e4596d9dbf0fc17107fbb28f84bf016009f9
deb410973549a5ec310fe689d56d44952df151506278c66a07bcf07a41b4898a
19b95be1b0c890804845c8c6e19cef972c89bfc8156201c3490f047ebfc42ed4
3bfb18b65c870e3c012f8d38fa70ea7441d6b09530e5f77d837d636c0e2abd0d
e7de0f165f8c5b38c60cf57edf5277ce09ea31bf46aa31f1b6bdc011a5e248e3
b3bc74c1f3673da08a95775af5f39dd116a249d8a7e597fcd8bb56e07ae3bcd2
6aa1329fc1a0a21844c1f75d779154833278f42adb7d7c3a8d760ad465951d07
967143d314abcb1ad4cab1133dc0b296ae38580511b9cd412fdf3a7c282160e9
473b2f6c5dd078673de5cdf099c1c983a826537d0a6cca0e35f79af7eee471a0
fc7cb61d2d3af49d228b2aa554255b5c0401090684cf4336485499af4b6ae2bb
c6dae6493723d83bbbad1d1c66384aea85bc0664ca2bb6f796a6ce02b7a85a33

SH256 hash:

b198849b0a7a1ce934d8388e1b2b6d03e8d6fce5972c5ea4b108d8e1364090e7

MD5 hash:

09b84961bbd62164637102577767dcbd

SHA1 hash:

27c439b6dd7de1ca0dab352e041db0f00a7a1db5

Link:

https://www.unpac.me/results/73909256-5077-4034-b0da-ca6e05e0e169/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b198849b0a7a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b198849b0a7a1ce934d8388e1b2b6d03e8d6fce5972c5ea4b108d8e1364090e7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe b198849b0a7a1ce934d8388e1b2b6d03e8d6fce5972c5ea4b108d8e1364090e7

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/198773/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample