MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df9d8b2795a0c694bc4109aa303ffd114d221cbfbeddcd2400b89d5fcc010e3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 8



SHA256 hash: df9d8b2795a0c694bc4109aa303ffd114d221cbfbeddcd2400b89d5fcc010e3c
SHA3-384 hash: 14c4cb4123b434b8a990fcee69861f6731904fc77ec3de635a1492a2b1440911badd96ed481f64be91102d759224e5e8
SHA1 hash: bcaa7b5f8399599cb3c98c0f3210729276b01a78
MD5 hash: 3b0856696acb8270f0b35cad85b0520e
humanhash: michigan-rugby-fish-maryland
File name: ENGEMED P.O OFF0027307,pdf.exe
Signature: RemcosRAT
File size: 588'288 bytes
First seen: 2021-07-27 22:42:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b72347a2968bb32befc95cc909a67f1f (1 x NetWire, 1 x RemcosRAT, 1 x Formbook)
ssdeep: 12288:0CyAqPpF+twTE3p37yjpRwn4d/x8cTX22ERKa4:0VOtwTSun7X
Threatray: 311 similar samples on MalwareBazaar
TLSH: T17CC49FA6BA5394B3D25273BC8C1B7769A911FC4029B82C8736F4FC785B7AF813215187
dhash icon: 63311c0e4f3bffee (11 x Formbook, 7 x RemcosRAT, 3 x NetWire)
Reporter: GovCERT_CH
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 100
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ENGEMED P.O OFF0027307,pdf.exe
Verdict: Suspicious activity
Analysis date: 2021-07-27 22:46:36 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 60 / 100
Signature
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph: Gathering data

Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2021-07-22 21:46:22 UTC
AV detection: 12 of 28 (42.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash: d174ea83359cec0b0a35da88fa2a1791a1308e35a5e36e83f51a2723e48582a6
MD5 hash: 5c63077607b089e7045eb5e93d8324d9
SHA1 hash: 9ca12c4d6e4a97269d26fe6755aae441276bff42
SHA256 hash: df9d8b2795a0c694bc4109aa303ffd114d221cbfbeddcd2400b89d5fcc010e3c
MD5 hash: 3b0856696acb8270f0b35cad85b0520e
SHA1 hash: bcaa7b5f8399599cb3c98c0f3210729276b01a78
Please note that we are no longer able to provide a coverage score for VirusTotal.
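The SHA256, SHA3-384, SHA1 and MD5 values in the entry header, together with the SHA256/MD5/SHA1 of the unpacked file listed above, are the indicators an analyst uses to confirm that a file in hand is this sample. The Python script below is an added example, not code from MalwareBazaar or from the reporting vendors: it computes those digests for a local file (streamed, so large samples are not read into memory) and matches them against the values copied from this entry. Any single cryptographic-hash match identifies the file; no match only means the exact byte sequence differs, which is what the ssdeep, TLSH and imphash values on the page are for (they need the ssdeep, tlsh and pefile packages and are not computed here). The digests of an empty input used as a check are standard test vectors, not data from the page.

```python
import hashlib

# IOC hashes copied from this MalwareBazaar entry: the submitted file
# (entry header) and the unpacked file listed under "Unpacked files".
SAMPLE_IOCS = [
    {
        "label": "submitted sample (ENGEMED P.O OFF0027307,pdf.exe)",
        "sha256": "df9d8b2795a0c694bc4109aa303ffd114d221cbfbeddcd2400b89d5fcc010e3c",
        "sha3_384": "14c4cb4123b434b8a990fcee69861f6731904fc77ec3de635a1492a2b1440911badd96ed481f64be91102d759224e5e8",
        "sha1": "bcaa7b5f8399599cb3c98c0f3210729276b01a78",
        "md5": "3b0856696acb8270f0b35cad85b0520e",
    },
    {
        "label": "unpacked file",
        "sha256": "d174ea83359cec0b0a35da88fa2a1791a1308e35a5e36e83f51a2723e48582a6",
        "sha1": "9ca12c4d6e4a97269d26fe6755aae441276bff42",
        "md5": "5c63077607b089e7045eb5e93d8324d9",
    },
]

# hashlib names for the four cryptographic digests MalwareBazaar lists.
ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")


def compute_digests(data):
    """Lowercase hex digests of an in-memory blob for every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digests_for_file(path, chunk_size=1 << 20):
    """Same result as compute_digests, but streams the file through all hashers at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests, iocs=SAMPLE_IOCS):
    """Return [(label, algorithm), ...] for every IOC value equal to a computed digest.

    Comparison is case-insensitive because threat feeds mix upper- and lower-case hex.
    Entries may list only some algorithms (the unpacked file has no SHA3-384), so
    missing keys are skipped rather than treated as mismatches.
    """
    hits = []
    for entry in iocs:
        for name in ALGORITHMS:
            expected = entry.get(name)
            if expected and name in digests and digests[name].lower() == expected.lower():
                hits.append((entry["label"], name))
    return hits


if __name__ == "__main__":
    import sys

    # Usage: python check_iocs.py <file> [<file> ...]
    for path in sys.argv[1:]:
        d = digests_for_file(path)
        hits = match_iocs(d)
        print(path, "sha256=" + d["sha256"], "MATCH" if hits else "no match", hits)
```

A match on any one of the four algorithms is conclusive for the submitted bytes; the script reports which entry and which algorithm matched so that an MD5-only hit from an older feed can be told apart from a full SHA256 confirmation.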

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
Executable exe df9d8b2795a0c694bc4109aa303ffd114d221cbfbeddcd2400b89d5fcc010e3c (this sample)

Delivery method: Distributed via e-mail attachment
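The attachment name ENGEMED P.O OFF0027307,pdf.exe pairs a purchase-order lure with a ",pdf.exe" tail: on a Windows desktop that hides known file extensions the name displays as ending in "pdf", while the MIME type recorded above is application/x-dosexec and the sandbox flagged an icon borrowed from another application. The Python below is an added example, not code from MalwareBazaar or from the reporter, of the two checks a mail gateway or triage script would run on such an attachment: a decoy-extension check that also catches the comma, underscore and space separators a naive ".pdf.exe" rule misses, and a magic-byte check that the content really is a Windows PE. The extension lists, the magic-byte table and the file names and header bytes used for testing are assumptions constructed for the example.

```python
import re

# Extensions Windows will execute directly when a user double-clicks the attachment
# (assumed list for the example; extend to match local policy).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "cpl", "lnk"}

# Extensions users expect to be harmless documents or images: the decoy.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "txt", "rtf", "jpg", "jpeg", "png", "gif", "csv"}

# Magic bytes for the container types relevant here (assumed minimal table).
MAGIC = [
    (b"MZ", "application/x-dosexec"),    # DOS/PE executable, the MIME type on this entry
    (b"%PDF", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),  # also docx/xlsx/pptx containers
]

# "<separator><decoy-ext>.<real-ext>" at the end of the name. The separator class
# includes ',', '_', '-' and whitespace on purpose: this sample uses ",pdf.exe",
# which a check for a literal ".pdf.exe" double extension would not see.
_DOUBLE_EXT = re.compile(r"[.,_\s-]([a-z0-9]{1,4})\.([a-z0-9]{1,4})$")


def deceptive_extension(filename):
    """Return (decoy_ext, real_ext) when an executable is dressed as a document, else None."""
    m = _DOUBLE_EXT.search(filename.lower().strip())
    if not m:
        return None
    decoy, real = m.group(1), m.group(2)
    if real in EXECUTABLE_EXTS and decoy in DOCUMENT_EXTS:
        return decoy, real
    return None


def sniff_mime(head):
    """Identify the container type from the first bytes of the file, or None if unknown."""
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    return None


def triage_attachment(filename, head):
    """Findings for an e-mail attachment given its name and its first bytes."""
    findings = []
    decoy = deceptive_extension(filename)
    if decoy:
        findings.append(f"deceptive name: looks like .{decoy[0]} but is .{decoy[1]}")
    mime = sniff_mime(head)
    ext = filename.lower().strip().rsplit(".", 1)[-1] if "." in filename else ""
    if mime == "application/x-dosexec":
        findings.append("content is a Windows executable (MZ header)")
        if ext in DOCUMENT_EXTS:
            # Name claims a document but the bytes are a PE: renamed executable.
            findings.append(f"extension .{ext} does not match executable content")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the page's attachment name with a fake PE header,
    # a genuine-looking PDF, and a PE renamed to .pdf. Not the real sample bytes.
    for name, head in [
        ("ENGEMED P.O OFF0027307,pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("report.pdf", b"%PDF-1.7\n"),
        ("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ]:
        print(name, "->", triage_attachment(name, head) or ["clean"])
```

The two checks are deliberately independent: the name check needs no file content and can run on a mail header, while the magic-byte check catches the opposite trick (a real PE renamed to a plain .pdf) that the name check cannot see.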

Comments