MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2c6471b1b9d652ab1d224110745db1cbc81bafb419a4faa1e57a256464d37f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2c6471b1b9d652ab1d224110745db1cbc81bafb419a4faa1e57a256464d37f5
SHA3-384 hash: 8d92e5eca85bd5fff4f3c67799b4ead8f3afe246e85e3e8da1ea4cac3d832fcd028051fb5a7fd556314e0725df618e31
SHA1 hash: 872b330ad3b06da79f5e832be1dfc700282d1881
MD5 hash: 11fe503e2e791a53e1d9fbe5149f3e18
humanhash: october-stairway-fanta-lactose
File name:Docs-04781-order.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:711'168 bytes
First seen:2021-07-24 06:57:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 58af898a8945f807ca70ebf9933b9268 (4 x RemcosRAT, 1 x BitRAT)
ssdeep 12288:RcOqhpe5sWWUgjIkdcCMTOArWe/C36lAnm4vNOpRKa:R7q+sWiItCoCdv
Threatray 265 similar samples on MalwareBazaar
TLSH T167E46C56E012C8F7C922667D0D1BAA5894A6FE2079302C5116F2F87CFEFF580BC1EA55
dhash icon 72c28292b2a888e0 (7 x RemcosRAT, 1 x BitRAT, 1 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Docs-04781-order.exe
Verdict:
Malicious activity
Analysis date:
2021-07-24 07:05:00 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/46cf5778-e179-41d8-a10d-7f529eca64ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173841/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.19331.4272.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd6a1472-5481-4eda-8fcf-689bca57d1b9
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821166
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 453575 Sample: Docs-04781-order.exe Startdate: 24/07/2021 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 5 other signatures 2->65 8 Docs-04781-order.exe 1 24 2->8         started        13 Jlkwhou.exe 16 2->13         started        15 Jlkwhou.exe 16 2->15         started        process3 dnsIp4 45 ru7apg.dm.files.1drv.com 8->45 53 2 other IPs or domains 8->53 41 C:\Users\Public\Libraries\...\Jlkwhou.exe, PE32 8->41 dropped 75 Writes to foreign memory regions 8->75 77 Creates a thread in another existing process (thread injection) 8->77 79 Injects a PE file into a foreign processes 8->79 17 dialer.exe 2 3 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        47 192.168.2.1 unknown unknown 13->47 49 ru7apg.dm.files.1drv.com 13->49 55 2 other IPs or domains 13->55 81 Multi AV Scanner detection for dropped file 13->81 83 Machine Learning detection for dropped file 13->83 25 ieinstal.exe 13->25         started        51 ru7apg.dm.files.1drv.com 15->51 57 2 other IPs or domains 15->57 27 DpiScaling.exe 15->27         started        file5 signatures6 process7 dnsIp8 43 style.ptbagasps.co.id 185.62.86.145, 42024 THINKSYSTEMSUK-ASNGB United Kingdom 17->43 67 Contains functionalty to change the wallpaper 17->67 69 Contains functionality to steal Chrome passwords or cookies 17->69 71 Contains functionality to inject code into remote processes 17->71 73 2 other signatures 17->73 29 reg.exe 1 21->29         started        31 conhost.exe 21->31         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f2c6471b1b9d652ab1d224110745db1cbc81bafb419a4faa1e57a256464d37f5/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-07-23 07:53:59 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0954364fc93fcfcc1ec2518eb732d150544c05ec5960667da080da7a08f9dc2f
RemcosRAT
1c036008043bc63c7fb8377d10a14b60793a9f2bfa96aca7a9f462eb6e3c23fe
RemcosRAT
38bd80f1a17882d299bdac7df085d889ef677951b8954d847e42503d38b77141
RemcosRAT
5dd2f8347b2c2a334231ec2167d38514868ebbeede5311ace774c9a4b5375fff
RemcosRAT
8767a5b4518a08d3ca336a881a40e28806afcb6074074356665706fcb4e3ccd0
RemcosRAT
88f79e83c95b1e666a1bcb387919b2dba6ebb0cdc6db14c7f6d1229728e40a6c
RemcosRAT
a846b19ee029394012dc19a190096807497edb4ea4096c30550dbc3cbaa5435f
RemcosRAT
d8d1848fcde25e0975a524cb62ef2d622997caacbee10038cb4b49b23b76d484
RemcosRAT
e7aa9ed4edc37d0b7515085211d1107ff1a54f2ca2651bd6698ae345663b93c6
RemcosRAT
+ 255 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/210724-625bzx5edn/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
style.ptbagasps.co.id:42024
Unpacked files
SH256 hash:
d174ea83359cec0b0a35da88fa2a1791a1308e35a5e36e83f51a2723e48582a6
MD5 hash:
5c63077607b089e7045eb5e93d8324d9
SHA1 hash:
9ca12c4d6e4a97269d26fe6755aae441276bff42
Link:
https://www.unpac.me/results/6af6c2a3-7749-4575-b775-9cba34022610/
SH256 hash:
f2c6471b1b9d652ab1d224110745db1cbc81bafb419a4faa1e57a256464d37f5
MD5 hash:
11fe503e2e791a53e1d9fbe5149f3e18
SHA1 hash:
872b330ad3b06da79f5e832be1dfc700282d1881
Link:
https://www.unpac.me/results/6af6c2a3-7749-4575-b775-9cba34022610/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2c6471b1b9d652ab1d224110745db1cbc81bafb419a4faa1e57a256464d37f5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173841/

Comments