MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9
SHA3-384 hash: 838efa34bdfcd04d850cca1c6e2bd005601a1167b45d37d926a542dafd60ef4b2322cbab03e4a94f8240abd0d2421212
SHA1 hash: 4641de772c6a17705cb4fbd8b679250da15c3aca
MD5 hash: 93c7ab460e0c4d7379228b5e5c90da60
humanhash: leopard-lactose-virginia-ohio
File name:Document.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'039'360 bytes
First seen:2021-03-06 05:59:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c5647b86b09cfc0f1762d3113675fec (2 x RemcosRAT)
ssdeep 12288:ida++OCNr8oSF+g6BMe7dxnA47BFBcV4KPg7MK/WfjUMlVtUI3x:idt/yS/QNRA8CVxPi7ylC
Threatray 111 similar samples on MalwareBazaar
TLSH 8625F5B2E8568E32F01B103DDA1EE6354806BDF1391CD49A6FE87F05AB6774836158B3
Reporter abuse_ch
Tags:DHL exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: mail.postdelivery.xyz
Sending IP: 161.97.149.176
From: Dhl Customer Support <issue@postdelivery.xyz>
Subject: Delivery Failed
Attachment: Attachment.iso (contains "Document.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Document.exe
Verdict:
Malicious activity
Analysis date:
2021-03-06 06:00:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f3dfc918-b0a9-4dbe-a7d7-f80115d27f54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122574/
Detection(s):
Win.Dropper.Fareit-9838621-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/630402
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-03-05 21:46:34 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=225x2aqywceuxtdtgbssmedjyhfu4fi3jsrwp436rcgsx2wmbxmq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
20fe5347a7254b7f5d75c7fce2542b88abdb8d1939afe621544c61d35e45bdee
RemcosRAT
604bc26afab3f25d1c4d98e45872e798eef3061cc8720be0db28d900bddb277c
RemcosRAT
6ebfb5f6ff23404832ee6380a09aee89b19186eccc66fea2512b2708ee00c329
RemcosRAT
71f60a985d2cc9fc47c6845a88eea4da19303a96a2ff69daae70276f70dcdae0
RemcosRAT
b0dad01939e09e869b27e59d7a7d7c79fdd31bb4a8c52153844c23c3c34bf368
RemcosRAT
b6e24ae319f72f87dbf9d5e6fc2394737b938f7eb391a39c5043114458f31733
RemcosRAT
b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839
RemcosRAT
cbf5b54d5d1c70086efefea16f38b80a329cb96bb5a59e709b0ab2304acb157c
RemcosRAT
ef6ac1293cdfda22c8d940f96c5433f406a4c3666e6941e4f094a8cf50d04ac1
RemcosRAT
f436b8e7b214f3f56d0c62326e37653f87184760b406ab4f6eae79a5c34297b1
RemcosRAT
+ 101 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210306-vsfykjkvsn/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
Bruno.camdvr.org:2404
Bruno1.camdvr.org:2404
Bruno2.camdvr.org:2404
127.0.0.1:2404
Unpacked files
SH256 hash:
f9f8a2abd0de5a2052dee5631163e4cd6124873fe5ee6e80089a6be9f2b209a3
MD5 hash:
2dadb1d18f8141233c7b74fd7bb31306
SHA1 hash:
5101e36d15db1f5592af8b05934b1854d9a93d8a
Link:
https://www.unpac.me/results/21eb81c0-f1fa-4dd7-ae62-dede7a17c90a/
SH256 hash:
d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9
MD5 hash:
93c7ab460e0c4d7379228b5e5c90da60
SHA1 hash:
4641de772c6a17705cb4fbd8b679250da15c3aca
Link:
https://www.unpac.me/results/21eb81c0-f1fa-4dd7-ae62-dede7a17c90a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso d73fc4300d5a131a8862d6991478148b128d18982a453a1dbd0f5482e1ccd340

RemcosRAT

Executable exe d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9

(this sample)

  
Dropped by
MD5 dfce3675f9131ad430634c4eaa7ea6ac
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/122574/
  
Dropped by
SHA256 d73fc4300d5a131a8862d6991478148b128d18982a453a1dbd0f5482e1ccd340

Comments