MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ded1412f9509d9fbc0c48687c3611d6cd8356ff0f00a9a2c5836890a5df03925. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ded1412f9509d9fbc0c48687c3611d6cd8356ff0f00a9a2c5836890a5df03925
SHA3-384 hash: d313c9778cd5150c6e2117f2a808073aee4d18469d9210749d1400cdac1d6cc59bdb4173736484b5190fa9526aad8a1e
SHA1 hash: ba08ac0d87b829b49277efcd3cbd2a345338ad00
MD5 hash: 6a1e010d4b1a7f82ebf0dd330155fe77
humanhash: three-summer-emma-helium
File name:6a1e010d4b1a7f82ebf0dd330155fe77
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:608'256 bytes
First seen:2021-08-05 06:06:14 UTC
Last seen:2021-08-05 07:21:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:byTwAFw8YWw+oIPFJnUUvNu9wGl87Dl3hUCwHpyZcmfvdEi/oGjYF7XyQLV8:ewAi6foIdJnUUvkwwkl3AHYZ3ndEco/5
Threatray 1'134 similar samples on MalwareBazaar
TLSH T1B5D423A0E6D5FDA3FB1A0478213AC6F97A332F1D2848DB0D8440BE277A17B534B52D95
dhash icon b168eae46c39d928 (9 x AgentTesla, 8 x SnakeKeylogger, 6 x BitRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Remittance Advice.doc
Verdict:
Malicious activity
Analysis date:
2021-08-04 22:47:51 UTC
Tags:
encrypted
Link:
https://app.any.run/tasks/69eef62d-ec18-4f40-b2ee-027531d892e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176525/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.55766.17780.17970.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Setting a keyboard event handler
Launching a process
Creating a process with a hidden window
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c4d3dcf-f4f7-42cc-b888-131a62fd3893
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827863
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to steal Firefox passwords or cookies
Creates an undocumented autostart registry key
Delayed program exit found
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 460316 Sample: YWXnwYYJj3 Startdate: 06/08/2021 Architecture: WINDOWS Score: 100 58 github.com 2->58 60 avatars.githubusercontent.com 2->60 74 Malicious sample detected (through community Yara rule) 2->74 76 Multi AV Scanner detection for dropped file 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 8 other signatures 2->80 10 YWXnwYYJj3.exe 3 9 2->10         started        signatures3 process4 file5 48 C:\Users\user\AppData\Roaming\...\outlook.exe, PE32 10->48 dropped 50 C:\Users\user\AppData\...\YWXnwYYJj3.exe, PE32 10->50 dropped 52 C:\Users\user\...\_Bbmzsbjgqtrphzjybyx.vbs, ASCII 10->52 dropped 54 2 other malicious files 10->54 dropped 82 Creates an undocumented autostart registry key 10->82 84 Writes to foreign memory regions 10->84 86 Injects a PE file into a foreign processes 10->86 14 YWXnwYYJj3.exe 10->14         started        17 YWXnwYYJj3.exe 3 3 10->17         started        20 wscript.exe 1 10->20         started        signatures6 process7 dnsIp8 88 Multi AV Scanner detection for dropped file 14->88 90 Detected unpacking (creates a PE file in dynamic memory) 14->90 92 Contains functionality to inject code into remote processes 14->92 104 2 other signatures 14->104 56 eter101.dvrlists.com 79.134.225.76, 2050, 49732 FINK-TELECOM-SERVICESCH Switzerland 17->56 94 Writes to foreign memory regions 17->94 96 Allocates memory in foreign processes 17->96 98 Installs a global keyboard hook 17->98 100 Injects a PE file into a foreign processes 17->100 22 svchost.exe 12 17->22         started        24 svchost.exe 17->24         started        102 Wscript starts Powershell (via cmd or directly) 20->102 26 powershell.exe 19 20->26         started        signatures9 process10 process11 28 chrome.exe 397 22->28         started        31 chrome.exe 22->31         started        33 chrome.exe 24->33         started        35 chrome.exe 24->35         started        37 conhost.exe 26->37         started        dnsIp12 68 192.168.2.1 unknown unknown 28->68 70 192.168.2.3 unknown unknown 28->70 72 239.255.255.250 unknown Reserved 28->72 39 chrome.exe 28->39         started        42 chrome.exe 31->42         started        44 chrome.exe 33->44         started        46 chrome.exe 35->46         started        process13 dnsIp14 62 accounts.google.com 142.250.186.173, 443, 49734 GOOGLEUS United States 39->62 64 clients.l.google.com 142.250.186.46, 443, 49735, 58456 GOOGLEUS United States 39->64 66 8 other IPs or domains 39->66
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ded1412f9509d9fbc0c48687c3611d6cd8356ff0f00a9a2c5836890a5df03925/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-05 06:07:08 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
11b16ba733f2f4f10ac58021eecaf5668551a73e2a1acfae99745c50bfccbb44
RemcosRAT
138fa2cd5e89767fd71e4e32719550f54910e3ecc3f81fea5341321cc1b5d429
RemcosRAT
40ef0ea8d499ef74760da82a71c8cf548149e01826b62767c75431cc4cdad67f
RemcosRAT
46131c5f93779a7547011c983be113cbf561fee1f4cba59ce8dd8f0bfb4a48f7
RemcosRAT
995f29caf80a4902430611c45e0619adbcd60e3a9f283a562fce6bd7baebc075
RemcosRAT
a2b745b8a979a49f8f7361caff58117a45e9da4149042299b96f68e3ff3998b1
RemcosRAT
ba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914
RemcosRAT
c032e316eefbacca4b3ddfe7fc2ee9ac5f86daea767232d2322f7fdfe4b18993
RemcosRAT
cbe42b277b9e2d8ad915917a6c9a6cca9858efb70c342462a0a6701b39dda1fc
RemcosRAT
e86d9b9cdf1f341e2c2f811a31d371204d181385f6c32282057b976d25f53591
RemcosRAT
+ 1'124 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:august build rat spyware stealer
Link:
https://tria.ge/reports/210805-7nvx5xpmvn/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
eter101.dvrlists.com:2050
eter103.dvrlists.com:2050
Unpacked files
SH256 hash:
f8e95001df7f3d178ceaaba1e4e642cd997bb459cb3adfb59abe9c923825917f
MD5 hash:
7b24d565a624405613b1eca548838899
SHA1 hash:
b35618d2efefb47914df4b4a8ff2ca881a7755e9
Link:
https://www.unpac.me/results/ad67b094-f70c-4404-be59-6dee817c6e98/
SH256 hash:
d0b625301ce80409e087b5259f491b5edb02e617ddd99e224ca06fbe8ef98f79
MD5 hash:
a05a9f5e0c347dcb80d4358dc421ee32
SHA1 hash:
c29864ede8dbb770af7ff52b6ed069ed6368ed77
Link:
https://www.unpac.me/results/ad67b094-f70c-4404-be59-6dee817c6e98/
SH256 hash:
3f611ac94429a8b670f5e8abb555d39959bbdf13ea786cda19d49f9bab3fc6e8
MD5 hash:
95dc82570418075210510226389f2154
SHA1 hash:
48205d3aeb0545682a7ea93c3e4b98e50bea22e1
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/ad67b094-f70c-4404-be59-6dee817c6e98/
Parent samples :
ded1412f9509d9fbc0c48687c3611d6cd8356ff0f00a9a2c5836890a5df03925
730cad1b268ed70bf04cd6b94439813a6483b69732420a6748a868376c08bea2
SH256 hash:
60833bef0bfcfff42b6036b6080c9bdea8f3f898d4300a680260e72dc8ed4793
MD5 hash:
804872029d55abdd7b47df5a4c9e4fe7
SHA1 hash:
c042bab0dc7529ddd54caf450de29fee9be6413d
Link:
https://www.unpac.me/results/ad67b094-f70c-4404-be59-6dee817c6e98/
SH256 hash:
ded1412f9509d9fbc0c48687c3611d6cd8356ff0f00a9a2c5836890a5df03925
MD5 hash:
6a1e010d4b1a7f82ebf0dd330155fe77
SHA1 hash:
ba08ac0d87b829b49277efcd3cbd2a345338ad00
Link:
https://www.unpac.me/results/ad67b094-f70c-4404-be59-6dee817c6e98/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ded1412f9509/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ded1412f9509d9fbc0c48687c3611d6cd8356ff0f00a9a2c5836890a5df03925

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe ded1412f9509d9fbc0c48687c3611d6cd8356ff0f00a9a2c5836890a5df03925

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1506968/
Cape
Cape
https://www.capesandbox.com/analysis/176525/

Comments


Avatar
zbet commented on 2021-08-05 06:06:15 UTC

url : hxxp://augustair.com/log/remit/edi.exe