MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2d4e21c9c01ada5d8aeaf91a05f344ba07965268c9ae9febf552d6234bcc09a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2d4e21c9c01ada5d8aeaf91a05f344ba07965268c9ae9febf552d6234bcc09a
SHA3-384 hash: e138205e448070e0cceb1afe8f523aa338e402b41981c01026c83c5bae79d0bba4ccc46cd67f321559a7b9f21b5e760b
SHA1 hash: bdbc76cb361d1baa215ada79e7e5a25197f2de9f
MD5 hash: ad3288ac78baa0d22ac5e2a545be3781
humanhash: fourteen-six-nine-lemon
File name:Document.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:870'912 bytes
First seen:2021-09-17 19:36:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 96d68413d52ee291c9b444b7006f0bce (4 x RemcosRAT, 1 x BitRAT)
ssdeep 12288:mmnGyuE9fz9VBCY4Alz2MjbjBQHhazE2sdvnk6LHC7WWnMvwfHVBPggseBnDz5ZE:mmnZbz9e0z12HtBngseBDz5ZE
Threatray 736 similar samples on MalwareBazaar
TLSH T113057B81A1C288F2F83620389DE7BA4A511F3DF739555D8A3DB43C84967C292B53D64F
dhash icon 8ccc0c37e3969a68 (8 x RemcosRAT, 2 x NetWire, 1 x BitRAT)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Document.exe
Verdict:
Malicious activity
Analysis date:
2021-09-17 19:38:16 UTC
Tags:
installer
Link:
https://app.any.run/tasks/cf06995f-1a64-4ba4-8498-692cdb8f44ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188839/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

SecuriteInfo.com.UDS.Backdoor.Win32.Remcos.gen.30130.2328.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/688ad482-a223-4263-a4ef-9ed5a87bd4f0
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852998
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 485425 Sample: Document.exe Startdate: 17/09/2021 Architecture: WINDOWS Score: 100 32 remcosw44.freeddns.org 2->32 34 remcosw33.kozow.com 2->34 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 4 other signatures 2->54 7 Document.exe 1 17 2->7         started        12 Cpdtoxx.exe 13 2->12         started        14 Cpdtoxx.exe 14 2->14         started        signatures3 process4 dnsIp5 36 remcosw22.giize.com 7->36 38 cdn.discordapp.com 162.159.135.233, 443, 49736, 49737 CLOUDFLARENETUS United States 7->38 24 C:\Users\Public\Libraries\...\Cpdtoxx.exe, PE32 7->24 dropped 56 Writes to foreign memory regions 7->56 58 Creates a thread in another existing process (thread injection) 7->58 60 Injects a PE file into a foreign processes 7->60 16 mshta.exe 2 3 7->16         started        62 Machine Learning detection for dropped file 12->62 20 mshta.exe 12->20         started        22 secinit.exe 14->22         started        file6 signatures7 process8 dnsIp9 26 remcosw44.freeddns.org 5.181.234.154, 2404, 49744, 49745 M247GB Romania 16->26 28 remcosw77.freeddns.org 16->28 30 6 other IPs or domains 16->30 40 Contains functionality to steal Chrome passwords or cookies 16->40 42 Contains functionality to inject code into remote processes 16->42 44 Contains functionality to steal Firefox passwords or cookies 16->44 46 Delayed program exit found 16->46 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2d4e21c9c01ada5d8aeaf91a05f344ba07965268c9ae9febf552d6234bcc09a/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-17 19:37:04 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6lkoehe4agw2lwfov6i2axzujoqhszjgrsnot7v7kuwwenf4ycna._file
Verdict:
malicious
Similar samples:
0840ac6a8ee445eed007f29220dad3dd03e59cf161524623c831596673c7e8d0
RemcosRAT
174d091dcf5a5b2c4af35b5df2e4094ddf31bc589208f7b79ff5fc0db2dde514
RemcosRAT
1d4f1e01cbbd896a55a83dd107e381fe0a572bd2c9327cbb82a9510eb4832e99
RemcosRAT
1f715d5b757b50e756c70424d15902f064ad12df112413e518b78c22a7372e9a
RemcosRAT
2cc63ed4b98c0457f975339ddb58fc82f9dac01a15fd096804ee3ce16c968dcc
RemcosRAT
4b989ceef83817dd4a14c9322a2b127a14f98d85dafb99625fe3483cd58dc6dc
RemcosRAT
6b637314dc7b63dfce69d3efe9b792d8fb2fbb0d9f19ea70aa0ff83ae8dbd495
RemcosRAT
8f4dcda8ef498f0d5f7dbbf978a3e9588bef94f5ee91a3659349d60b1f2447ec
RemcosRAT
a737c6bf1fe3e63d6d187d114d887c6c1e722579fc9caab72ce4451564e165f6
RemcosRAT
d79ba47a55b5dcb4cf6e76ac13bd3179e1523d5904483232d9ce9d39915dbc69
RemcosRAT
+ 726 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/210917-ybsp1sgdc9/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
remcosw11.mywire.org:2404
remcosw22.giize.com:2404
remcosw33.kozow.com:2404
remcosw44.freeddns.org:2404
remcosw55.freeddns.org:2404
remcosw66.freeddns.org:2404
remcosw77.freeddns.org:2404
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/e94ed85b-e593-4262-9e87-e46364de0794/
SH256 hash:
f2d4e21c9c01ada5d8aeaf91a05f344ba07965268c9ae9febf552d6234bcc09a
MD5 hash:
ad3288ac78baa0d22ac5e2a545be3781
SHA1 hash:
bdbc76cb361d1baa215ada79e7e5a25197f2de9f
Link:
https://www.unpac.me/results/e94ed85b-e593-4262-9e87-e46364de0794/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/f2d4e21c9c01ada5d8aeaf91a05f344ba07965268c9ae9febf552d6234bcc09a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe f2d4e21c9c01ada5d8aeaf91a05f344ba07965268c9ae9febf552d6234bcc09a

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/188839/

Comments