MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7510144ab7ab12ed58b249055cf818ae37c82f46d503086cd9933d456b58cb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9



SHA256 hash: e7510144ab7ab12ed58b249055cf818ae37c82f46d503086cd9933d456b58cb1
SHA3-384 hash: 261a4c87a143350e1edd4db329edeb37d44cddcb62d902428b6f9fe0a0f4c9d32db3758e40ffbfe1e74441b28dc2a239
SHA1 hash: 8c7e1efc34f92b57489b12723aa34727ea39b63e
MD5 hash: 30231f467095bc65028608424cfe45d4
humanhash: rugby-lithium-illinois-july
File name: DHL_5544312.exe
Download: download sample
Signature: RemcosRAT
File size: 747'520 bytes
First seen: 2021-05-21 15:54:23 UTC
Last seen: 2021-05-21 16:03:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ee65274bc19b4d848f45a22b7523accb (3 x RemcosRAT, 1 x BitRAT, 1 x NetWire)
ssdeep: 12288:r+9Eot2ZQwPHyDc2sATUbJh0vgpz4KKoz5BW6Q4Ns:r+2oCPHyQ0TCyvCzXWKs
Threatray: 222 similar samples on MalwareBazaar
TLSH: FAF4AF33B2A24477C16B1979DC175718A836FD302E4439E23AF97E945E3E6C1392E2D2
Reporter: abuse_ch
Tags: DHL exe RemcosRAT

Intelligence


File Origin
# of uploads: 2
# of downloads: 120
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: DHL_5544312.exe
Verdict: Malicious activity
Analysis date: 2021-05-21 16:03:24 UTC
Tags: installer rat remcos keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2021-05-21 15:55:12 UTC
AV detection: 8 of 46 (17.39%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos persistence rat
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
rem.nerdpol.ovh:2288
rem1.nerdpol.ovh:2288
rem2.nerdpol.ovh:2288
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-21 16:14:09 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [F0002.002] Collection::Polling
4) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0051] File System Micro-objective::Read File
7) [C0052] File System Micro-objective::Writes File
8) [C0007] Memory Micro-objective::Allocate Memory
9) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
10) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
11) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
12) [C0038] Process Micro-objective::Create Thread
13) [C0041] Process Micro-objective::Set Thread Local Storage Value
14) [C0018] Process Micro-objective::Terminate Process