MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebe0b8890392475537625aeefaec22b5f0115011e135117d7afd9325eb47fad8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebe0b8890392475537625aeefaec22b5f0115011e135117d7afd9325eb47fad8
SHA3-384 hash: 66634553a313a375845dea4a92aaea6cc7a2ec3aa2dc807ef0cb60507bb568e7161a307dd94410bf70240389b8e9ed68
SHA1 hash: f6d3580857825b3bd0f7155998647f4ba36fdd6e
MD5 hash: ae30602300981c0dfe3dc1c0312b565f
humanhash: river-hydrogen-blue-salami
File name:Dfdvfczl_Signed_.scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:756'216 bytes
First seen:2021-06-28 10:18:25 UTC
Last seen:2021-06-28 10:40:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 297e933499a18450c85ffd54c53cbda8 (1 x RemcosRAT, 1 x Formbook, 1 x DBatLoader)
ssdeep 12288:4m4Hco5sy2ziQSM9CUl4kR5UM+iQDMYAdQUivvvvvvvvvvvvvvvvvvvvvvvvvvvu:4jcPTS4CV6VQ/uQHvvvvvvvvvvvvvvvu
Threatray 364 similar samples on MalwareBazaar
TLSH 24F47D22B2E508B3C163697ADD5F92685C2BFF441E3828D36BE00D84DB69F913D251E7
Reporter stoerchl
Tags:exe RemcosRAT scr signed

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dfdvfczl_Signed_.scr
Verdict:
Malicious activity
Analysis date:
2021-06-28 10:21:52 UTC
Tags:
rat remcos trojan
Link:
https://app.any.run/tasks/6e1c753f-d9fe-496a-9558-aaab4c2725bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168549/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/231dd3a1-e6b9-49be-a25c-a9cb79035374
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808747
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates multiple autostart registry keys
Delayed program exit found
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 441158 Sample: Dfdvfczl_Signed_.scr Startdate: 28/06/2021 Architecture: WINDOWS Score: 100 80 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 7 other signatures 2->86 10 Dfdvfczl_Signed_.exe 1 24 2->10         started        15 Dfdvfcp.exe 14 2->15         started        17 remcos.exe 15 2->17         started        19 2 other processes 2->19 process3 dnsIp4 72 cdn.discordapp.com 162.159.134.233, 443, 49741, 49742 CLOUDFLARENETUS United States 10->72 68 C:\Users\Public\Libraries\...\Dfdvfcp.exe, PE32 10->68 dropped 98 Detected unpacking (changes PE section rights) 10->98 100 Detected unpacking (overwrites its own PE header) 10->100 102 Creates multiple autostart registry keys 10->102 110 5 other signatures 10->110 21 Dfdvfczl_Signed_.exe 4 5 10->21         started        25 cmd.exe 1 10->25         started        27 cmd.exe 1 10->27         started        74 162.159.133.233, 443, 49761, 49762 CLOUDFLARENETUS United States 15->74 104 Multi AV Scanner detection for dropped file 15->104 106 Machine Learning detection for dropped file 15->106 108 Injects a PE file into a foreign processes 15->108 29 Dfdvfcp.exe 15->29         started        76 192.168.2.1 unknown unknown 17->76 31 remcos.exe 17->31         started        33 Dfdvfcp.exe 19->33         started        35 remcos.exe 19->35         started        file5 signatures6 process7 file8 62 C:\Users\user\AppData\Roaming\...\remcos.exe, PE32 21->62 dropped 64 C:\Users\user\...\remcos.exe:Zone.Identifier, ASCII 21->64 dropped 66 C:\Users\user\AppData\Local\...\install.vbs, data 21->66 dropped 88 Creates multiple autostart registry keys 21->88 37 wscript.exe 1 21->37         started        39 reg.exe 1 25->39         started        41 conhost.exe 25->41         started        43 cmd.exe 1 27->43         started        45 conhost.exe 27->45         started        signatures9 process10 process11 47 cmd.exe 1 37->47         started        49 conhost.exe 39->49         started        51 conhost.exe 43->51         started        process12 53 remcos.exe 13 47->53         started        57 conhost.exe 47->57         started        dnsIp13 70 cdn.discordapp.com 53->70 90 Multi AV Scanner detection for dropped file 53->90 92 Detected unpacking (changes PE section rights) 53->92 94 Detected unpacking (overwrites its own PE header) 53->94 96 2 other signatures 53->96 59 remcos.exe 53->59         started        signatures14 process15 dnsIp16 78 147.124.221.3, 2404, 49763 AC-AS-1US United States 59->78
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebe0b8890392475537625aeefaec22b5f0115011e135117d7afd9325eb47fad8/
Threat name:
Win32.Trojan.Jacard
Create hunting rule
Status:
Malicious
First seen:
2021-06-28 01:00:29 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5pqlrcidsjdvkn3cllxpv3bcwxybcuar4e2rc7l27wjsl22h7lma._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1e5a328f760c35f905390fb4bcf0eefa75936c79a43e22ca7557da0e315c72ed
RemcosRAT
210d63272f04545a7b964c5712b0157a9e9801500e063a15ecee4b2de2c87254
RemcosRAT
2e928af33de11fedaf5d0c388e96ac67509b64bd445a3f4a576f46ec2a0d5374
RemcosRAT
736c1c3ed4301b2f069ba84d5bcdf3919e88d5412fa13080d2eed53fe98c0ac4
RemcosRAT
8ddbf9769d71a2b946894307864aa35aee8afb86a469a6c032b7eaa1225bc720
RemcosRAT
926da3334135961ff0c19ecf4358201ba4734ab01186061c423deeb081ec1cff
RemcosRAT
9f2fc689de26cd7461adc91dad9e369d3250df1819466f565ff0623e3c874755
RemcosRAT
b6e24ae319f72f87dbf9d5e6fc2394737b938f7eb391a39c5043114458f31733
RemcosRAT
d00cdc47ecf61320c65927dd2cd3ec52e5d1496264ba527b019eebca8d9b3410
RemcosRAT
e5065ecce465f659ef4f82667fc0c3bccb3e596497d884cc95b61008ec1a707b
RemcosRAT
+ 354 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/210628-ncvephrk4s/
Behaviour
Modifies registry class
Modifies registry key
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
147.124.221.3:2404
Unpacked files
SH256 hash:
fc2e68d5cf20e3f0bd18bb95bfac6e5e9e2f776c422394b743f2fc0be818c120
MD5 hash:
ee143f66c22c13a2bd87fc8490cc3de5
SHA1 hash:
743457daeb10809e06d7cf11e2d2dc48512c395f
Link:
https://www.unpac.me/results/fa7a96e7-aee1-44dd-8534-725a5434de4b/
SH256 hash:
ebe0b8890392475537625aeefaec22b5f0115011e135117d7afd9325eb47fad8
MD5 hash:
ae30602300981c0dfe3dc1c0312b565f
SHA1 hash:
f6d3580857825b3bd0f7155998647f4ba36fdd6e
Link:
https://www.unpac.me/results/fa7a96e7-aee1-44dd-8534-725a5434de4b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/ebe0b8890392475537625aeefaec22b5f0115011e135117d7afd9325eb47fad8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe ebe0b8890392475537625aeefaec22b5f0115011e135117d7afd9325eb47fad8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1406915/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168549/

Comments