MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 210560d23e3c023c90bd24ed0d76c68732dc267277fc6adcc3c991cb611bb06a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 8



SHA256 hash: 210560d23e3c023c90bd24ed0d76c68732dc267277fc6adcc3c991cb611bb06a
SHA3-384 hash: 2b876dd7ca61369873703954305a93f86856b2dd49b98f4fe0461163508d523f52c2626cbb6f7ba0e39edcde1cedee40
SHA1 hash: 5ddb90b83f20f1d0218fec99f7af1f7a1bdfe0d9
MD5 hash: 7e1a3a4437986a8441db79ed61598a5b
humanhash: oxygen-thirteen-may-virginia
File name: POS Statements for Date - _22-07-2020.exe
Signature: RemcosRAT
File size: 549'888 bytes
First seen: 2020-07-22 10:08:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 45d579faec0eaf279c0841b2233727cf (6 x AgentTesla, 2 x MassLogger, 2 x NanoCore)
ssdeep: 12288:HRmJ34UqACPQoKwICzPhVifZWFuGZkTP2bjmgqLRGd:H0B4U+Qo5Ph4ZWkQ5egqLId
Threatray: 2'133 similar samples on MalwareBazaar
TLSH: 28C48E23F6A14433C1631A389D1B57789C3AFE103A3869862BF46D4C9F797C1397A297
Reporter: abuse_ch
Tags: exe nVpn RAT RemcosRAT


abuse_ch
Malspam distributing RemcosRAT:

HELO: server1.livepotqatar.com
Sending IP: 198.24.151.201
From: POS@dohabank.com.qa
Subject: POS Statements for Date - _22-07-2020
Attachment: POS Statements for Date - _22-07-2020.zip (contains "POS Statements for Date - _22-07-2020.exe")

RemcosRAT C2:
185.165.153.15:6642

Hosted on nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-AT2
country: AT
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-14T13:31:45Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 92
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Setting a keyboard event handler
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph (text rendering of the graph image):
Behavior Graph ID: 249851
Sample: POS Statements for Date - _...
Startdate: 23/07/2020
Architecture: WINDOWS
Score: 100
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Detected unpacking (changes PE section rights); 15 other signatures
Process tree:
  POS Statements for Date - _22-07-2020.exe (started)
    Signature: Maps a DLL or memory area into another process
    -> POS Statements for Date - _22-07-2020.exe (started)
         Dropped: C:\Users\user\AppData\Roaming\gosh\gosh.exe (PE32)
         Dropped: C:\Users\user\...\gosh.exe:Zone.Identifier (ASCII)
         -> cmd.exe (started)
              Signature: Uses ping.exe to sleep
              -> gosh.exe (started)
                   Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); BOT functionalities found, sample is likely a BOT; 6 other signatures
                   -> gosh.exe (started)
                        Network: 185.165.153.15 (ports 49716, 49720, 49721), DAVID_CRAIGGG, Netherlands
                        Dropped: C:\Users\user\AppData\Roaming\...\logs.dat (ASCII)
                        Signature: Installs a global keyboard hook
                   -> conhost.exe (started)
              -> PING.EXE (started)
                   Network: 127.0.0.1 unknown unknown
              -> conhost.exe (started)
    -> SgrmBroker.exe (started)
  gosh.exe (started)
    -> gosh.exe (started)
  gosh.exe (started)
    -> gosh.exe (started)
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-07-22 10:09:08 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: persistence rat family:remcos
Behaviour
Suspicious use of SetWindowsHookEx
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos Malware Config
C2 Extraction: 185.165.153.15:6642
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Remcos
Author: JPCERT/CC Incident Response Group
Description: detect Remcos in memory

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
Executable exe 210560d23e3c023c90bd24ed0d76c68732dc267277fc6adcc3c991cb611bb06a (this sample)
Delivery method: Distributed via e-mail attachment

Comments