MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbd6cf6fb215d5dc42ce4c04eb504a4192f3fcc4b65e6e377a996b104b475461. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QNodeService


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbd6cf6fb215d5dc42ce4c04eb504a4192f3fcc4b65e6e377a996b104b475461
SHA3-384 hash: 6f7f58f59e33aa26ef123a931a5f2c536b837ea97ea5fb8053619653019d3899dafb8b48b0d4fa1d57960eb4551697c9
SHA1 hash: 2c1cc24d3543addfbb451effbe08dcf3527b952c
MD5 hash: 0c83015eb3be060371e9acedd2d9bc6b
humanhash: cat-lactose-uranus-october
File name:SKM_C258201001130020005057.exe
Download: download sample
Signature QNodeService
Create hunting rule
File size:803'328 bytes
First seen:2021-02-10 18:41:38 UTC
Last seen:2021-02-10 21:08:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:75VdXoBANxIWM2MGyZjzMFWoR+EyFiq57wrlqtAX:VCSIl0WoR+EdMMUt4
Threatray 15 similar samples on MalwareBazaar
TLSH 4205F12122887F56F57E937514214160D3F3A946D322EF0EBEB961CD1DA3F90C633AA6
Reporter abuse_ch
Tags:exe QNodeService RAT


Avatar
abuse_ch
Malspam distributing QNodeService:

HELO: ds1196.tmddedicated.eu
Sending IP: 198.20.127.220
From: Sharon Palombi <Sharon@footinfusion.com>
Subject: Commission Statement
Attachment: SKM_C258201001130020005057.IMG (contains "SKM_C258201001130020005057.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKM_C258201001130020005057.exe
Verdict:
Malicious activity
Analysis date:
2021-02-10 18:44:49 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/0b33500b-0717-4d20-b6b7-55e0aa90c9ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116617/
Detection(s):
SecuriteInfo.com.Artemis0C83015EB3BE.25223.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/605001
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fbd6cf6fb215d5dc42ce4c04eb504a4192f3fcc4b65e6e377a996b104b475461/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-10 18:42:07 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7plm635scxk5yqwojqcowuckigjph7gewzpg4n32tfvras2hkrqq._file
Verdict:
unknown
Similar samples:
005051028cd70b06d41a9703a87b07dfd779d03395073edf6d43aaa10a719040
QNodeService
222165dd7723dadb40fa68e27857cfe28d44c75eb1eb14dd13ea2861d900c473
QNodeService
4730211b41726d261fe9f81bbbacd224b2659f9f05909395f8492adf187d8666
QNodeService
4c197092877ec4d548bdb4a2fb4284bed16b940e701c3123fba0f25eac00664a
QNodeService
4c38ca304d90865a911a298d8d79fe91000c50d78e58383a74b5f502d4c17bf2
QNodeService
738eadad6a96be79d6cb5d394226383d66bc48930fef5839d2ec031a3f19c5b8
QNodeService
8860e3c71ecb84168ebb5f24df91cbd0db7190e83b79754606e7ded7dbc94481
QNodeService
8ae24432a8380607bc692f038f1d459a9c8c38ba4150904fee9ed9fa9de37bdb
QNodeService
a08288c2f3f2d382f47a3f5b6e742189280a7a1310bc038c46c3a01f82740390
QNodeService
ee559d67bcad95fc4e1e6c867908b0b84338472a30d28d34da415c7efbd48f2b
QNodeService
+ 5 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos ransomware rat
Link:
https://tria.ge/reports/210210-ng6frx3ecx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Remcos
Unpacked files
SH256 hash:
e7d4b683ea23dbc38c30e3b9b0b7aae9d431e91becf32fa7b37d9b8218a6de2a
MD5 hash:
889c17d80b2934ef404ef1279b810011
SHA1 hash:
2005d0df8e5d2373b3999ca7c871e6a6fb75f967
Link:
https://www.unpac.me/results/9a1d45a7-d39c-427d-b64d-01b9f43157e8/
SH256 hash:
fbd6cf6fb215d5dc42ce4c04eb504a4192f3fcc4b65e6e377a996b104b475461
MD5 hash:
0c83015eb3be060371e9acedd2d9bc6b
SHA1 hash:
2c1cc24d3543addfbb451effbe08dcf3527b952c
Link:
https://www.unpac.me/results/9a1d45a7-d39c-427d-b64d-01b9f43157e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/fbd6cf6fb215d5dc42ce4c04eb504a4192f3fcc4b65e6e377a996b104b475461

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a0694dc8334b85b657b66ca3baabadf3

QNodeService

Executable exe fbd6cf6fb215d5dc42ce4c04eb504a4192f3fcc4b65e6e377a996b104b475461

(this sample)

  
Dropped by
MD5 a0694dc8334b85b657b66ca3baabadf3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116617/

Comments