MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d09e0e3cdb3fa52dcea7852176dc97aac0741e85b22bd088fd0bf0633e3f3bbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 16

SHA256 hash: d09e0e3cdb3fa52dcea7852176dc97aac0741e85b22bd088fd0bf0633e3f3bbb
SHA3-384 hash: 73301634b2289da7bd0933cf672ed1e1303d6a589186d321a1461f4f80bb0fc08aca2c3982c311b9ce9891d7ce7602cf
SHA1 hash: 5f05b7aeedc66a7aaca412cc5ea5d5155c589b94
MD5 hash: fb503b1d93dbbc110d11391978b00569
humanhash: bacon-harry-video-two
File name: scan_31900047565799095.exe
Signature: RemcosRAT
File size: 1'106'944 bytes
First seen: 2022-08-09 18:36:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5dc555aba1bcf8cc83a1840dd1f96bfd (6 x DBatLoader, 2 x RemcosRAT)
ssdeep: 24576:o6JOY7Bt7MeZCRzqwYGrX9KWIvf4nSzH:o2vFGJK5WSz
Threatray: 2'030 similar samples on MalwareBazaar
TLSH: T1C7358E33B2A3DC32D27699BBDF07E2689C6A7E006A78A58527F42F5C1F7494079191C3
TrID: 28.5% (.SCR) Windows screen saver (13101/52/3)
      22.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      14.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      9.8% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.5% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
dhash icon: 33d0d89696d8d033 (14 x ModiLoader, 9 x DBatLoader, 6 x Formbook)
Reporter: johnk3r
Tags: exe Lokibot RemcosRAT


johnk3r
https://a.pomf[.]cat/rrscyb.zip
https://onedrive.live[.]com/download?cid=A55488035D4CB5A3&resid=A55488035D4CB5A3%21114&authkey=AHhugu3fUNgS1Us

Intelligence


File Origin
# of uploads: 1
# of downloads: 535
Origin country: n/a
Vendor Threat Intelligence

Malware family:
ID: 1
File name: scan_31900047565799095.exe
Verdict: Malicious activity
Analysis date: 2022-08-09 18:49:13 UTC
Tags: remcos
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
CheckScreenResolution
CheckCmdLine

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: keylogger

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: expl
Score: 56 / 100
Signature
Multi AV Scanner detection for submitted file
Yara detected UAC Bypass using ComputerDefaults

Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-08-09 12:07:20 UTC
File Type: PE (Exe)
Extracted files: 72
AV detection: 19 of 26 (73.08%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:modiloader family:remcos persistence rat trojan
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
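The behaviour lists above record a Run-key autorun write twice ("Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch", "Adds Run key to start application") and a YARA hit for a UAC bypass using ComputerDefaults. The following is an added example, not code from MalwareBazaar or from any of the vendors reporting here, of how a detection engineer would flag both on Sysmon Event ID 13 (registry value set) records. The event dicts are constructed for the demo and use Sysmon's field names; a real pipeline would fill them from the Sysmon operational log. The ms-settings\Shell\Open\command key is the well-known handler that a ComputerDefaults.exe-style bypass registers, but the record does not say which variant its YARA rule matched, so that second rule is an assumption.

```python
"""Flag Run-key persistence and the ms-settings UAC-bypass handler on Sysmon
Event ID 13 (registry value set) records.

Added example: not code from MalwareBazaar or any vendor listed on this page.
Events are constructed dicts using Sysmon's field names; the key paths are
well-known, but which bypass variant the page's YARA hit covers is assumed.
"""
import re

# Autorun branch named in the behaviour lists, under HKLM or a user hive,
# with or without Wow6432Node, plus the RunOnce sibling.
RUN_KEY = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)
# Per-user ms-settings protocol handler consulted by auto-elevating binaries
# such as ComputerDefaults.exe (assumed variant of the reported bypass).
MS_SETTINGS_KEY = re.compile(
    r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command", re.IGNORECASE
)


def classify(event: dict):
    """Return a rule name for one Sysmon event dict, or None if nothing fires.

    Only EventID 13 (value set) is considered: a key create (EventID 12) under
    Run is not yet persistence, and matching it would mostly catch installers.
    """
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if MS_SETTINGS_KEY.search(target):
        return "uac_bypass_ms_settings_handler"
    if RUN_KEY.search(target):
        return "run_key_persistence"
    return None


def detect(events):
    """Return (rule, writing image, target key, written data) for each event that fires."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((rule, event.get("Image"), event.get("TargetObject"), event.get("Details")))
    return hits


# Constructed events (not a real capture); SID, paths and value names are made up.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\scan_31900047565799095.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Remcos",
     "Details": r"C:\Users\victim\AppData\Roaming\remcos\remcos.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\scan_31900047565799095.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute",
     "Details": ""},
    {"EventID": 13,  # benign service start-type change, must not fire
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\BITS\Start",
     "Details": "DWORD (0x00000003)"},
    {"EventID": 12,  # key create under Run, deliberately ignored
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "Details": None},
]

if __name__ == "__main__":
    for rule, image, target, details in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image} wrote {target} = {details!r}")
```

The Run-key rule will also fire on legitimate installers and updaters; in practice it is scoped by the writing Image (user-writable directories such as Temp and AppData, as in the constructed event) rather than alerted on unconditionally.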
Unpacked files
SHA256 hash: 6e4aba5f91f4d01295db6a25820bccf96e982c11dc19eac820ec094e8bc5b5b2
MD5 hash: 32cd4b21204a9e867088e41a0be8f6aa
SHA1 hash: 21f622535ca5ed8c0670382c420d380ba4a41799
Detections: win_dbatloader_g1
Parent samples:
925e3fe8b8f4fa60dcfc261154c3fc8a6d296efcdb83ab1a18e710fa150090f1
7d5c7b03dcc7496b6dfb7f5726b3901d48da7ed3dd8e6d171db278e7ba9902b0
8043ea1eec1337542f54a3da01248f048588f43c2f5a434d425775dbb3ddd6b3
6b8b620534b94530ba467af917e0365640b83b1edd8a39eaa00ebf441e2e34c0
d09e0e3cdb3fa52dcea7852176dc97aac0741e85b22bd088fd0bf0633e3f3bbb
0454c0078d232502c16596fb561e698d11c2d68c1905d68a9578385a6a116a00
bc061c3fc38da5c64b98ca941334021a3588891eed56ba0458f5f3ca6b364081
c7046054dfa14ba59f91b14d7039a7d4bff88e62cb0b9bfaf6b3eb247662d5ce
9e58ee070798a5d3826b827e575d87746ffc1c10c1d07240263b35cf95a9f449
8b7641fa594fce9205916ac35de0c043177580e9469770f5e39adf0a72b858c4
da94505a95c11c751468743c7eb6cef882f99c6c5ad4ca0b24b4c3e36d0ea11c
e0b0ea6e18a229592ade98b150d52359b60a7169fc60952e4b5e098ce83a563a
ccf73ee5de39b84ab80990fc250259b3262abe80c2ed84c4284f78d05b0f5e4e
6a147da6ac0eec13aeaf08e385f27f58132562980c1ff628f4a4dc98ed70e202
efe38e24a3e9e5e0b6728cd3c25e36b51dee90ec0587b908a03335cf0f6757cb
3752b7276189f276a42e2ee99480c513f8a57554991644a98c7460671ec9d3c8
c830a445d79d79573e7da5f3a94fe72aa74d07fbcbb84d759915461202be06d8
bb51ea0bd2ae770fb729c3e84f1dd896e65312768893412fec620847a98cd8b5
a1ab4430d2f436338e690327acc1869f2d0717d63093281337c33c6b99c602f9
0c32394238d4d1a1865110e6f226475422a241176c28f909f114204bf9af9a92
3366a4efc3ab34464c6372c24a2d10c4919cab1d75223f4d7ab9d03299f68ed7
58bbb797b31decdd5f9d260a27fc96728c8151753b7533263f692c9ea8f0c349
4637f2930df07d5ed81ccc672ca39782c5ec2d8e77e9aba269128986a2fda5ea
81b969f8c2a9ced7707abce96338c925995da376e96841727982c59362f0eb30

SHA256 hash: d09e0e3cdb3fa52dcea7852176dc97aac0741e85b22bd088fd0bf0633e3f3bbb
MD5 hash: fb503b1d93dbbc110d11391978b00569
SHA1 hash: 5f05b7aeedc66a7aaca412cc5ea5d5155c589b94
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropping: LokiBot
Delivery method: Distributed via e-mail link
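The hashes in this record and the two delivery URLs from the reporter's comment are only useful once they are matched against something. The following is an added example, not code from MalwareBazaar or from any vendor listed on this page, that refangs the published URLs and checks files and proxy-log lines against the record's IOCs. The hash values and URLs are those of the record (the sample itself and the unpacked DBatLoader stage); the log lines are constructed; the onedrive.live.com URL is matched in full because its host alone is legitimate shared infrastructure.

```python
"""Match local files and proxy-log URLs against the hash and URL IOCs in this record.

Added example: not code from MalwareBazaar or any vendor listed on this page.
Hash and URL values are copied from the record; the log lines are constructed.
"""
import hashlib
import io
import re

# Hashes from the record: the uploaded sample and the unpacked DBatLoader stage.
HASH_IOCS = {
    "md5": {"fb503b1d93dbbc110d11391978b00569",        # scan_31900047565799095.exe
            "32cd4b21204a9e867088e41a0be8f6aa"},       # unpacked, win_dbatloader_g1
    "sha1": {"5f05b7aeedc66a7aaca412cc5ea5d5155c589b94",
             "21f622535ca5ed8c0670382c420d380ba4a41799"},
    "sha256": {"d09e0e3cdb3fa52dcea7852176dc97aac0741e85b22bd088fd0bf0633e3f3bbb",
               "6e4aba5f91f4d01295db6a25820bccf96e982c11dc19eac820ec094e8bc5b5b2"},
}

# Delivery URLs from the reporter's comment, kept defanged as published.
URL_IOCS_DEFANGED = [
    "https://a.pomf[.]cat/rrscyb.zip",
    "https://onedrive.live[.]com/download?cid=A55488035D4CB5A3&resid=A55488035D4CB5A3%21114&authkey=AHhugu3fUNgS1Us",
]


def refang(url: str) -> str:
    """Undo the usual defanging ([.], [:] and hxxp) so a published IOC compares with real log data."""
    url = url.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def hash_stream(fh) -> dict:
    """md5/sha1/sha256 hex digests of a binary stream, computed in one chunked pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in iter(lambda: fh.read(1 << 20), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def hash_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return hash_stream(fh)


def match_digests(digests: dict) -> list:
    """Algorithms under which the digests hit an IOC; an empty list means no match."""
    return [algo for algo, value in digests.items() if value.lower() in HASH_IOCS.get(algo, ())]


def scan_proxy_log(lines) -> list:
    """(line number, url) for each whitespace-separated token equal to a refanged IOC URL.

    Full-URL matching is deliberate: onedrive.live.com is shared legitimate
    infrastructure, so a host-only rule for the second IOC would be pure noise.
    """
    wanted = {refang(u).lower() for u in URL_IOCS_DEFANGED}
    return [(n, tok) for n, line in enumerate(lines, 1) for tok in line.split() if tok.lower() in wanted]


# Constructed proxy-log lines (not real traffic).
SAMPLE_LOG = [
    "2022-08-09T18:31:02Z 10.0.0.15 GET https://onedrive.live.com/download?cid=A55488035D4CB5A3&resid=A55488035D4CB5A3%21114&authkey=AHhugu3fUNgS1Us 200",
    "2022-08-09T18:31:09Z 10.0.0.15 GET https://onedrive.live.com/ 200",
    "2022-08-09T18:33:41Z 10.0.0.22 GET https://a.pomf.cat/rrscyb.zip 200",
]

if __name__ == "__main__":
    for n, url in scan_proxy_log(SAMPLE_LOG):
        print(f"proxy log line {n}: known delivery URL {url}")
    print("hash match for a throwaway buffer:", match_digests(hash_bytes(b"not the sample")) or "none")
```

Exact hashes only catch this build. The record's ssdeep, TLSH and imphash values (and the "2'030 similar samples" Threatray count) are what you would use to catch repacked siblings, but those comparisons need the ssdeep and TLSH libraries and pefile, and are a similarity threshold rather than an equality check, so they are left out here.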

Comments