MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 965d84cabf414da83736bbcd3e2286a0dc907325ebe17bb0d4da2659edd02052. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 965d84cabf414da83736bbcd3e2286a0dc907325ebe17bb0d4da2659edd02052
SHA3-384 hash: 01aa4667435953f66bd94a573308a76469369108bfe877a3ba0d9e361a4b2b03763260a241e18ff505aa927677d59d0b
SHA1 hash: 189bddd0a5b7006bb60658bbe3ccaebf904c871a
MD5 hash: 0058fc15aef70a63183b3c6bf32a1163
humanhash: north-fourteen-tennessee-emma
File name:Thông báo DHL, 8897209547,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:530'432 bytes
First seen:2020-08-06 06:08:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:bjG02XcdPyahZ0RcxPYRqBYY9sNhmYyvyW3dgqBUg4kwbI9HweY9KWNuzZAh2P8X:b9eczYRqZMSkqBUg4kycHIKQ2m
Threatray 1'169 similar samples on MalwareBazaar
TLSH D5B4273461754A9BD7EC80B44F0C724849E382B51A8FF7C1ECB72985F6926B0A72DC5B
Reporter abuse_ch
Tags:DHL exe geo Hostwinds RAT RemcosRAT VNM


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: hwsrv-752879.hostwindsdns.com
Sending IP: 104.168.176.91
From: DHL Express Cargo <delivery@dhl.com>
Subject: Thông báo chứng từ vận chuyển
Attachment: Thông báo DHL, 8897209547,pdf.iso (contains "Thông báo DHL, 8897209547,pdf.exe")

RemcosRAT C2:
nkiruka2020.ddns.net:7171 (185.19.85.135)


% Information related to '185.19.84.0 - 185.19.85.255'

% Abuse contact for '185.19.84.0 - 185.19.85.255' is 'abuse@datawire.ch'

inetnum: 185.19.84.0 - 185.19.85.255
netname: DATAWIRE-DATACENTERS
descr: CUSTOMERS ZG01
country: CH
admin-c: DA4314-RIPE
tech-c: DA4314-RIPE
status: ASSIGNED PA
mnt-by: DATAWIRE-NOC
created: 2013-09-23T14:18:55Z
last-modified: 2013-09-23T14:18:55Z
source: RIPE

role: DATAWIRE AG
address: Hinterbergstrasse 22
admin-c: SH3634-RIPE
tech-c: SH3634-RIPE
nic-hdl: DA4314-RIPE
mnt-by: DATAWIRE-NOC
created: 2012-01-03T15:42:22Z
last-modified: 2013-08-25T14:21:45Z
source: RIPE # Filtered
abuse-mailbox: abuse@datawire.ch

% Information related to '185.19.84.0/22AS48971'

route: 185.19.84.0/22
descr: DATAWIRE AG DATACENTERS
origin: AS48971
mnt-by: DATAWIRE-NOC
created: 2013-03-07T20:43:03Z
last-modified: 2013-03-07T20:43:03Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/40116/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Creating a file in the %AppData% subdirectories
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/412207
Signature
Detected Remcos RAT
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/965d84cabf414da83736bbcd3e2286a0dc907325ebe17bb0d4da2659edd02052/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 06:10:11 UTC
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=szoyjsv7ifg2qnzwxpgt4iugudoja4zf5pqxxmgu3itft3oqebja._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0529890413f7f952eb1b6a073369119f1f8f5c1b7e0a9611e721bd695975d0fa
RemcosRAT
327bc1ad9fc793811e5da6cb3553b7dca05c8a48d8060fc94015339ee805851d
RemcosRAT
54c937e5b6fe28e7076e549802765e15ad6191d2ddc427b532ff9347fef2eb39
RemcosRAT
582bb52402f47d9d47b4c786419e32e60a19ae400fdf59654218d6fff01edab2
RemcosRAT
8ec5d666ff1af04113f22c80294db956bedff4123e59ee925c5583c47b7794ec
RemcosRAT
99938664e2162f06313d017b275c7da25b45d578177911808a986f416377e15d
RemcosRAT
b1135688496020eb3e075121b22fb9c726c6021068ce415be82d8e48540dc563
RemcosRAT
cf569e5361d68bca55156e7931606bd5acea860b5824dda249285c824ee32aa6
RemcosRAT
d99680b269d345d0e78e80b5310077f35e781ab5e74a1f926cb0be47d185a9c4
RemcosRAT
df55898a2e3ad76e9ca691d178e15d2c499f391be7ed604a10ea7084e02d9446
RemcosRAT
+ 1'159 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos
Link:
https://tria.ge/reports/200806-b5apld1x3a/
Behaviour
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
nkiruka2020.ddns.net:7171
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/965d84cabf414da83736bbcd3e2286a0dc907325ebe17bb0d4da2659edd02052

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso a277b768e79fccae4f496c7c88db0c0e89f75f31e3c1f58f27f4f37cfd78ec12

RemcosRAT

Executable exe 965d84cabf414da83736bbcd3e2286a0dc907325ebe17bb0d4da2659edd02052

(this sample)

  
Dropped by
MD5 e14bf660483707e245fb09066d75bff0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a277b768e79fccae4f496c7c88db0c0e89f75f31e3c1f58f27f4f37cfd78ec12
Cape
Cape
https://www.capesandbox.com/analysis/40116/

Comments