MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e98459447d40bb2a0917db99a3b9a99f22ee66234bfece9bba40f4fea3851201. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 8



SHA256 hash: e98459447d40bb2a0917db99a3b9a99f22ee66234bfece9bba40f4fea3851201
SHA3-384 hash: 0cccfbf9ee90d797578b82e1effe1744e7cefd40fb2cf6a5b3ab91dbf62294a263d8b5e83fa3dd126ac5b35f436385b9
SHA1 hash: 7e8fe85d19821bcfebae3cd3a083481b1fdd687c
MD5 hash: dff186097bdb9bbd26ba111344e08f89
humanhash: tennis-kentucky-jersey-sierra
File name: P1001094.EXE
Signature: RemcosRAT
File size: 1'214'144 bytes
First seen: 2020-11-28 09:26:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 23de31c260a4b45c8d1ef99329fb5969 (2 x RemcosRAT, 1 x ModiLoader, 1 x AveMariaRAT)
ssdeep: 24576:DLHLdu/OaH5JS1H6OkN5HYybBl8gKmX9hIbEIKF:DLrd08kN5HYY0gKAh
Threatray: 1'491 similar samples on MalwareBazaar
TLSH: 8B45CF23B1B28436C12275BD9E1B41ED6EB5FD717878750E37E0A90CCF3AA9179250A3
Reporter: abuse_ch
Tags: exe RemcosRAT


abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.deinflae.com
Sending IP: 45.85.90.138
From: overseassales@hotmail.com.cn
Subject: P100109049 new order of MNRR270 16800pcs
Attachment: P100109441 soundbars TH-S320B 1200qty, TH-S430B 1134qty, TH-S560B 1000qty - vendor confirm draft Nov (contains "P1001094.EXE")

Intelligence


File Origin
# of uploads: 1
# of downloads: 189
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 72 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Threat name: Win32.Backdoor.NetWiredRc
Status: Malicious
First seen: 2020-11-26 22:21:31 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:modiloader family:remcos persistence rat trojan
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Adds Run key to start application
ServiceHost packer
ModiLoader, DBatLoader
Remcos
Unpacked files
SHA256 hash: e98459447d40bb2a0917db99a3b9a99f22ee66234bfece9bba40f4fea3851201
MD5 hash: dff186097bdb9bbd26ba111344e08f89
SHA1 hash: 7e8fe85d19821bcfebae3cd3a083481b1fdd687c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
Executable exe e98459447d40bb2a0917db99a3b9a99f22ee66234bfece9bba40f4fea3851201 (this sample)
Delivery method: Distributed via e-mail attachment

Comments