MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d79ba47a55b5dcb4cf6e76ac13bd3179e1523d5904483232d9ce9d39915dbc69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 11


SHA256 hash: d79ba47a55b5dcb4cf6e76ac13bd3179e1523d5904483232d9ce9d39915dbc69
SHA3-384 hash: be2178e2610393a2ee914848cff6469cea716c804a6bdaf8e9c30bc4e2e71a9efc90851e886b01286ccf7dc582de6fbc
SHA1 hash: eae4825368e0ed56db5484012303add569cb98e9
MD5 hash: 9b8ae8edfe553edea6108dceebcc57b8
humanhash: bravo-nitrogen-nine-oxygen
File name: 9b8ae8edfe553edea6108dceebcc57b8
Signature: RemcosRAT
File size: 811'520 bytes
First seen: 2021-09-16 05:30:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 91f41270d021c09d2e59583bf5cdff98 (5 x RemcosRAT, 1 x Formbook)
ssdeep: 24576:W0WE0AyOVWoKcwdZHGIZHrIzvlZwXI7Dyj3SaH+MJu:W0WEoQhudZS
Threatray: 332 similar samples on MalwareBazaar
TLSH: T1EF056D5AA1906872F01F7A305C55CBECE91ABD843E1ADC3A55FCC9B62F287D12C5C09B
dhash icon: 88c7ce3cbddc2f31 (24 x RemcosRAT, 12 x Formbook, 8 x Loki)
Reporter: zbetcheckin
Tags: 32 exe RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: BoFA Payment Advice_2021159.xls
Verdict: Malicious activity
Analysis date: 2021-09-15 23:56:21 UTC
Tags: macros macros-on-open loader maldoc-20 rat remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware keylogger
Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID: 484282; sample: IQl00lxPjo; start date: 16/09/2021; architecture: WINDOWS; score: 100)
Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures
Process tree (rebuilt from the graph nodes):
  IQl00lxPjo.exe
    DNS/IP: sn-files.fe.1drv.com, qclvzw.sn.files.1drv.com, onedrive.live.com
    Dropped: C:\Users\Public\Libraries\Dsqbhgvf.exe (PE32)
    Signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    started DpiScaling.exe
      DNS/IP: twistednerd.dvrlists.com 31.3.152.100 port 8618 (local port 49768), ALTUSNL, Sweden
      Signatures: Contains functionalty to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; 3 other signatures
    started cmd.exe
      started reg.exe
        started conhost.exe
      started conhost.exe
    started cmd.exe
      started cmd.exe
        started conhost.exe
      started conhost.exe
  Dsqbhgvf.exe
    DNS/IP: sn-files.fe.1drv.com, 2 other IPs or domains
    Signatures: Multi AV Scanner detection for dropped file; Allocates memory in foreign processes
    started dialer.exe
  Dsqbhgvf.exe
    DNS/IP: sn-files.fe.1drv.com, 2 other IPs or domains
    started dialer.exe
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2021-09-16 03:43:57 UTC
AV detection: 22 of 42 (52.38%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:modiloader family:remcos botnet:sept persistence rat trojan
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction: twistednerd.dvrlists.com:8618

Unpacked files
SHA256 hash: 519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash: 3da921c9355d01d335cf03159a950030
SHA1 hash: 3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf

SHA256 hash: d79ba47a55b5dcb4cf6e76ac13bd3179e1523d5904483232d9ce9d39915dbc69
MD5 hash: 9b8ae8edfe553edea6108dceebcc57b8
SHA1 hash: eae4825368e0ed56db5484012303add569cb98e9

Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RemcosRAT
File: Executable exe d79ba47a55b5dcb4cf6e76ac13bd3179e1523d5904483232d9ce9d39915dbc69 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2021-09-16 05:30:01 UTC

url : hxxp://192.210.214.221/fig.exe