MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa3e1ea5a814915ffc65b8a94180aedccf3140f515f05737f3017d6ab6f10b89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 10



SHA256 hash: fa3e1ea5a814915ffc65b8a94180aedccf3140f515f05737f3017d6ab6f10b89
SHA3-384 hash: 017ccb7e2a09f7d6bcf32fae4ab186ec702ac70bf357bb15688d526ebb7b8913fbf91489bf23d4b0aa56aa1c508cbfc8
SHA1 hash: a5e54274113d2c2b1040366ebe5ae2e59abdf573
MD5 hash: cd6487ba57f9ae3d2a23ec2e41f7a2e0
humanhash: august-eight-solar-cardinal
File name: Yeni siparişi onaylayın - TK176H,pdf.exe
Signature: RemcosRAT
File size: 818'688 bytes
First seen: 2022-06-24 08:41:15 UTC
Last seen: 2022-06-24 09:57:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a904634b84d02f614b2f151a40be792b (6 x RemcosRAT, 2 x AveMariaRAT, 1 x ModiLoader)
ssdeep: 12288:wwTdxwdGmxLdhcpJG1H3qrL9P/oOzjA3VcvtScSwuQ:wwTnmopJGkrBoP3Wt/y
Threatray: 3'181 similar samples on MalwareBazaar
TLSH: T191059E23A2C24477C0F72939DD9B62A49827BE00296DA9876BF42C4D7F39741393D397
TrID: 61.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
      24.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
      10.7% (.OCX) Windows ActiveX control (116521/4/18)
      1.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      1.2% (.SCR) Windows screen saver (13101/52/3)
dhash icon: 74f08889868e88b4 (13 x RemcosRAT, 4 x AveMariaRAT, 2 x ModiLoader)
Reporter: abuse_ch
Tags: exe geo RemcosRAT TUR

Intelligence

File Origin
# of uploads: 2
# of downloads: 191
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
Searching for synchronization primitives

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: keylogger

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph ID: 651684
Sample: Yeni siparişi onaylayın - TK176H,pdf.exe
Start date: 24/06/2022
Architecture: WINDOWS
Score: 100

Root (node 2)
  DNS/IP: blessmyhustlelord.ddns.net
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Detected Remcos RAT; 4 other signatures
  Starts: Yeni siparişi onaylayın - TK176H,pdf.exe (node 7); Jrthzkvzlt.exe (node 12); Jrthzkvzlt.exe (node 14)

Yeni siparişi onaylayın - TK176H,pdf.exe (node 7)
  DNS/IP: cdn.discordapp.com 162.159.130.233, 443, 49759, 49761, CLOUDFLARENETUS, United States
  Dropped: C:\Users\Public\Libraries\Jrthzkvzlt.exe (PE32); C:\Users\...\Jrthzkvzlt.exe:Zone.Identifier (ASCII)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  Starts: logagent.exe (node 16)

Jrthzkvzlt.exe (node 12)
  DNS/IP: 162.159.134.233, 443, 49866, CLOUDFLARENETUS, United States
  Signatures: Injects a PE file into a foreign processes
  Starts: logagent.exe (node 20)

Jrthzkvzlt.exe (node 14)
  Signatures: Multi AV Scanner detection for dropped file

logagent.exe (node 16)
  DNS/IP: blessmyhustlelord.ddns.net 37.0.14.195, 49774, 49778, 49791, WKD-ASIE, Netherlands; 192.168.2.1 unknown unknown
  Signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to capture and log keystrokes; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2022-06-24 05:14:35 UTC
File Type: PE (Exe)
Extracted files: 64
AV detection: 18 of 26 (69.23%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: 0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash: d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash: 3dc32f98eb13d725511b64924730132883ad3591

SHA256 hash: fa3e1ea5a814915ffc65b8a94180aedccf3140f515f05737f3017d6ab6f10b89
MD5 hash: cd6487ba57f9ae3d2a23ec2e41f7a2e0
SHA1 hash: a5e54274113d2c2b1040366ebe5ae2e59abdf573
Please note that we are no longer able to provide a coverage score for VirusTotal.
