MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 572a6a6fa5277c2b4cc040710694d33b2def62ab74e2801893d33e92e7b105af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 11


Intelligence 11 File information Yara 7 Comments

SHA256 hash: 572a6a6fa5277c2b4cc040710694d33b2def62ab74e2801893d33e92e7b105af
SHA3-384 hash: c415c09c74cf1b62896fdeeebbadd9a0aa8d6fbdc5e57330b2e8912a77282909a91d86b8892af343d98fa491d96cf32e
SHA1 hash: 64accc9e3f84e7365d8236c580b9644427e3f9e3
MD5 hash: 9c51e2991c6c9708d783aab030dcc0da
humanhash: pasta-sink-angel-bacon
File name:QuotationInvoices.exe
Download: download sample
Signature RemcosRAT
File size:528'567 bytes
First seen:2021-02-22 12:56:32 UTC
Last seen:2021-02-22 15:00:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830
ssdeep 12288:Nro6kYoqOR5HdRAFmzKNVky0QynxqHLUmb8uAT:NrEYyBRAFm2/ky0RxqHLLAT
TLSH D0B4236823BAEDFBCDE101B6047DAB1BEDD56647C2518B436744A8043D60DD3DA2F2CA
Reporter @abuse_ch
Tags:exe RAT RemcosRAT


Twitter
@abuse_ch
Malspam distributing RemcosRAT:

HELO: slot0.abutatodam.xyz
Sending IP: 203.159.80.137
From: Ravi Prasad <shradha.banerjee@mcleodrussel.com>
Subject: New PO For Urgent Supply
Attachment: NewPO.rar (contains "QuotationInvoices.exe")

RemcosRAT C2:
greatglass.servebeer.com:1961 (194.5.97.248)

Pointing to nVpn:
% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.97.0 - 194.5.97.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-UK5
country: GB
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
mnt-by: PRIVACYFIRST-MNT
status: SUB-ALLOCATED PA
created: 2018-07-23T09:31:45Z
last-modified: 2020-08-26T17:48:55Z
source: RIPE

Intelligence


File Origin
# of uploads :
2
# of downloads :
85
Origin country :
FR FR
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
DNS request
Connection attempt
Sending a UDP request
Creating a file in the %AppData% subdirectories
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: Remcos
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Convagent
Status:
Malicious
First seen:
2021-02-22 12:57:07 UTC
AV detection:
18 of 28 (64.29%)
Threat level
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:remcos rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
greatglass.servebeer.com:1961
Unpacked files
SH256 hash:
bf39e671e6df91f93dca7cdcd4e8c738b5403b766f1cfea695dcf19e181280e4
MD5 hash:
06a1d11ef6494cc50169a3823b589a46
SHA1 hash:
13a6c66a0e1c6a0c036f266a342729dab4173d92
Detections:
win_buer_auto
SH256 hash:
572a6a6fa5277c2b4cc040710694d33b2def62ab74e2801893d33e92e7b105af
MD5 hash:
9c51e2991c6c9708d783aab030dcc0da
SHA1 hash:
64accc9e3f84e7365d8236c580b9644427e3f9e3
Threat name:
Backdoor
Score:
1.00

Yara Signatures


Rule name:ach_RemcosRAT
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 572a6a6fa5277c2b4cc040710694d33b2def62ab74e2801893d33e92e7b105af

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments