MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d414675059a6174a77594d50fd2b6c99ca6519e6371dac4912c91df01f4071f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d414675059a6174a77594d50fd2b6c99ca6519e6371dac4912c91df01f4071f6
SHA3-384 hash: 174410b4e89fa11a012a6c0a11fdf7f810344d9e4218b8833e123fbe24668b7a47645a5a6df6478f605b7549d6edccea
SHA1 hash: 929b319fc55961315f7c9c7d16cd8b0b6c6376fb
MD5 hash: ff5cda9e0f62d91b71fdf7d0a3b98de4
humanhash: golf-bacon-november-video
File name:Confirmación del pedido- No HD10103,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:855'040 bytes
First seen:2021-09-13 20:29:06 UTC
Last seen:2021-09-13 22:19:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ff77f39ae1ec37d413fa1e15e4c4ad3 (3 x RemcosRAT, 2 x NetWire, 1 x BitRAT)
ssdeep 12288:Kz9igLiYnwThUprpw7/+mxgL5xUpWFvGwEcY8jAbf9uD:KEAiZUprpw73KSMV//ifA
Threatray 710 similar samples on MalwareBazaar
TLSH T1BF057EA3F3C48872F03B1A39AC56E5895C3DFCE53A094C8E23A5BB47EA7176994C5017
dhash icon 274e4d3305010141 (7 x RemcosRAT, 2 x NetWire, 2 x Formbook)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Confirmación del pedido- No HD10103,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-13 20:31:17 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/87f77596-be7c-43f2-a502-d3b6e427d8b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm keylogger
Link:
https://www.filescan.io/uploads/6175055edb358dd15ed91d9c/reports/5738d79f-f280-42cc-8fa7-d9de0f0e0a96/overview
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0714d1ef-72b7-4744-86cd-a146cf96e2b9
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850146
Signature
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 482577 Sample: Confirmaci#U00f3n del pedid... Startdate: 13/09/2021 Architecture: WINDOWS Score: 100 44 ongod4ever.ddns.net 2->44 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Detected Remcos RAT 2->66 68 3 other signatures 2->68 9 Confirmaci#U00f3n del pedido- No HD10103,pdf.exe 1 21 2->9         started        14 Uddsiqlo.exe 15 2->14         started        16 Uddsiqlo.exe 16 2->16         started        signatures3 process4 dnsIp5 48 twp66a.dm.files.1drv.com 9->48 50 onedrive.live.com 9->50 52 dm-files.fe.1drv.com 9->52 42 C:\Users\Public\Libraries\Uddsiqlo.exe, PE32 9->42 dropped 78 Writes to foreign memory regions 9->78 80 Creates a thread in another existing process (thread injection) 9->80 82 Injects a PE file into a foreign processes 9->82 18 mobsync.exe 2 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        54 twp66a.dm.files.1drv.com 14->54 58 2 other IPs or domains 14->58 84 Multi AV Scanner detection for dropped file 14->84 26 mobsync.exe 14->26         started        56 twp66a.dm.files.1drv.com 16->56 60 2 other IPs or domains 16->60 28 DpiScaling.exe 16->28         started        file6 signatures7 process8 dnsIp9 46 ongod4ever.ddns.net 194.147.140.9, 49752, 49756, 49757 PTPEU unknown 18->46 70 Contains functionality to steal Chrome passwords or cookies 18->70 72 Contains functionality to inject code into remote processes 18->72 74 Contains functionality to steal Firefox passwords or cookies 18->74 76 Delayed program exit found 18->76 30 reg.exe 1 22->30         started        32 conhost.exe 22->32         started        34 cmd.exe 1 24->34         started        36 conhost.exe 24->36         started        signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d414675059a6174a77594d50fd2b6c99ca6519e6371dac4912c91df01f4071f6/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 20:30:07 UTC
AV detection:
7 of 43 (16.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2qkgouczuyluu52zjvip2k3mthfgkgpgg4o2ysiszeo7ah2aoh3a._file
Verdict:
malicious
Similar samples:
0ece37571329db1a83a8efeb0ed01d267ea7c2c349c235b2f4cc26bd07bb7df6
RemcosRAT
15851690d3cb99d95e82bb47d3f31db71688c69dd50b0a8367e97aa3b501b637
RemcosRAT
174d091dcf5a5b2c4af35b5df2e4094ddf31bc589208f7b79ff5fc0db2dde514
RemcosRAT
6b637314dc7b63dfce69d3efe9b792d8fb2fbb0d9f19ea70aa0ff83ae8dbd495
RemcosRAT
83080b8c4c08c8da536e213b6d03a7bff6541bb02aa95f804cd896567bfaeebf
RemcosRAT
a737c6bf1fe3e63d6d187d114d887c6c1e722579fc9caab72ce4451564e165f6
RemcosRAT
bb63c61554ccc2caa79eec3705c3e4ce41626e88f375a8a1bc5b514e489b0f04
RemcosRAT
e2293ae17fbdeb8e626efa388175c1144d82f12efe55990aa658f1c21445c47f
RemcosRAT
+ 700 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:able god persistence rat
Link:
https://tria.ge/reports/210913-y961ashddj/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
ongod4ever.ddns.net:5652
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/b67287cf-a51f-4837-bc11-6b39a36b0e9e/
SH256 hash:
d414675059a6174a77594d50fd2b6c99ca6519e6371dac4912c91df01f4071f6
MD5 hash:
ff5cda9e0f62d91b71fdf7d0a3b98de4
SHA1 hash:
929b319fc55961315f7c9c7d16cd8b0b6c6376fb
Link:
https://www.unpac.me/results/b67287cf-a51f-4837-bc11-6b39a36b0e9e/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d414675059a6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d414675059a6174a77594d50fd2b6c99ca6519e6371dac4912c91df01f4071f6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments