MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3b0ff3262302f0478cdc55f8d77d9d7c999255282a3181bd6cc09a252077ee9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3b0ff3262302f0478cdc55f8d77d9d7c999255282a3181bd6cc09a252077ee9
SHA3-384 hash: 247e832e8014600f6eeedc6442571c62cd765c241ade24d97b2059a91bfe0d17e361ec4612e65c2e2fa90a6c9741575e
SHA1 hash: 5b47fc05cc642d3a1c5f89beecbd0006fdaeaf58
MD5 hash: 55a10da7b237a18eccfaffefbd4420ff
humanhash: sweet-tennessee-angel-kitten
File name:IMG_6100045478957000211.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'044'480 bytes
First seen:2022-05-24 15:37:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 25db551bacd3e47a5827f03f30f43ecb (4 x Formbook, 3 x RemcosRAT, 2 x AveMariaRAT)
ssdeep 12288:3sGDrsy7QD25IMRgmDBJzd4+vZiy80LlMXuuLp0rTXNlgPgBuLq:3sGnPIM9LpHVLspMQ4ML
Threatray 1'263 similar samples on MalwareBazaar
TLSH T18B2538B1B2E0D036C72216347D167D7847B56ED0DE34AA12AEECFCD88E35EA13B25146
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter malwarelabnet
Tags:exe modiloader remcos RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
IMG_6100045478957000211.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 00:06:15 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/33aa7aa7-f594-4f49-b9d5-6b615f8625fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274165/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19892/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger replace.exe
Link:
https://www.filescan.io/uploads/628cfbdb6eb3ff3263281d31/reports/fc9d679d-69a3-48c2-b381-8d218dfe3507/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d6123909-350f-4cf2-8fbd-12e703c284c0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1000812
Signature
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3b0ff3262302f0478cdc55f8d77d9d7c999255282a3181bd6cc09a252077ee9/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 09:54:16 UTC
File Type:
PE (Exe)
Extracted files:
77
AV detection:
19 of 25 (76.00%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
08c0273e2bd04a047d150303d4cd05076c2d2877afa82543ce43fc8296d86a7c
RemcosRAT
81b648fca4135b631044dd68aee71ee704dcc930ae635658b9438585c5dc6b90
RemcosRAT
99e39ef9a5267ed9790fbef614fa3a0054025c1cb866295e9e320bc95b128280
RemcosRAT
9c9243f11dd44d1f1ac97716014be57244dca97a514e73d5f13da03392cba358
RemcosRAT
b8df890fac057175f86dc5f301f1e1f6d45b2a1b36598934c3fc0144cf433137
RemcosRAT
d4729baa39aa4e1052e0999c90450a4cdcd4c4e3831c9a791fb99b94036103b4
RemcosRAT
f92693be20b760d1f24228bf91056368c06f33faeaf8fad6517115036d1f37c6
RemcosRAT
+ 1'253 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/220524-s22gysgbg4/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
progesteron610.ddns.net:5330
billdropping9003.duckdns.org:5330
Unpacked files
SH256 hash:
cb4371c8bfd71e36a09b764720cdbe9f9e35661b97e1c781174242ad8a623b24
MD5 hash:
8f6b4ef81142cfb7e431083fcaa4632e
SHA1 hash:
39603d4bb7828285b2e7b45db99d3f08099f2615
Link:
https://www.unpac.me/results/9b3cc212-0d65-44e4-ac08-cff6e88e2fe1/
SH256 hash:
d3b0ff3262302f0478cdc55f8d77d9d7c999255282a3181bd6cc09a252077ee9
MD5 hash:
55a10da7b237a18eccfaffefbd4420ff
SHA1 hash:
5b47fc05cc642d3a1c5f89beecbd0006fdaeaf58
Link:
https://www.unpac.me/results/9b3cc212-0d65-44e4-ac08-cff6e88e2fe1/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d3b0ff326230/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DBatLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3b0ff3262302f0478cdc55f8d77d9d7c999255282a3181bd6cc09a252077ee9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274165/

Comments