MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbdfdfd7484f894b17543d60c28c96c570e5f4fb61fc26a7fa6d87b68b3d2831. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	dbdfdfd7484f894b17543d60c28c96c570e5f4fb61fc26a7fa6d87b68b3d2831
SHA3-384 hash:	4e8848de681e7da0b5bfb1dc586216793b92fb800497aac8b6e5005696a3a5027c16742d1f01d6f725530f123abff8b8
SHA1 hash:	60118e4ec6d96c7e457c7c05b551c75c308fde21
MD5 hash:	16212924bc112b82654a2806e6f542b0
humanhash:	sixteen-alaska-massachusetts-arkansas
File name:	REQUEST FOR QUOTE 202209.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'223'680 bytes
First seen:	2022-09-17 08:17:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:SXccphkaH2VglK0WsU3Sa/TXDOb2+xRyyVQ8MiqptB9:acOplKPdJy5j/m5rB9
Threatray	2'166 similar samples on MalwareBazaar
TLSH	T1F6456C0721D509A5C17290FC24CCC5B35BAA9E45E63BC946BFC9DCAFF592F3846D22A0
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	GovCERT_CH
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

393

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

REQUEST FOR QUOTE 202209.exe

Verdict:

Malicious activity

Analysis date:

2022-09-17 08:21:06 UTC

Tags:

trojan stealer keylogger remcos

Link:

https://app.any.run/tasks/5135664b-5369-4409-91fa-416a9f419d1c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/310898/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.42183.UNOFFICIAL

SecuriteInfo.com.Trojan.Inject4.42577.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed remcos

Link:

https://www.filescan.io/uploads/632582f81183046074aa8ca3/reports/aa085cc9-931f-4716-801a-b22cd8fe250a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2985f396-f03a-43e7-ba89-93fbe042a827

Result

Threat name:

Remcos

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1072195

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Uses dynamic DNS services

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/dbdfdfd7484f894b17543d60c28c96c570e5f4fb61fc26a7fa6d87b68b3d2831/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-09-09 03:44:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

29 of 40 (72.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3pp57v2ij6euwf2uhvqmfdewyvyol5h3mh6cnj72nwd3ncz5fayq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065

RemcosRAT

7544af0313e3be873eee7b54815dac5d0dece0bfd39b0c4e93bfe34516baa387

RemcosRAT

7f89f38c1c2a3e42e7fe2d1c286816361fe77aa49d1d474de200df6eb2dbda81

RemcosRAT

9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285

RemcosRAT

e1eb708f47303b831f6eb0ddc846e21782e8f727dcb0088fcb997c3bf0d4dbd3

RemcosRAT

e76cebc404b8a79e2ab806a3e501b9d2f7260ea1d12f804320c1130be205dff6

RemcosRAT

+ 2'156 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:new rem stub collection rat spyware stealer

Link:

https://tria.ge/reports/220917-j69vfshdg9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Reads user/profile data of web browsers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Remcos

Malware Config

C2 Extraction:

valvesco.duckdns.org:5050

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/dd071562-eb5a-4266-9407-bb9984227740

Unpacked files

SH256 hash:

8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63

MD5 hash:

dbc7be56e6e32349315170599c8b333f

SHA1 hash:

d8e5840e3574b87d435e55a65ac648e040871aee

Link:

https://www.unpac.me/results/339657fa-eb42-4589-9f22-ab96187bf513/

SH256 hash:

bda62537056050d1feaa56b8457494f42fccd7dd5c897b55a0b09ba461ff8fef

MD5 hash:

62d1de7d4c81b358aa524baa91f08054

SHA1 hash:

c8db6e4d6546c794cdcf7a5bd1abe5276b80716d

Link:

https://www.unpac.me/results/339657fa-eb42-4589-9f22-ab96187bf513/

SH256 hash:

16bd669e64481f5598098786ce1f1d660463829a28de8f66e59c0150e87044fd

MD5 hash:

31071ddd414ccb031eae4d93deef0338

SHA1 hash:

c62526fdf5a320d9dc46ec19bbfa14fc39d8703b

Link:

https://www.unpac.me/results/339657fa-eb42-4589-9f22-ab96187bf513/

SH256 hash:

c289ec2f57b341220c33145c8b6474d1011d387ab39dacb7b17d69c359548448

MD5 hash:

bd2adeed00397e7545a539d761458af9

SHA1 hash:

b5a1cbca39c6923308f914accf611771996f7097

Detections:

win_remcos_auto

Link:

https://www.unpac.me/results/339657fa-eb42-4589-9f22-ab96187bf513/

Parent samples :

b6ebe092221b9cb70949480fbc97133fa1e408c657150bb50c41171321b2fb73
788a6a0d67e10a4235043d0f12cc5841ab77bac0518842aea964e720318f674d
dbdfdfd7484f894b17543d60c28c96c570e5f4fb61fc26a7fa6d87b68b3d2831
383f6ffeb727943af4e96cc93ab2615b14fd8b09c7e376aebc455ef82913f07f
d4bee566c89c0e8c89f0539d2d49279f844317c54ee3216c049f038b773de8dc
2fd70cf5a6097502fb9123e63b6674666134a56927943bc8b7d79dc00bb7c02d
f851ccd89ef8f8e28648ff600789364e9caf5c522a5e7238cee619a229cc821d
5542dd26db06cbc6b03f1323db7ff6792a69bcf3dcd6a6c978b91018c7f0a0ee
2068d6dc1ef76f480e3fefd9fb239555d5f136c6c94d35232c273414ef4531f6
d99b0d328a7e19981cc4e1dcfbdeb336c84577a020bd4a84d72d28a7930282ea
84eedf1c6f0b09177547e350d6bb53ee3b84aa48878f8f9d9135fdc69faa3535
0ac5715dbbb22286a1cc79fe33377cd2dcb71ac6ad5d876da8e938684e7d7cf8
8791b0b7f4a499d66dbbc5b41ea20cb13af614bdc62e62392bf041065e9ddb0f
d6ee6bb4bf80fe883da0a277b1f1f12fb40c00d4893cfff05060b1ebf4a5ca96
aeb68306ca8e87ec5421349055053758fe1dcb293f75aac568b6b1752c1ab631
72333871ff2e5b9a7ae7e7c11af0c2ccbac7ac53bb60976cf0bcdfabceb5059f
869b27dcb4475a95c0af50db49fad8c40730df5464a5c5482032ce5ffc578feb
7666415f1d2f03e6a14e4f058b012ec6ed4a77cd3ecd1398817b2ac97b25cbc5
8e2730f5984afe0586003190249b7c9e5c51a3ef2ba0c2194db5dcd21242c20b
1e48f5be58b577bc76423894dadf647800f1da1afab2f3c1c82c08f3b66b4981

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/339657fa-eb42-4589-9f22-ab96187bf513/

SH256 hash:

dbdfdfd7484f894b17543d60c28c96c570e5f4fb61fc26a7fa6d87b68b3d2831

MD5 hash:

16212924bc112b82654a2806e6f542b0

SHA1 hash:

60118e4ec6d96c7e457c7c05b551c75c308fde21

Link:

https://www.unpac.me/results/339657fa-eb42-4589-9f22-ab96187bf513/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dbdfdfd7484f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/dbdfdfd7484f894b17543d60c28c96c570e5f4fb61fc26a7fa6d87b68b3d2831

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe dbdfdfd7484f894b17543d60c28c96c570e5f4fb61fc26a7fa6d87b68b3d2831

(this sample)

Dropped by

RemcosRAT

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/310898/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample