MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e
SHA3-384 hash: 5db1dbc3b374da633f10118b1bae7b0a77754d8eee35fed6bd4571ec03592d21f264149acf4baf061ba02fde07ee37ff
SHA1 hash: 2e70c2033b5f07ff3ca69ba396080e10b240f810
MD5 hash: afd35e9511ec398191a4027c5db6e5a6
humanhash: mike-bulldog-thirteen-rugby
File name:IMG_4100047645799946532.scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:950'272 bytes
First seen:2022-01-20 10:26:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d571f528db93ab4c8d72c51955dc7b93 (1 x AveMariaRAT, 1 x Formbook, 1 x RemcosRAT)
ssdeep 12288:wHFymIc+xnYsoAFlK/st03JMAIliAhojhZBYf2WZsOvVyW7T3bnvwl2:wHeaAFlKYevUBb2yyKT7v
Threatray 1'473 similar samples on MalwareBazaar
TLSH T1C5156D23F1928432D5271E394C27E7B959297E117E29BA477AD47E0C4F3B2813929EC3
File icon (PE):PE icon
dhash icon 63111616171fffee (13 x Formbook, 5 x RemcosRAT, 3 x AveMariaRAT)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221033/
Detection(s):
SecuriteInfo.com.Trojan.Injector.24247.28060.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4902/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe keylogger replace.exe
Link:
https://www.filescan.io/uploads/61e938fbf81da814af924048/reports/a940cc71-3852-484b-a600-f2ea7e17b865/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a782124-f1ba-45de-a1b7-48f07e930018
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/924345
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 556819 Sample: IMG_4100047645799946532.scr Startdate: 20/01/2022 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 8 other signatures 2->45 6 IMG_4100047645799946532.exe 1 16 2->6         started        11 Nwcxcxffke.exe 13 2->11         started        13 Nwcxcxffke.exe 14 2->13         started        process3 dnsIp4 27 tothproject.hu 185.33.54.16, 443, 49742, 49743 SERVERGARDEN-ASServergardenKftHU Hungary 6->27 23 C:\Users\user\Contacts23wcxcxffke.exe, PE32 6->23 dropped 25 C:\Users\...25wcxcxffke.exe:Zone.Identifier, ASCII 6->25 dropped 47 Writes to foreign memory regions 6->47 49 Creates a thread in another existing process (thread injection) 6->49 51 Injects a PE file into a foreign processes 6->51 15 DpiScaling.exe 2 6->15         started        53 Antivirus detection for dropped file 11->53 55 Multi AV Scanner detection for dropped file 11->55 19 logagent.exe 11->19         started        21 logagent.exe 13->21         started        file5 signatures6 process7 dnsIp8 29 flatbar21004.duckdns.org 185.140.53.147, 49758, 7810 DAVID_CRAIGGG Sweden 15->29 31 Contains functionality to inject code into remote processes 15->31 33 Contains functionality to steal Firefox passwords or cookies 15->33 35 Delayed program exit found 15->35 37 Contains functionality to steal Chrome passwords or cookies 19->37 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 10:27:34 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3x6eifjbp3cgcniaogyjmwqrgkwugrzl3qkzqdnchrdnr4o2dcha._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
18f51c19c22914e634d9cfcd86018e676e91d1c4a9293c247a3c9da84dce3f60
RemcosRAT
3a7a42d1cb828cdb0f1ea382a8859052b7862414cdb3a5e2d623e922d4d00485
RemcosRAT
57e117773ebe7caaac7d1db9759f5c8313d15db896f7b736459c65164770a5f5
RemcosRAT
65c55c73382e84ea8a229ba4c65ce12c956b3e86916e343ed6e933a10735e9b1
RemcosRAT
7a25e7868a967540a3dc4c8fa89f07444c4b714c4d2f3add235a7f0c33099c57
RemcosRAT
ed57a7a3f8709be19e7451aa4fb7b7af9586df41f9d63aefc4b30b8b7a5de90a
RemcosRAT
+ 1'463 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/220120-mg376ahegr/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Adds Run key to start application
Sets service image path in registry
Remcos
Malware Config
C2 Extraction:
flatbar21004.duckdns.org:7810
playtime40098.ddns.net:7810
Unpacked files
SH256 hash:
9cebbcef1bd6016dfebf4c69f4c49501d914d5a8607777eba952d7ad40346f9a
MD5 hash:
322f2da5c29542aaecc9ee17e1fe7f00
SHA1 hash:
734c432e2595d53c82ee28604f909d3390018dd8
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/a0716dce-8a32-4c05-a83f-3d8c06542272/
Parent samples :
a7d0cff6a05994c0ae576fa842e44a101879317f62466923f1d96adee2c4a898
770c04c7c3a53d584af17e38e8e3fe5767d431e26ca59b4dc20de71045354295
c1bd90e8816e506f387b5552b7487423da84b9818cf4e94f175ed7206cffe4f5
b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e
bed2b6abf700b607d4f856c63832bae23f4120a8786b5af4cbdaa0d8525a47bc
0d9facf6b7073de4e3db19eb64e80589d98cfe35b66942191390a891bb8b241c
3add41c98717984fa6f6d1bff7b1506024e2d91932b60a43810498c44daaef86
ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e
b5cea089bb899e75deef98dc1569dc3af17a070f6fa594377b49299d63bbbd8f
7b2232160ba59858c112d6dcb2252701cdb5c1e38b216fb046bd13718c2716ce
b83152fc7fc7aa9950add1de9c3d12e107e3b6eb481c1a368018ed26d3792cdc
0ba0cd39397ce42a5a678b0ef803f99267dc16de6383f61107e298633e23e436
f69c67cbf4e8f7e6d0f9157de994b80e6eb0f7b251dcc461940d51659055640f
5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef
cab0b398ecbf051d2fefcd25624c8f2b8119d52304c4e9836ede3b5391119fe6
4e837a08dd24b1f710c6fce10f974a49141decf103d6aeb290c0d36bba75121b
7a5846b1a7c0bbada0892d8b315bef3b4682192268da9ea779e98449681dd7ed
94ca0af32ea93d62fa355e450747ae9755c5dcd09e7b4186cd5bd04d7fc56565
0183d2fd44e215d6dc408bec45db9767a765767737b737032ff97e75adca46cd
5a04697834016e869389ef0d6a08656669cf5597fe0a6378a993250d311482e3
01e537ab28cea013b9a08939057369aa9369e8ff009231cb95101dc24348bb2e
76389098be8a410aaf6b21297912f6ef745db6e8a2f2aaaddda8685bd91091c3
662c7dc1c6b6fbc7cb4622876c0b0b2a42dba7081adede8a65182aef085f7082
7793e93512bcef7b9d90de59ef17b8771ecc9da854da2f4c8b3be8ba3c5a2c20
SH256 hash:
ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e
MD5 hash:
afd35e9511ec398191a4027c5db6e5a6
SHA1 hash:
2e70c2033b5f07ff3ca69ba396080e10b240f810
Link:
https://www.unpac.me/results/a0716dce-8a32-4c05-a83f-3d8c06542272/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/221033/

Comments