MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce4ca50b7ccb205ee84b76edbd4004d683fe14c69d9d9d102e6e9d89b53c33af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce4ca50b7ccb205ee84b76edbd4004d683fe14c69d9d9d102e6e9d89b53c33af
SHA3-384 hash: b8631ca150fe76db6756193018f83084d07a4cfe24d62e45c7e069426b975d5aa44a86db01c582c84cd25bf8a5f2214e
SHA1 hash: 0e4b8264409b09bb40a77dd3ae4d700b32b6fe92
MD5 hash: 6674bdaaf0eb28d84e30b9be5cffb1d5
humanhash: uncle-blossom-carpet-failed
File name:SecuriteInfo.com.Scr.MalPbsgen1.30982.12300
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'308'160 bytes
First seen:2022-07-11 05:36:28 UTC
Last seen:2022-07-11 06:32:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2058a4ea9eb099650cd6f436a659a4b5 (3 x RemcosRAT, 1 x Formbook)
ssdeep 24576:8aENYX5+iIn83T1pWmIdJmk/MtceWlzMcjATyYP7:8aEGTpwdlZeIMcU
Threatray 3'245 similar samples on MalwareBazaar
TLSH T15E55AE13F5C19036D172993C9CDE52E8E9E9BD90292B584F3BDA3C085E757C1382E2E6
TrID 41.7% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
28.3% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
16.5% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
7.3% (.OCX) Windows ActiveX control (116521/4/18)
2.7% (.EXE) InstallShield setup (43053/19/16)
File icon (PE):PE icon
dhash icon e0c4a2a6a4bcbcf8 (12 x RemcosRAT, 6 x DBatLoader, 4 x Formbook)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
329
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Scr.MalPbsgen1.30982.12300
Verdict:
Suspicious activity
Analysis date:
2022-07-11 23:30:54 UTC
Tags:
installer
Link:
https://app.any.run/tasks/58564e23-0aa3-46d0-b1cd-382f43c10ea3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/285991/
Detection(s):
SecuriteInfo.com.Scr.MalPbsgen1.30982.12300.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/24977/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/62cbb7002f48e967395664b2/reports/7ee2a558-79ba-4028-9060-a3d933aa018a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3cd713a7-d32f-4407-a16d-aaf849ee9de0
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1028241
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 660736 Sample: SecuriteInfo.com.Scr.MalPbs... Startdate: 11/07/2022 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->50 52 7 other signatures 2->52 7 SecuriteInfo.com.Scr.MalPbsgen1.30982.exe 1 17 2->7         started        12 Ydlehtnhbl.exe 13 2->12         started        14 Ydlehtnhbl.exe 13 2->14         started        process3 dnsIp4 38 cdn.discordapp.com 162.159.134.233, 443, 49727, 49730 CLOUDFLARENETUS United States 7->38 32 C:\Users\Public\Libraries\Ydlehtnhbl.exe, PE32 7->32 dropped 34 C:\Users\...\Ydlehtnhbl.exe:Zone.Identifier, ASCII 7->34 dropped 54 Writes to foreign memory regions 7->54 56 Allocates memory in foreign processes 7->56 58 Creates a thread in another existing process (thread injection) 7->58 16 logagent.exe 2 7->16         started        40 162.159.133.233, 443, 49749 CLOUDFLARENETUS United States 12->40 60 Multi AV Scanner detection for dropped file 12->60 62 Injects a PE file into a foreign processes 12->62 20 DpiScaling.exe 12->20         started        22 logagent.exe 14->22         started        file5 signatures6 process7 dnsIp8 36 stronger.ddns.net 37.0.14.198, 3655, 49747, 49748 WKD-ASIE Netherlands 16->36 44 Injects a PE file into a foreign processes 16->44 24 logagent.exe 2 16->24         started        28 logagent.exe 16->28         started        30 logagent.exe 16->30         started        signatures9 process10 dnsIp11 42 192.168.2.1 unknown unknown 24->42 64 Tries to harvest and steal browser information (history, passwords, etc) 24->64 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce4ca50b7ccb205ee84b76edbd4004d683fe14c69d9d9d102e6e9d89b53c33af/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-11 05:37:12 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zzgkkc34zmqf52clo3w32qae22b74fggtwoz2ebon2oytnj4goxq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
54960f94810d9ce0b6edcdfb6abfe07a0b372422b51eb478881000c9cfda2091
RemcosRAT
628714308e23fcb40095b63c6822b08f8a9b90de2ac290ff1e8e01b6ccde1568
RemcosRAT
6f4628db14ddcff78f5b0ad2c62f6791e4b29901eb9ef8a3686a2b7019308a99
RemcosRAT
83f54b46a10ce36ac80d885c29cbf1c88c65250163961193916123c282d36784
RemcosRAT
bfa4daa95a303253a45cc02597d1fa404168fb88e627dc3afa4b3548a6ff893d
RemcosRAT
e03a40e689b0ce40227d155c33d3f9817534f0e1bd63e26bbfa80ee60755b783
RemcosRAT
e7c74f89332dcf4bf0ebaa50d960a8c82a521ca2c9608ecbb13e719e9744b5ca
RemcosRAT
fa3e1ea5a814915ffc65b8a94180aedccf3140f515f05737f3017d6ab6f10b89
RemcosRAT
+ 3'235 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:samy collection persistence rat trojan
Link:
https://tria.ge/reports/220711-ga5vhsegam/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
ModiLoader Second Stage
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
stronger.ddns.net:3655
Unpacked files
SH256 hash:
8d652f1f5121c682e1db6bdcee7b714b11fd98e38cbe35c2ea22df664b03d941
MD5 hash:
848934d2c678d1633771ce40851bec51
SHA1 hash:
c6b8856bc6ce256ce336314b111231dddd47373f
Link:
https://www.unpac.me/results/f56fc43f-6846-47e8-9165-89d53d492c64/
SH256 hash:
4ba7690603e72aaee1c59ded105ba448c1c5e5b39ff60ca619c39a57ce395910
MD5 hash:
0e131d755182a1745c7f06c006a4adbf
SHA1 hash:
64bb921de3cb068fc4a26519ee51acbaa782321e
Link:
https://www.unpac.me/results/f56fc43f-6846-47e8-9165-89d53d492c64/
SH256 hash:
ce4ca50b7ccb205ee84b76edbd4004d683fe14c69d9d9d102e6e9d89b53c33af
MD5 hash:
6674bdaaf0eb28d84e30b9be5cffb1d5
SHA1 hash:
0e4b8264409b09bb40a77dd3ae4d700b32b6fe92
Link:
https://www.unpac.me/results/f56fc43f-6846-47e8-9165-89d53d492c64/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce4ca50b7ccb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/ce4ca50b7ccb205ee84b76edbd4004d683fe14c69d9d9d102e6e9d89b53c33af

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/285991/

Comments