MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd9c78c0994c085516b97c91de39ffe88b7111ac2f040f826e53c6c9f72ffce7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd9c78c0994c085516b97c91de39ffe88b7111ac2f040f826e53c6c9f72ffce7
SHA3-384 hash: 66e839eaf8d0b40698ad56b2d28482aa8d77080d9ac08ac27b9b0ca4aa53287db4c22ec352228f797e3770e51426cc62
SHA1 hash: 01e96643d8a754f8d37e21b1279a79547cb67eed
MD5 hash: 87870a512b0d889e1da9ee54388799ca
humanhash: fruit-potato-triple-washington
File name:LPO-DOCS-140822.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:708'608 bytes
First seen:2022-08-15 09:07:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f92bc6ee9d267eeff5e419f812a6db0 (2 x RemcosRAT, 2 x Formbook, 1 x DBatLoader)
ssdeep 12288:nBPEHJ5bqTOY+QjiYIFpw+qkcgXiRCLy2vIYO2AkReLo/dlx:ntwrqTOY+QjinpCJ/wy29O2XeLoPx
Threatray 1'637 similar samples on MalwareBazaar
TLSH T10BE4AF36B7A24872C26B1534DD1937ED6C1A7E1A1DB8B48367D82E3C6B3A140B72F153
TrID 33.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
30.5% (.SCR) Windows screen saver (13101/52/3)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
6.9% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 27d0d8e4d4d8f007 (7 x Formbook, 6 x RemcosRAT, 6 x DBatLoader)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
LPO-DOCS-140822.exe
Verdict:
Malicious activity
Analysis date:
2022-08-15 09:08:33 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/540cbdd6-56d4-4c26-b3a5-919c73a743d7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298615/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61286350.12486.16310.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28971/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger netwire
Link:
https://www.filescan.io/uploads/62fa0d6ef6ec33747daeb4ea/reports/ae6ef4f0-fe43-4093-adbc-ba0b38e3dbc4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9ae61f5-27a4-478e-a812-3e922d634c0b
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1051401
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd9c78c0994c085516b97c91de39ffe88b7111ac2f040f826e53c6c9f72ffce7/
Threat name:
Win32.Trojan.NetWired
Create hunting rule
Status:
Malicious
First seen:
2022-08-14 13:29:16 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7wohrqezjqefkfvzpsi54op75cfxcenmf4ca7atokpdmt5zp7ttq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2929451852384ac9f1b289746f767b752e04ec5d778b9538ac761cb175006948
RemcosRAT
41dbd50dec8697c71e8feea9912873500ae7061955e1331ac9e657041b7b57f8
RemcosRAT
437e444fdf417fa35390eec589e380b8d5c70b5418a4554ee19cb706470a7edc
RemcosRAT
48d97367a91454e04e0161675bc323aaea552ef9335c57090e0d471d3d28c97e
RemcosRAT
8043ea1eec1337542f54a3da01248f048588f43c2f5a434d425775dbb3ddd6b3
RemcosRAT
cfddcbf0a97a326f7a26683f817e7d42082c30f28113bef76e3c3b491c094c69
RemcosRAT
d09e0e3cdb3fa52dcea7852176dc97aac0741e85b22bd088fd0bf0633e3f3bbb
RemcosRAT
d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375
RemcosRAT
da94505a95c11c751468743c7eb6cef882f99c6c5ad4ca0b24b4c3e36d0ea11c
RemcosRAT
+ 1'627 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:finally persistence rat trojan
Link:
https://tria.ge/reports/220815-k3wn4abed5/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies system certificate store
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
185.62.86.145:42024
Unpacked files
SH256 hash:
1aa0b0480f4a4a41977ee8725c0be025bf8ea30f83696633062d5741af8200af
MD5 hash:
1324549c176999f791dc1b3cb2eb1fc2
SHA1 hash:
11f4e74ba73cda5d6861fa5bf93dc5062a71e98f
Link:
https://www.unpac.me/results/7346a226-d026-4e86-bc1e-fe3d942f395c/
SH256 hash:
fd9c78c0994c085516b97c91de39ffe88b7111ac2f040f826e53c6c9f72ffce7
MD5 hash:
87870a512b0d889e1da9ee54388799ca
SHA1 hash:
01e96643d8a754f8d37e21b1279a79547cb67eed
Link:
https://www.unpac.me/results/7346a226-d026-4e86-bc1e-fe3d942f395c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd9c78c0994c085516b97c91de39ffe88b7111ac2f040f826e53c6c9f72ffce7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe fd9c78c0994c085516b97c91de39ffe88b7111ac2f040f826e53c6c9f72ffce7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/298615/

Comments