MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 deeeb57609c406b43e7e77a38726a357ab063d110c06e4f1c56eb491c20659ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: deeeb57609c406b43e7e77a38726a357ab063d110c06e4f1c56eb491c20659ce
SHA3-384 hash: 4d6b3876b7da3fb032a0351c8beda0a7eef8fbc2bb679c857b4a1d32240c7b5d4948071d27d3fbb160c675e3a2437e7f
SHA1 hash: 4e9dc52869a2a2494e75b9d470f24e30f2a74899
MD5 hash: b341b8e8a0716c39749dd2950d409fb0
humanhash: mirror-september-north-texas
File name:DHL_736526.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'038'856 bytes
First seen:2020-10-02 16:51:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 92aa4f34f0346c8f5f1a6dd46f621676 (1 x RemcosRAT)
ssdeep 12288:KSrVlG/k3LaSj6RvgQ3Uy9cMm5Jmvc4AC84dlWnVOUWEzQraerDZm+GbO:KUOyLa06SGb6Mm5Av8C8yWnmE8rTtmg
Threatray 874 similar samples on MalwareBazaar
TLSH CF259DC22EA15471E0326979DD5753AD1826BE30391C8D0F2EEACA8C5E3D9D3792718B
Reporter James_inthe_box
Tags:exe RemcosRAT

Code Signing Certificate

Organisation:Symantec Time Stamping Services CA - G2
Issuer:Thawte Timestamping CA
Algorithm:sha1WithRSAEncryption
Valid from:Dec 21 00:00:00 2012 GMT
Valid to:Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/67785/
Detection(s):
PUA.Win.Trojan.Generic-6629273-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/480479
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 292679 Sample: DHL_736526.exe Startdate: 02/10/2020 Architecture: WINDOWS Score: 100 42 g.msn.com 2->42 56 Multi AV Scanner detection for domain / URL 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 3 other signatures 2->62 9 DHL_736526.exe 1 15 2->9         started        14 Mvnbnek.exe 13 2->14         started        16 Mvnbnek.exe 13 2->16         started        signatures3 process4 dnsIp5 46 cdn.discordapp.com 162.159.133.233, 443, 49748, 49767 CLOUDFLARENETUS United States 9->46 48 discord.com 162.159.135.232, 443, 49745, 49747 CLOUDFLARENETUS United States 9->48 40 C:\Users\user\AppData\Local\...\Mvnbnek.exe, PE32 9->40 dropped 64 Writes to foreign memory regions 9->64 66 Allocates memory in foreign processes 9->66 68 Creates a thread in another existing process (thread injection) 9->68 18 notepad.exe 4 9->18         started        21 ieinstal.exe 2 3 9->21         started        50 162.159.128.233, 443, 49765, 49766 CLOUDFLARENETUS United States 14->50 70 Multi AV Scanner detection for dropped file 14->70 72 Injects a PE file into a foreign processes 14->72 24 ieinstal.exe 14->24         started        52 162.159.130.233, 443, 49771 CLOUDFLARENETUS United States 16->52 54 162.159.137.232, 443, 49769, 49770 CLOUDFLARENETUS United States 16->54 26 ieinstal.exe 16->26         started        file6 signatures7 process8 dnsIp9 38 C:\Users\Public38atso.bat, ASCII 18->38 dropped 28 cmd.exe 1 18->28         started        30 cmd.exe 1 18->30         started        44 boot.awsmppl.com 185.165.153.126, 2266, 49762, 49768 DAVID_CRAIGGG Netherlands 21->44 file10 process11 process12 32 conhost.exe 28->32         started        34 reg.exe 1 1 28->34         started        36 conhost.exe 30->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/deeeb57609c406b43e7e77a38726a357ab063d110c06e4f1c56eb491c20659ce/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-10-02 16:51:30 UTC
File Type:
PE (Exe)
Extracted files:
161
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=33xlk5qjyqdlipt6o6ryojvdk6vqmpirbqdoj4ofn22jdqqglhha._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0965f63851a278a87bc8886a5b370b150af79d91fb0177a85e181555784ad114
RemcosRAT
1c517ddebb6f5893d52918c51a70e56f68b50dd65e0460a673cce3625a0f8a2b
RemcosRAT
37c2608ad09b3f6d0cd33476b8f6bf6fefd1a0f2408657072da80a0454da7e6f
RemcosRAT
53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e
RemcosRAT
54cdc9b1ede5661104e61f012de44e010500744c2b3003a6ffaff2f3f6eded34
RemcosRAT
96359e31d13a327a3d1de808c5420193be3691628da4f409d8d5ed14be35b038
RemcosRAT
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
RemcosRAT
c2109f44d6d608cb821ea28489e75dbf7c7c18731918f8171bab7445db6e8599
RemcosRAT
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
RemcosRAT
daca967edea399a394a8fc24d5ee647d95dc6dadd9dd21e2945ae7a742b3aed8
RemcosRAT
+ 864 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201002-zq57bhdh1n/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
4c6f5ed41abb00551b234f84dcd997a753dc6ea771af9904319f52bab799a42f
MD5 hash:
ff2394ba740f6fc1c4f67dd4c9a4e2bd
SHA1 hash:
1be082ab7c9bf41f779b213153d2bb4f2a14502f
Detections:
win_dbatloader_g0
Create hunting rule
Link:
https://www.unpac.me/results/4b77b55d-a413-4376-b306-2b69c3a80923/
SH256 hash:
deeeb57609c406b43e7e77a38726a357ab063d110c06e4f1c56eb491c20659ce
MD5 hash:
b341b8e8a0716c39749dd2950d409fb0
SHA1 hash:
4e9dc52869a2a2494e75b9d470f24e30f2a74899
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/4b77b55d-a413-4376-b306-2b69c3a80923/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/deeeb57609c406b43e7e77a38726a357ab063d110c06e4f1c56eb491c20659ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/67785/

Comments