MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f096e7be6faad03bb6da7e29e30ca53031fad96265d6bfbf131a042a9d1d5b3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f096e7be6faad03bb6da7e29e30ca53031fad96265d6bfbf131a042a9d1d5b3a
SHA3-384 hash: 9c5fb9135dcc4a5708caece28067cada753834be94e9715ba1a6e465779992288a81cd958ab80ddfae7fc9a2af5644c1
SHA1 hash: cee7d5a157aa7f0e2455da24781f4899d21855d9
MD5 hash: 322ffdcfca625e71db0e0b43908fd3ec
humanhash: bakerloo-failed-seventeen-single
File name:DHL_119040 dokument paragonu,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:830'976 bytes
First seen:2021-10-06 09:08:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 384487a869f88e6d61619b7a3f81e432 (1 x RemcosRAT, 1 x DBatLoader)
ssdeep 12288:LJNzf5G/0os4Hn6hgF8VCJ3fj9FPin4uq8Sk:vhfos4Hn8dVU3fxFPin4t8Sk
Threatray 734 similar samples on MalwareBazaar
TLSH T18F054B3775F48A33D2E22ABEBC1D66E899367D207D1852C711DCB51D2C396F32A22583
File icon (PE):PE icon
dhash icon 616110152b2b5130 (12 x RemcosRAT, 5 x Formbook, 4 x BitRAT)
Reporter abuse_ch
Tags:DHL exe geo POL RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_119040 dokument paragonu,pdf.exe
Verdict:
No threats detected
Analysis date:
2021-10-06 09:47:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/949f7d72-44ef-42ae-8abd-ea4eca9cd43f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195386/
Detection(s):
Win.Trojan.Remcos-9897068-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive greyware keylogger packed
Link:
https://www.filescan.io/uploads/615d67b298a6280f3932d084/reports/9481205e-9992-464b-9de5-f0dcd6784d44/overview
Malware family:
Remcos RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e61f5a6a-ffb1-40f8-9ae1-cab69209199b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865456
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 497884 Sample: DHL_119040 dokument paragon... Startdate: 06/10/2021 Architecture: WINDOWS Score: 100 44 blessmelord.hopto.org 2->44 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Antivirus / Scanner detection for submitted sample 2->76 78 4 other signatures 2->78 9 Ygdqxrx.exe 14 2->9         started        13 DHL_119040 dokument paragonu,pdf.exe 1 23 2->13         started        16 Ygdqxrx.exe 17 2->16         started        signatures3 process4 dnsIp5 50 onedrive.live.com 9->50 60 2 other IPs or domains 9->60 80 Antivirus detection for dropped file 9->80 82 Multi AV Scanner detection for dropped file 9->82 84 Writes to foreign memory regions 9->84 18 DpiScaling.exe 9->18         started        52 onedrive.live.com 13->52 54 db-files.fe.1drv.com 13->54 56 coy0sg.db.files.1drv.com 13->56 42 C:\Users\Public\Libraries\...\Ygdqxrx.exe, PE32 13->42 dropped 86 Creates a thread in another existing process (thread injection) 13->86 88 Injects a PE file into a foreign processes 13->88 21 secinit.exe 2 13->21         started        24 cmd.exe 1 13->24         started        26 cmd.exe 1 13->26         started        58 onedrive.live.com 16->58 62 2 other IPs or domains 16->62 28 DpiScaling.exe 16->28         started        file6 signatures7 process8 dnsIp9 64 Contains functionality to steal Chrome passwords or cookies 18->64 46 blessmelord.hopto.org 194.147.140.22, 3783, 49759, 49760 PTPEU unknown 21->46 48 192.168.2.1 unknown unknown 21->48 66 Contains functionality to inject code into remote processes 21->66 68 Contains functionality to steal Firefox passwords or cookies 21->68 70 Delayed program exit found 21->70 30 reg.exe 1 24->30         started        32 conhost.exe 24->32         started        34 cmd.exe 1 26->34         started        36 conhost.exe 26->36         started        signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f096e7be6faad03bb6da7e29e30ca53031fad96265d6bfbf131a042a9d1d5b3a/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 08:00:51 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6clopptpvlidxnw2pyu6gdffgay7vwlcmxll7pytdiccvhi5lm5a._file
Verdict:
malicious
Similar samples:
09a365ac0a698062b59ea6b45f9d4b5d32ba3f70b9a93df77521c29603e14047
RemcosRAT
1f472784494710200607f381849c6e3ea4f09f2ded2e84a1734ab5fdbd25d1de
RemcosRAT
3ab89e55bbd69e15b4115d8cc2881040f24db3b7ba4ea63dc08ba72e2799e9d3
RemcosRAT
42d7b502dea09c3cdb997873cee2edcfd5ff84059735faf712111ea5542a065e
RemcosRAT
45cbfcaef7666a834e2d71b743847e5c3eb024d3abe6d897fc81de60903de41c
RemcosRAT
ad9f923641c74fc714114423f52d1ef7d1de87e5c40c46377f2718532c0848ae
RemcosRAT
c84c8a5d9ea1dbf1b5af8d75cd100faadc54a5a83ab952e1ba03068d9287b32c
RemcosRAT
cea073b0df1f1c1d964c4acb6755b6002976c05a4e9a059ca7f0d26da84ecb35
RemcosRAT
fba31a212526660d90a18e87db2427d72a328a87b35b5783567af5917423ed60
RemcosRAT
ff5447b359711095f909692d48cc1b597ac4e5b7c976a8a91f2b6c2c8a7e54ae
RemcosRAT
+ 724 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/211006-k4gassahc5/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Unpacked files
SH256 hash:
f096e7be6faad03bb6da7e29e30ca53031fad96265d6bfbf131a042a9d1d5b3a
MD5 hash:
322ffdcfca625e71db0e0b43908fd3ec
SHA1 hash:
cee7d5a157aa7f0e2455da24781f4899d21855d9
Link:
https://www.unpac.me/results/4fa737ee-8465-4856-8dc5-94b4c5535c3a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f096e7be6faa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f096e7be6faad03bb6da7e29e30ca53031fad96265d6bfbf131a042a9d1d5b3a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe f096e7be6faad03bb6da7e29e30ca53031fad96265d6bfbf131a042a9d1d5b3a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/195386/

Comments