MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b484a4cb667f840e50d5fe91ed76752a5db90759ed1cac25ec965ce5751da9e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b484a4cb667f840e50d5fe91ed76752a5db90759ed1cac25ec965ce5751da9e2
SHA3-384 hash: 6ae777621d5fe75c7ae652ecac1f01244b3a51536e5d1adaa8f2d2572030cecc5f8fe2d0af133ea90b1e2ee846f5e407
SHA1 hash: b230f6d6c9afe11c7a88da8e6a8b87288d78fd10
MD5 hash: 7d5253655d6b9137193c9eb1876c1aa6
humanhash: social-cup-seven-timing
File name:SecuriteInfo.com.Trojan.Win32.DelfInject.6c9c1654.29864.26219
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:741'376 bytes
First seen:2021-09-19 01:00:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fb0fb50fc7c6eefdc89f28e9331a4c3f (1 x RemcosRAT)
ssdeep 12288:8ISLoNauMjmGZaHe3YCMFPitHq9U2dvnk6LHC7WWnMvwfHVBPggseBn5:8Iv4jmTHeoVKBq22BngseB
Threatray 1'121 similar samples on MalwareBazaar
TLSH T118F45C6A63424C76F427A43DCCEF5694223AFDF23D511C4A5E992B982B29BF13D0C187
File icon (PE):PE icon
dhash icon f8a5d39a443434c4 (2 x NetWire, 1 x Formbook, 1 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Win32.DelfInject.6c9c1654.29864.26219
Verdict:
Malicious activity
Analysis date:
2021-09-19 01:02:00 UTC
Tags:
installer rat remcos keylogger
Link:
https://app.any.run/tasks/63a98e04-f905-4a8a-ae18-dc8c4ae7c594

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/188990/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

SecuriteInfo.com.Trojan.Win32.DelfInject.6c9c1654.29864.26219.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff996e26-d136-43d6-b68d-f96860b6f8d0
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853383
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 485814 Sample: SecuriteInfo.com.Trojan.Win... Startdate: 19/09/2021 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 3 other signatures 2->59 6 SecuriteInfo.com.Trojan.Win32.DelfInject.6c9c1654.29864.exe 1 17 2->6         started        11 Reoqvsx.exe 15 2->11         started        13 Reoqvsx.exe 16 2->13         started        process3 dnsIp4 25 onedrive.live.com 6->25 27 drvpha.bl.files.1drv.com 6->27 29 bl-files.fe.1drv.com 6->29 23 C:\Users\Public\Libraries\...\Reoqvsx.exe, PE32 6->23 dropped 61 Writes to foreign memory regions 6->61 63 Creates a thread in another existing process (thread injection) 6->63 65 Injects a PE file into a foreign processes 6->65 15 logagent.exe 2 3 6->15         started        31 onedrive.live.com 11->31 35 2 other IPs or domains 11->35 67 Multi AV Scanner detection for dropped file 11->67 19 DpiScaling.exe 11->19         started        33 onedrive.live.com 13->33 37 2 other IPs or domains 13->37 21 DpiScaling.exe 13->21         started        file5 signatures6 process7 dnsIp8 39 remcosw11.mywire.org 5.181.234.154, 2404, 49745 M247GB Romania 15->39 41 Contains functionalty to change the wallpaper 15->41 43 Contains functionality to steal Chrome passwords or cookies 15->43 45 Contains functionality to inject code into remote processes 15->45 47 Contains functionality to register a low level keyboard hook 15->47 49 Contains functionality to steal Firefox passwords or cookies 19->49 51 Delayed program exit found 19->51 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b484a4cb667f840e50d5fe91ed76752a5db90759ed1cac25ec965ce5751da9e2/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-18 16:43:28 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wsckjs3gp6ca4ugv72i625tvfjo3sb2z5uokyjpmszook5i5vhra._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
04f483018f53c35976cfd9c4b5191279761a351b3e135a70ae9c5c2b53be154b
RemcosRAT
15851690d3cb99d95e82bb47d3f31db71688c69dd50b0a8367e97aa3b501b637
RemcosRAT
204806f363e25b8caab19fade1152cbdef6d19a2ee0f122ce2a2aa3949154f1d
RemcosRAT
62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136
RemcosRAT
6a96d22dec9171b154bb1a94c68fa02dda51713709dad161681a759f64cc3014
RemcosRAT
897e01eafce2598ea8af8d75f531b87118872fb82f101aa788fc987fdac0ff62
RemcosRAT
8cb9b0ac073c398ffc0147a1a84ffa9c2db217df67c5a89f34f4a5fb12be7cc3
RemcosRAT
a3d751c0554f2d36ae56987adeca6f9b8f7953fab4a5214ad913a9021fe168fc
RemcosRAT
b0f43b627353f91afa5e4a9c5eea655f5375e497933a6e37c3c0f8a5a29a2889
RemcosRAT
b9384216a5aea20cd398e51c6549bb84d6b252f3fde114010e3cc0c60b1e2b13
RemcosRAT
+ 1'111 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/210919-bc75rscgdk/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
remcosw11.mywire.org:2404
remcosw22.giize.com:2404
remcosw33.kozow.com:2404
remcosw44.freeddns.org:2404
remcosw55.freeddns.org:2404
remcosw66.freeddns.org:2404
remcosw77.freeddns.org:2404
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/884ebe73-7acb-4153-9190-f87193dd3a4a/
SH256 hash:
b484a4cb667f840e50d5fe91ed76752a5db90759ed1cac25ec965ce5751da9e2
MD5 hash:
7d5253655d6b9137193c9eb1876c1aa6
SHA1 hash:
b230f6d6c9afe11c7a88da8e6a8b87288d78fd10
Link:
https://www.unpac.me/results/884ebe73-7acb-4153-9190-f87193dd3a4a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/b484a4cb667f840e50d5fe91ed76752a5db90759ed1cac25ec965ce5751da9e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188990/

Comments