MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b31cde99f0850f6f1e87ff1cb15014a26d87a22aed1e63c2bcfe423bc377dfd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b31cde99f0850f6f1e87ff1cb15014a26d87a22aed1e63c2bcfe423bc377dfd7
SHA3-384 hash: 354b8225ce7d23c3cb8666c9ea91547e80e1a65ef4da711a12fe19929870fb12d1160f4f6a401d23534394b95aa39ecf
SHA1 hash: 31a28a85f6bed73a0379cc8fcc29d4543b8b09ec
MD5 hash: a24e66533b33574ce715598ff5d4f28c
humanhash: yellow-crazy-december-may
File name:DHL_119040 de recibo,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:870'912 bytes
First seen:2021-09-18 06:25:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 96d68413d52ee291c9b444b7006f0bce (4 x RemcosRAT, 1 x BitRAT)
ssdeep 12288:mmnGyuE9fz9VBCY4Alz2MjbjBQHhazE2Mdvnk6LHC7WWnMvwfHVBPggseBnDz5ZE:mmnZbz9e0z12HZBngseBDz5ZE
Threatray 1'138 similar samples on MalwareBazaar
TLSH T1E7057C22D2826DF9F836263DACDE7B80591D3CF03D456D565E903D0659343E2BE3A88B
dhash icon 8ccc0c37e3969a68 (8 x RemcosRAT, 2 x NetWire, 1 x BitRAT)
Reporter abuse_ch
Tags:DHL exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_119040 de recibo,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-18 06:26:01 UTC
Tags:
installer rat remcos
Link:
https://app.any.run/tasks/290bedbd-1f3f-4651-a9a3-e8d24902513d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188885/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

SecuriteInfo.com.UDS.Backdoor.Win32.Remcos.gen.30130.2328.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/141db216-a316-469e-85d1-069a7b711e07
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853135
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 485566 Sample: DHL_119040 de recibo,pdf.exe Startdate: 18/09/2021 Architecture: WINDOWS Score: 100 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 4 other signatures 2->63 8 DHL_119040 de recibo,pdf.exe 1 22 2->8         started        13 Jqzswwq.exe 15 2->13         started        15 Jqzswwq.exe 15 2->15         started        process3 dnsIp4 43 sn-files.fe.1drv.com 8->43 45 onedrive.live.com 8->45 47 augedw.sn.files.1drv.com 8->47 39 C:\Users\Public\Libraries\...\Jqzswwq.exe, PE32 8->39 dropped 73 Writes to foreign memory regions 8->73 75 Creates a thread in another existing process (thread injection) 8->75 77 Injects a PE file into a foreign processes 8->77 17 DpiScaling.exe 2 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        49 sn-files.fe.1drv.com 13->49 53 2 other IPs or domains 13->53 25 logagent.exe 13->25         started        51 sn-files.fe.1drv.com 15->51 55 2 other IPs or domains 15->55 79 Machine Learning detection for dropped file 15->79 file5 signatures6 process7 dnsIp8 41 ongod4ever.ddns.net 194.147.140.26, 3030 PTPEU unknown 17->41 65 Contains functionality to steal Chrome passwords or cookies 17->65 67 Contains functionality to inject code into remote processes 17->67 69 Contains functionality to register a low level keyboard hook 17->69 71 2 other signatures 17->71 27 reg.exe 1 21->27         started        29 conhost.exe 21->29         started        31 cmd.exe 1 23->31         started        33 conhost.exe 23->33         started        signatures9 process10 process11 35 conhost.exe 27->35         started        37 conhost.exe 31->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b31cde99f0850f6f1e87ff1cb15014a26d87a22aed1e63c2bcfe423bc377dfd7/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-09-18 02:30:00 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wmon5gpqquhw6huh74olcuauujwypirk5upghqv47zbdxq3x37lq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
11f6a46954cdec78fec52771521926ff6917af81f79e3dc1198a38571b7d7519
RemcosRAT
204806f363e25b8caab19fade1152cbdef6d19a2ee0f122ce2a2aa3949154f1d
RemcosRAT
7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30
RemcosRAT
b9384216a5aea20cd398e51c6549bb84d6b252f3fde114010e3cc0c60b1e2b13
RemcosRAT
bc6387778b4a0caf34719e4de78d1ea6ecd96ba40a2e1e0997ae91dfe221807e
RemcosRAT
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028
RemcosRAT
e8fd9fa558e765a0a6273a0ba98195347c8c388491e4e6186fccf4d8a69baf84
RemcosRAT
+ 1'128 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/210918-g67c8abgar/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/7f382780-e9b5-463b-ab7e-4602c3423b7b/
SH256 hash:
b31cde99f0850f6f1e87ff1cb15014a26d87a22aed1e63c2bcfe423bc377dfd7
MD5 hash:
a24e66533b33574ce715598ff5d4f28c
SHA1 hash:
31a28a85f6bed73a0379cc8fcc29d4543b8b09ec
Link:
https://www.unpac.me/results/7f382780-e9b5-463b-ab7e-4602c3423b7b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/b31cde99f0850f6f1e87ff1cb15014a26d87a22aed1e63c2bcfe423bc377dfd7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188885/

Comments