MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0282b710d24b3d098017e3231c93e1b46bf8586a6e0cc83ec76f2a1d710c6813. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0282b710d24b3d098017e3231c93e1b46bf8586a6e0cc83ec76f2a1d710c6813
SHA3-384 hash: 5bd861af1b038376227e41b585eb505cee6c359afec6b31fce2b8f87286b8d1636de2e1f9b173309c77c5210f5f9d11f
SHA1 hash: 7594ab3d1f1309794d158a7e3dc4e565ad4de498
MD5 hash: ee67cddab302ab6f9a3953f09efa8dfe
humanhash: mike-mississippi-double-network
File name:AWB # 2205280630.jpg.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:102'400 bytes
First seen:2020-08-04 08:39:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2dee1b1d090d5f0d9f4437a1f3bed4e2 (1 x RemcosRAT)
ssdeep 768:++b2JZx9dRocayMV3DVIvhYnTBqDDj2EG/oX0CAgD6k2P/Wz7sOCb+:+42XAyMdyvhYndmDhlETgDr/0OCb
Threatray 2'267 similar samples on MalwareBazaar
TLSH 91A3D71691E84639F267DF715D7446F7813C7C38392EC58B8DE038AF37B2A498660A27
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: ofmacamp.com
Sending IP: 37.49.230.177
From: commercial3@ofmacamp.com
Subject: Revised_ AWB#2205280630
Attachment: AWB___2205280630.jpg.img (contains "AWB # 2205280630.jpg.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38366/
Detection(s):
SecuriteInfo.com.Variant.Graftor.808153.16574.999.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
Remcos FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408895
Signature
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Remcos
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses netstat to query active network connections and open ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 256687 Sample: AWB # 2205280630.jpg.exe Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 70 www.prometheusacquisitions.net 2->70 72 www.nycmassageankeny.com 2->72 74 3 other IPs or domains 2->74 110 Malicious sample detected (through community Yara rule) 2->110 112 Yara detected GuLoader 2->112 114 Yara detected Generic Dropper 2->114 116 8 other signatures 2->116 13 AWB # 2205280630.jpg.exe 1 2->13         started        16 remcos.exe 1 2->16         started        signatures3 process4 signatures5 134 Hides threads from debuggers 13->134 18 AWB # 2205280630.jpg.exe 1 12 13->18         started        23 remcos.exe 6 16->23         started        process6 dnsIp7 76 t8t3jq.db.files.1drv.com 18->76 78 t8ssmg.db.files.1drv.com 18->78 80 onedrive.live.com 18->80 62 C:\Users\user\AppData\Roaming\...\remcos.exe, PE32 18->62 dropped 64 C:\Users\user\AppData\...behaviorgraphRANSKNINGENS.exe, PE32 18->64 dropped 66 C:\Users\user\...\remcos.exe:Zone.Identifier, ASCII 18->66 dropped 118 Hides threads from debuggers 18->118 25 GRANSKNINGENS.exe 1 18->25         started        28 cmd.exe 1 18->28         started        82 t8t3jq.db.files.1drv.com 23->82 84 t8ssmg.db.files.1drv.com 23->84 86 onedrive.live.com 23->86 file8 signatures9 process10 signatures11 120 Tries to detect virtualization through RDTSC time measurements 25->120 122 Hides threads from debuggers 25->122 30 GRANSKNINGENS.exe 6 25->30         started        124 Uses ping.exe to sleep 28->124 34 remcos.exe 1 28->34         started        36 PING.EXE 1 28->36         started        38 conhost.exe 28->38         started        process12 dnsIp13 102 t8ufsw.db.files.1drv.com 30->102 104 onedrive.live.com 30->104 136 Modifies the context of a thread in another process (thread injection) 30->136 138 Maps a DLL or memory area into another process 30->138 140 Sample uses process hollowing technique 30->140 142 Queues an APC in another process (thread injection) 30->142 40 explorer.exe 30->40 injected 144 Hides threads from debuggers 34->144 44 remcos.exe 1 9 34->44         started        106 127.0.0.1 unknown unknown 36->106 108 192.168.2.1 unknown unknown 36->108 signatures14 process15 dnsIp16 88 www.joomlas123.com 199.192.16.98, 49766, 80 NAMECHEAP-NETUS United States 40->88 126 System process connects to network (likely due to code injection or exploit) 40->126 47 NETSTAT.EXE 40->47         started        50 remcos.exe 1 40->50         started        52 autofmt.exe 40->52         started        90 hussanm.duckdns.org 185.140.53.50, 49740, 49743, 49747 DAVID_CRAIGGG Sweden 44->90 92 t8t3jq.db.files.1drv.com 44->92 94 2 other IPs or domains 44->94 68 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 44->68 dropped 128 Hides threads from debuggers 44->128 130 Installs a global keyboard hook 44->130 file17 signatures18 process19 signatures20 146 Modifies the context of a thread in another process (thread injection) 47->146 148 Maps a DLL or memory area into another process 47->148 150 Tries to detect virtualization through RDTSC time measurements 47->150 54 cmd.exe 47->54         started        152 Hides threads from debuggers 50->152 56 remcos.exe 50->56         started        process21 dnsIp22 60 conhost.exe 54->60         started        96 t8t3jq.db.files.1drv.com 56->96 98 t8ssmg.db.files.1drv.com 56->98 100 onedrive.live.com 56->100 132 Hides threads from debuggers 56->132 signatures23 process24
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0282b710d24b3d098017e3231c93e1b46bf8586a6e0cc83ec76f2a1d710c6813/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 08:41:05 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=akbloegsjm6qtaax4mrrze7bwrv7qwdknygmqpwhn4vb24imnajq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
guloader
Create hunting rule
Similar samples:
06e0e3da562a627b84f328a76d70b62326e2b5a82fd28bf943b6d3dfd1f26cb7
RemcosRAT
07bea1f0f5a11fdada688ba215ee670c1a77d2f05b0e1125edaee37e66a0819c
RemcosRAT
2302aa79bb34eb683a91324995a9fb366bbbe55dffb53deee00b842e75ad19c0
RemcosRAT
37dd9ac0253be5eb6036877963ff457db90932e34d9bbd2c18852bf8bfd873c2
RemcosRAT
9c5315409c9ccb1e74195e244a17531781b973f9f489743602c18aaf5a22e7fb
RemcosRAT
a574b201fa1b1b05d857cff48993efd19a3f700c55d6a7ea8ea9a1da30becb62
RemcosRAT
a6009a6b0724811f3bb71fc6f0c6b3b1aad71448948175949c7eb8af82034e91
RemcosRAT
c224d671ef8ea5bfdc03b9a33d7ae043827b83c2ddc96e7ce128efb36f26fb9e
RemcosRAT
d76bb689a401094eee47a075368224161d261665c2b285b155d1b7833ba4fbaa
RemcosRAT
eca4673c4308cb6dfd3757fcda824d93b7076fa2b2e7b2912863cdc4cb3f422e
RemcosRAT
+ 2'257 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos persistence spyware evasion trojan stealer family:formbook
Link:
https://tria.ge/reports/200804-68991tr3en/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
System policy modification
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of web browsers
Adds policy Run key to start application
Executes dropped EXE
Formbook Payload
Remcos
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/0282b710d24b3d098017e3231c93e1b46bf8586a6e0cc83ec76f2a1d710c6813

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img 48b26a6f7efe9e3197153cabbcac69a7b30a6d0d39535835c0841c3bfaa84508

RemcosRAT

Executable exe 0282b710d24b3d098017e3231c93e1b46bf8586a6e0cc83ec76f2a1d710c6813

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/424228/
  
Dropped by
MD5 89a4b8d65eddd94922b0cdff397156e0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 48b26a6f7efe9e3197153cabbcac69a7b30a6d0d39535835c0841c3bfaa84508
Cape
Cape
https://www.capesandbox.com/analysis/38366/

Comments