MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07bea1f0f5a11fdada688ba215ee670c1a77d2f05b0e1125edaee37e66a0819c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

SHA256 hash: 07bea1f0f5a11fdada688ba215ee670c1a77d2f05b0e1125edaee37e66a0819c
SHA3-384 hash: eb7a9607707b6e7ba6ecc6fc2623825073f453e01f0b67f74c35826dfedb1290d54dc1fa6d3d9acf280e0b3a81ff6f3b
SHA1 hash: 63cd648d76f0b801988abbd2f23529abd80cf2b3
MD5 hash: 9eaa93c2850b10359c965b9ddc209bc9
humanhash: lima-asparagus-cup-angel
File name: AWB # 2205280630.jpg.exe
Download: download sample
Signature: RemcosRAT
File size: 102'400 bytes
First seen: 2020-08-03 13:55:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c7b1f104cce79244db8803b86aa4734d (1 x RemcosRAT)
ssdeep: 768:fxSFZq4m+9dk18JWxnElW6LE72vfvdr9JolRk92P/hWE7sWnCgS:fxKZuQ4bQFQlueWxWnCg
Threatray: 2'751 similar samples on MalwareBazaar
TLSH: 0BA3C52691E84639F167DF715E7847E7413D7C38382E858B4EE439AE33B2E088661627
Reporter: abuse_ch
Tags: exe RAT RemcosRAT


abuse_ch
Malspam distributing RemcosRAT:

HELO: dbschenker.com
Sending IP: 37.49.230.177
From: monir.hossain@dbschenker.com
Subject: Revised_ AWB#2205280630
Attachment: AWB 2205280630.IMG (contains "AWB # 2205280630.jpg.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 77
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Creating a file in the %temp% directory
Creating a process from a recently created file
Connection attempt
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name: Remcos FormBook GuLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Benign windows process drops PE files
Contains functionality to hide a thread from the debugger
Detected Remcos RAT
Hides threads from debuggers
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Remcos
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph: rendered graph not reproduced here (Behavior Graph ID: 256282; Sample: AWB # 2205280630.jpg.exe; Startdate: 03/08/2020; Architecture: WINDOWS; Score: 100)
Threat name: Win32.Trojan.Dynamer
Status: Malicious
First seen: 2020-08-03 13:57:09 UTC
AV detection: 36 of 48 (75.00%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: rat spyware evasion trojan family:remcos persistence stealer family:formbook
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Runs ping.exe
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Remcos
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Remcos
Author: JPCERT/CC Incident Response Group
Description: detect Remcos in memory

Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT
Executable exe 07bea1f0f5a11fdada688ba215ee670c1a77d2f05b0e1125edaee37e66a0819c (this sample)

Delivery method: Distributed via e-mail attachment

Comments