MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0dbfce6d1904f32b39ef57d1f59595099171f5e038ad1003a9fc5f9c3ec92d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0dbfce6d1904f32b39ef57d1f59595099171f5e038ad1003a9fc5f9c3ec92d2
SHA3-384 hash: a3effc917886984310affd8262eb6101cf09a74580a20d6c9a4b23863bfb9680d14df7a687139fde10b4536a37ac8a71
SHA1 hash: 5a35213b10e12b9cf16ca54c40178754d7896a6d
MD5 hash: b2c071e80fb3acd8026ad39fd542b723
humanhash: eleven-vegan-nebraska-winner
File name:PURCHASE ORDER - 3114U0-001,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:795'648 bytes
First seen:2021-08-02 11:19:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9c955bfbaffe3626e1c455c4ade5d1b7 (4 x RemcosRAT)
ssdeep 12288:oakOZMeySruMg5l/NRD3yU5PAH29cOqYT9DeEFrxUtbYy8GkAQKxDOddp69:HZvySqMIlVRDn1AHCfpVlFr0u7
Threatray 2'148 similar samples on MalwareBazaar
TLSH T1CB059EF1FF80B676CD816E394457A1ED5AF0DE7E18D838C68BF0DE148B3A5A12424297
dhash icon 1130767864760841 (6 x RemcosRAT, 2 x Formbook, 1 x NetWire)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHASE ORDER - 3114U0-001,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-08-02 11:19:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1f403f54-c62c-4a98-9d5a-00a429be9653

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175783/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f55ae3c-d05d-4d49-9590-b2fee6a1d5f6
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825466
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c0dbfce6d1904f32b39ef57d1f59595099171f5e038ad1003a9fc5f9c3ec92d2/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 11:20:05 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ydn7zzwrsbhtfm466v6r6wkzkcmroh26aofncab2t7c7tq7mslja._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1ed6cbc9b8af4e05e97a00b4c26fdd26194f9a554c4ef479b3ef029ec0fdaad8
RemcosRAT
226bf641e3522d95b79383218228ba7ed223e736cfc1e856a508db90a3df3c91
RemcosRAT
46a376d25369d059b1c149d8fb4821aa3ddb504bb381a02f3d5e4e019a41ed4d
RemcosRAT
67b2196fced6640cc43c05c44ea9ee22c004fce93f08c00768a0aba265c72bb6
RemcosRAT
7df259f7873239aee108522c3efd6fca233db83a268a3c9fad4766994c5a029d
RemcosRAT
84631c19d18475754bdfe649b0ff41d3adbaf473fa9c732833cf4f8942df291a
RemcosRAT
be63bed59267683057545aebde3e553ca5f270b6750ab9285b881fec0ddd5dac
RemcosRAT
bfe422f569af77aa4f5b1b9f1e85f6c89b7ca62540c368d5e5b152f68154a478
RemcosRAT
e65bff9943ab7ccc3713619a8d908f6caf5392c0c47defe3b66ca9009d2177ed
RemcosRAT
+ 2'138 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210802-xch3kheh9a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Unpacked files
SH256 hash:
5c45bea48a21a63ad2d6bbd0a55abde77cf8747da3bacea57ba027666b60cba0
MD5 hash:
20055c627d6ef98bf3b4eb141b9e3099
SHA1 hash:
25f825d2753cbfa8643e5930b4e7e047ef41490f
Link:
https://www.unpac.me/results/ec255e6a-fa29-4dc8-9ccb-854993975599/
SH256 hash:
c0dbfce6d1904f32b39ef57d1f59595099171f5e038ad1003a9fc5f9c3ec92d2
MD5 hash:
b2c071e80fb3acd8026ad39fd542b723
SHA1 hash:
5a35213b10e12b9cf16ca54c40178754d7896a6d
Link:
https://www.unpac.me/results/ec255e6a-fa29-4dc8-9ccb-854993975599/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0dbfce6d1904f32b39ef57d1f59595099171f5e038ad1003a9fc5f9c3ec92d2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe c0dbfce6d1904f32b39ef57d1f59595099171f5e038ad1003a9fc5f9c3ec92d2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175783/

Comments