MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5f79bde8290898a804457c994f654e33758135263c724c6b1c6fa44959e06b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 8



SHA256 hash: e5f79bde8290898a804457c994f654e33758135263c724c6b1c6fa44959e06b4
SHA3-384 hash: 2a4d5537632203268764d2ebfc97add8dfda50d96c9644e8e5cc8dda4681784bb631db2e0db154c85196d8529801941b
SHA1 hash: 2b0b6da260c381e4ae15b7dd60511c98bdb7c80f
MD5 hash: d1c95c0acf80a1600a595da3194c0159
humanhash: fish-mobile-item-kentucky
File name: Attachment.exe
Signature: RemcosRAT
File size: 708'608 bytes
First seen: 2021-08-06 13:33:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a09d64195bff556eb90ba4781b170ac7 (4 x RemcosRAT, 2 x Formbook)
ssdeep: 12288:NlyPhGe3nf8jHmf/3AwhgFn33DdzQwcApa56Q0uGPxNfXA:NAPbaHLwh2nBZ6oukA
Threatray: 406 similar samples on MalwareBazaar
TLSH: T108E47C52F3904837D663BA7CCC0B97BCA9667E012E24B5452FF93D488F79781352A18E
dhash icon: 616110152b2b5130 (12 x RemcosRAT, 5 x Formbook, 4 x BitRAT)
Reporter: abuse_ch
Tags: exe RemcosRAT
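Before acting on any of the verdicts below, confirm that the file you hold is the one this record describes. The following is an added example, not MalwareBazaar's own code or API client: it recomputes the four standard-library hashes the entry lists, checks the MZ/PE layout that the application/x-dosexec MIME type implies, and builds (without sending) the form fields for the MalwareBazaar get_info query as documented by abuse.ch. imphash, ssdeep and TLSH are left out because they need the third-party pefile, ppdeep and py-tlsh packages.

```python
"""Triage helper: recompute a sample's hashes and compare them with a
MalwareBazaar record before trusting the record's verdict.
Added example; not part of the MalwareBazaar page or API client.
"""
import hashlib
import sys

# Values copied from the MalwareBazaar entry above.
RECORD = {
    "sha256": "e5f79bde8290898a804457c994f654e33758135263c724c6b1c6fa44959e06b4",
    "sha3_384": "2a4d5537632203268764d2ebfc97add8dfda50d96c9644e8e5cc8dda4681784b"
                "b631db2e0db154c85196d8529801941b",
    "sha1": "2b0b6da260c381e4ae15b7dd60511c98bdb7c80f",
    "md5": "d1c95c0acf80a1600a595da3194c0159",
    "size": 708608,
}

HASHES = ("sha256", "sha3_384", "sha1", "md5")


def compute_hashes(data: bytes) -> dict:
    """Same hash set MalwareBazaar lists, as lowercase hex, plus the size."""
    out = {name: hashlib.new(name, data).hexdigest() for name in HASHES}
    out["size"] = len(data)
    return out


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Streaming variant of compute_hashes for samples too large to slurp."""
    hs = {name: hashlib.new(name) for name in HASHES}
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            for h in hs.values():
                h.update(block)
    out = {name: h.hexdigest() for name, h in hs.items()}
    out["size"] = size
    return out


def is_pe(data: bytes) -> bool:
    """Cheap sanity check for the record's 'application/x-dosexec' type:
    an MZ header and a 'PE\\0\\0' signature at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def compare(got: dict, record: dict = RECORD) -> dict:
    """Field-by-field result. Any False means you are not holding the sample
    the record describes (truncated download, re-packed build, or a collision
    on the weak MD5/SHA1 fields), so stop and re-fetch rather than reason
    from this record's verdicts."""
    return {k: got.get(k) == record[k] for k in record}


def all_match(got: dict, record: dict = RECORD) -> bool:
    return all(compare(got, record).values())


def get_info_request(sha256: str) -> dict:
    """Form fields for the MalwareBazaar API 'get_info' query, which is POSTed
    to https://mb-api.abuse.ch/api/v1/ per abuse.ch's documentation (assumed
    current). Built but not sent, so the example runs offline."""
    h = sha256.lower()
    if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("expected a 64-character hex SHA256")
    return {"query": "get_info", "hash": h}


if __name__ == "__main__":
    # usage: python triage.py <path-to-sample>
    got = hash_file(sys.argv[1])
    for field, ok in compare(got).items():
        print(f"{field:9s} {'match' if ok else 'MISMATCH'}  {got[field]}")
    print("record matches:", all_match(got))
```

A mismatch on SHA256 alone is decisive; agreement on MD5 or SHA1 with a SHA256 mismatch should be treated as a deliberately crafted collision rather than a coincidence.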

Intelligence


File Origin
# of uploads: 1
# of downloads: 192
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Attachment.exe
Verdict: Malicious activity
Analysis date: 2021-08-06 13:39:56 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Writes to foreign memory regions
Behaviour
Behavior Graph
Behavior Graph ID: 460740
Sample: Attachment.exe
Start date: 06/08/2021
Architecture: WINDOWS
Score: 80
Sample-level signatures: Detected Remcos RAT; Machine Learning detection for sample; Uses dynamic DNS services

Process tree (node numbers are the graph's own):
Attachment.exe (8)
    DNS/IP: peoslg.dm.files.1drv.com; 2 other IPs or domains
    Dropped: C:\Users\Public\Libraries\...\Ogiyluh.exe (PE32)
    Signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    DpiScaling.exe (17)
        DNS/IP: theshooter09.duckdns.org, 5.181.234.138, port 3839 (local port 49727), M247GB Romania
        Signature: Delayed program exit found
    cmd.exe (21)
        reg.exe (29)
            conhost.exe (37)
        conhost.exe (31)
    cmd.exe (23)
        cmd.exe (33)
            conhost.exe (39)
        conhost.exe (35)
Ogiyluh.exe (13)
    DNS/IP: peoslg.dm.files.1drv.com; 2 other IPs or domains
    Signatures: Machine Learning detection for dropped file; Allocates memory in foreign processes
    mshta.exe (25)
Ogiyluh.exe (15)
    DNS/IP: 192.168.2.1 (unknown); peoslg.dm.files.1drv.com; 2 other IPs or domains
    secinit.exe (27)
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2021-08-06 13:33:22 UTC
AV detection: 11 of 28 (39.29%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:modiloader family:remcos botnet:remotehost persistence rat trojan
Behaviour
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
theshooter09.duckdns.org:3839
shooter99.duckdns.org:2404
theshooter09.duckdns.org:37729
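The behaviour lists, the behavior graph and the C2 extraction above give a SOC enough to write hunting rules for this sample's chain: Run-key persistence pointing under C:\Users\Public\Libraries\, remote threads into DpiScaling.exe, secinit.exe or mshta.exe from a user-writable path, lookups of the extracted DuckDNS names, and connections to 5.181.234.138 or to the extracted ports. The following is an added example, not code from MalwareBazaar or any sandbox vendor. The Sysmon-style event records are constructed for the example (field names loosely follow Sysmon event IDs 1, 3, 8, 13 and 22), and the subdirectory under C:\Users\Public\Libraries\ in the persistence event is invented, since the page elides that part of the dropped path.

```python
"""Hunting rules derived from this entry's behaviour and C2 data, run over
Sysmon-style events. Added example; indicators are copied from the entry,
the events at the bottom are constructed, not real telemetry.
"""
from collections import defaultdict

# Indicators copied from the C2 extraction and behavior graph above.
C2_HOSTS = {"theshooter09.duckdns.org", "shooter99.duckdns.org"}
C2_PORTS = {3839, 2404, 37729}
C2_IP = "5.181.234.138"
INJECT_TARGETS = {"dpiscaling.exe", "secinit.exe", "mshta.exe"}
DROP_DIR = "c:\\users\\public\\libraries\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
SYSTEM_DIR = "c:\\windows\\"


def low(s):
    """Case-fold a possibly missing field; Windows paths and names are case-insensitive."""
    return (s or "").lower()


def rule_dns(e):
    """Sysmon 22: the extracted C2 names are high, any other DuckDNS name medium."""
    if e["id"] != 22:
        return None
    q = low(e.get("query"))
    if q in C2_HOSTS:
        return ("DNS lookup of known Remcos C2 domain", "high")
    if q.endswith(".duckdns.org"):
        return ("dynamic DNS (duckdns.org) lookup", "medium")
    return None


def rule_net(e):
    """Sysmon 3: the extracted IP or names, or an extracted port on a DuckDNS host."""
    if e["id"] != 3:
        return None
    if e.get("dst_ip") == C2_IP or low(e.get("dst_host")) in C2_HOSTS:
        return ("connection to known Remcos C2", "high")
    if e.get("dst_port") in C2_PORTS and low(e.get("dst_host")).endswith(".duckdns.org"):
        return ("DuckDNS host on a Remcos C2 port", "medium")
    return None


def rule_runkey(e):
    """Sysmon 13: a Run value whose data points under Public\\Libraries."""
    if e["id"] != 13:
        return None
    if RUN_KEY in low(e.get("target")) and low(e.get("details")).startswith(DROP_DIR):
        return ("Run-key persistence from Public\\Libraries", "high")
    return None


def rule_inject(e):
    """Sysmon 8: CreateRemoteThread into one of the observed hosts from outside C:\\Windows."""
    if e["id"] != 8:
        return None
    target = low(e.get("target_image")).rsplit("\\", 1)[-1]
    if target in INJECT_TARGETS and not low(e.get("source_image")).startswith(SYSTEM_DIR):
        return (f"remote thread into {target} from a non-system image", "high")
    return None


RULES = (rule_dns, rule_net, rule_runkey, rule_inject)


def scan(events):
    """One hit per (event, rule) match: (host, rule text, severity, event index)."""
    hits = []
    for i, e in enumerate(events):
        for rule in RULES:
            r = rule(e)
            if r:
                hits.append((e["host"], r[0], r[1], i))
    return hits


def verdict(events):
    """Per host: 'remcos-chain' when a high-severity hit is joined by at least one
    other distinct rule, 'suspicious' for anything else that fired. Hosts with
    no hits are omitted."""
    by_host = defaultdict(list)
    for host, rule, sev, _ in scan(events):
        by_host[host].append((rule, sev))
    out = {}
    for host, hs in by_host.items():
        high = any(sev == "high" for _, sev in hs)
        out[host] = "remcos-chain" if high and len({r for r, _ in hs}) >= 2 else "suspicious"
    return out


# Constructed events shaped after the sandbox behaviour above (not real telemetry).
# The "Example" subdirectory is invented; the page only shows Libraries\...\Ogiyluh.exe.
EVENTS = [
    {"host": "ws01", "id": 22, "image": "C:\\Users\\bob\\Downloads\\Attachment.exe",
     "query": "peoslg.dm.files.1drv.com"},
    {"host": "ws01", "id": 13, "image": "C:\\Windows\\System32\\reg.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Ogiyluh",
     "details": "C:\\Users\\Public\\Libraries\\Example\\Ogiyluh.exe"},
    {"host": "ws01", "id": 8, "source_image": "C:\\Users\\bob\\Downloads\\Attachment.exe",
     "target_image": "C:\\Windows\\System32\\DpiScaling.exe"},
    {"host": "ws01", "id": 22, "image": "C:\\Windows\\System32\\DpiScaling.exe",
     "query": "theshooter09.duckdns.org"},
    {"host": "ws01", "id": 3, "image": "C:\\Windows\\System32\\DpiScaling.exe",
     "dst_host": "theshooter09.duckdns.org", "dst_ip": "5.181.234.138", "dst_port": 3839},
    {"host": "ws02", "id": 22, "image": "C:\\Program Files\\Vendor\\tool.exe",
     "query": "mybox.duckdns.org"},
    {"host": "ws03", "id": 3, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dst_host": "www.example.com", "dst_ip": "93.184.216.34", "dst_port": 443},
]

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
    print(verdict(EVENTS))
```

The DuckDNS-only rules are deliberately medium: dynamic DNS has legitimate users, so a lone lookup is a lead, while the extracted names, IP and ports are the actual IOCs and should also age out as the operator rotates infrastructure.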
Unpacked files
SHA256 hash: 795b2b5d6668147d7924ac96f90741ddc2a2b5003f455fb842b613a286fbf8fc
MD5 hash: 53011b69a7231aea23d66805a681144b
SHA1 hash: e3d0d157e763c865e79ccc5bedc2fd5fd90413f7
SHA256 hash: e5f79bde8290898a804457c994f654e33758135263c724c6b1c6fa44959e06b4
MD5 hash: d1c95c0acf80a1600a595da3194c0159
SHA1 hash: 2b0b6da260c381e4ae15b7dd60511c98bdb7c80f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments