MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2153ad12373ea7fab1232d8e957da465e2a7a6b5439f34d9ba6e3e177ab6c76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2153ad12373ea7fab1232d8e957da465e2a7a6b5439f34d9ba6e3e177ab6c76
SHA3-384 hash: 96ee1ed99fcf430d301f275f010c6254601e69de9c561b2741e9d706fe78865c440e6c4a6298e0b3df60f2931d6cc918
SHA1 hash: 6b9c78d3229db2196c0f11e11f952f932f71f4a2
MD5 hash: 579df0ab21381d2f0e9c8c4531fdc309
humanhash: utah-kilo-queen-wolfram
File name:Maria Sibirtseva Professional CV.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:579'778 bytes
First seen:2022-11-15 19:55:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 12288:WAxIkpcsYd54kNJD5Rzl9WF5YK77ZOsiTEbjfDUSc8Cm:JflYdmkTDF9W5YK/AsiTKLJc8d
Threatray 2'210 similar samples on MalwareBazaar
TLSH T196C4231230F20C17DE81B53715F3E732C3F64C13094ABB7A97EA9E5AA8B9503B61754A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f4f679b179698cd4 (17 x RemcosRAT, 4 x SnakeKeylogger, 2 x NanoCore)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Maria Sibirtseva Professional CV.exe
Verdict:
Malicious activity
Analysis date:
2022-11-15 19:58:57 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/fb31abab-54ff-42c8-9a9e-6eccb2515f3a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/334478/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.17282.7977.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Setting a keyboard event handler
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/6373eed465b4ed3de8c85cb4/reports/b87e366e-6a4d-4394-9e95-7af623f18268/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/311c2362-10d6-470d-8244-8ab1e8467861
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1114220
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 746916 Sample: Maria Sibirtseva Profession... Startdate: 15/11/2022 Architecture: WINDOWS Score: 100 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected Remcos RAT 2->56 58 4 other signatures 2->58 7 Maria Sibirtseva Professional CV.exe 18 2->7         started        10 gcryydej.exe 1 2->10         started        13 gcryydej.exe 1 2->13         started        process3 file4 34 C:\Users\user\AppData\Local\...\auizidp.exe, PE32 7->34 dropped 15 auizidp.exe 1 3 7->15         started        60 Maps a DLL or memory area into another process 10->60 19 conhost.exe 10->19         started        21 gcryydej.exe 10->21         started        23 conhost.exe 13->23         started        25 gcryydej.exe 13->25         started        signatures5 process6 file7 38 C:\Users\user\AppData\...\gcryydej.exe, PE32 15->38 dropped 44 Multi AV Scanner detection for dropped file 15->44 46 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->46 48 Contains functionality to steal Chrome passwords or cookies 15->48 50 3 other signatures 15->50 27 auizidp.exe 2 17 15->27         started        32 conhost.exe 15->32         started        signatures8 process9 dnsIp10 40 drremcoz1.ddns.net 185.246.220.39, 1307, 49685 LVLT-10753US Germany 27->40 42 geoplugin.net 178.237.33.50, 49686, 80 ATOM86-ASATOM86NL Netherlands 27->42 36 C:\ProgramData\remcos\logs.dat, data 27->36 dropped 62 Installs a global keyboard hook 27->62 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2153ad12373ea7fab1232d8e957da465e2a7a6b5439f34d9ba6e3e177ab6c76/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-15 02:28:58 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2iktvujdopvh7kysglmosv62izpcu6tlkq47gtm3u3r6c55lnr3a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2f53875cb56cc1a1f69655fcfca71ac0f952b8d582bda33e101d8b262e38d0f9
RemcosRAT
31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28
RemcosRAT
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
RemcosRAT
68dc5714a90d2f0b2b91d22127aa518ce6667386b133777a0e36fac29d7a19af
RemcosRAT
7cfeccb31a610ee9b5e5501c712c380a2098a360eaaad0a15d7d5c23b3cc6830
RemcosRAT
8c2653e4d9998668579383d87f291afe6ba5740ec3bc6d8f44618c0f9af77189
RemcosRAT
d42107d756734247da36e67eb859e1ca7fefcdae69d5cd50730979d7b005e83d
RemcosRAT
f9dbb342e635717b55ef19c20e7943858acf892e6040a9a4f3609eaa41981bc9
RemcosRAT
+ 2'200 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/221115-ynnxlaff33/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
drremcoz1.ddns.net:1307
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9f7378dd-3b98-42e4-b771-16197a5dc2f3
Unpacked files
SH256 hash:
683efe74532bed30e1f0a73e9e7485e2d11e444b7766cd7d2611d84ecc79fa22
MD5 hash:
c5124d216e7b0f383ba7e05b69d84379
SHA1 hash:
9e07ed49d15d00e15d5b603e2b74902284cb560a
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/fe58c199-9c98-45bb-8c68-21c08ab30b66/
Parent samples :
d2153ad12373ea7fab1232d8e957da465e2a7a6b5439f34d9ba6e3e177ab6c76
45cd8dd797af4fd769eef00243134c46c38bd9e65e15d7bd2e9b834d5e8b3095
f23af58c2cf4e24dc720b940dfcbb7a12793de187354f892b8ee9cbec7c3332e
38e450e0f888c722ba57ed39900759397ede821614371832456b7fa29143aaba
f55af4e1b592a12334c4434887b9bfd7429b4218e9c4b3b7cef3e345f4489f06
a5d0f96c465bc9f36b29fb88333dc996f63c39ec6ed8cc2acb5a5b36ad31500f
SH256 hash:
270c9fbe00522f24e183f870b3b1c06ab8abaf47cd833a2f4647ba984a65cf35
MD5 hash:
e5c2a6d4d851e8c6eec55109888e00bf
SHA1 hash:
7d5f617fa20caeaf17ba9df4da61d586e89b2b34
Link:
https://www.unpac.me/results/fe58c199-9c98-45bb-8c68-21c08ab30b66/
SH256 hash:
d2153ad12373ea7fab1232d8e957da465e2a7a6b5439f34d9ba6e3e177ab6c76
MD5 hash:
579df0ab21381d2f0e9c8c4531fdc309
SHA1 hash:
6b9c78d3229db2196c0f11e11f952f932f71f4a2
Link:
https://www.unpac.me/results/fe58c199-9c98-45bb-8c68-21c08ab30b66/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d2153ad12373/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2153ad12373ea7fab1232d8e957da465e2a7a6b5439f34d9ba6e3e177ab6c76

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/334478/

Comments