MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ee1ed01fe26af330a114bc5d39fdfb3a6357a75b8091a234d115bf2230256c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	9ee1ed01fe26af330a114bc5d39fdfb3a6357a75b8091a234d115bf2230256c3
SHA3-384 hash:	5aa8ed9ed665d5f9828c712d8fddf16b10ec4bf6410db71b02ec35011d11769aba84f12d96141df5336f6d7bd432b952
SHA1 hash:	16c6f8a56472ad89eacc4f09ae67f47d4e040a78
MD5 hash:	29e8627b2373ead96fa20e5c7d492ae1
humanhash:	sweet-quebec-berlin-failed
File name:	POEA ADVISORY NO. 107.PDF.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	905'572 bytes
First seen:	2020-09-02 06:11:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:BAOcZeJsLMVdzLwAquaVbN9xg539FQZMaBQi2j3:b8qzMAq3N9xw96ZMAI
Threatray	876 similar samples on MalwareBazaar
TLSH	E6151202F7E68871D13219325E2A7711AE7D3D204F29DA2EB3D04D6DEA761D02635BB3
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: sd.latticesystems.com
Sending IP: 96.44.130.88
From: OPAP SECRETARIAT <opapsecretariat@yahoo.com>
Subject: POEA ADVISORY NO. 107
Attachment: POEA ADVISORY NO. 107.PDF.lzh (contains "POEA ADVISORY NO. 107.PDF.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/54188/

Detection(s):

Win.Malware.Vasal-9406011-0

PUA.Win.Downloader.Aiis-6803892-0

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Searching for the window

Creating a file in the %temp% subdirectories

Enabling the 'hidden' option for files in the %temp% directory

Creating a process from a recently created file

Creating a file

Adding an access-denied ACE

DNS request

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Setting a global event handler for the keyboard

Sending a TCP request to an infection source

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/457170

Signature

Allocates memory in foreign processes

Detected Remcos RAT

Drops PE files with a suspicious file extension

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Writes to foreign memory regions

Yara detected AntiVM autoit script

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/9ee1ed01fe26af330a114bc5d39fdfb3a6357a75b8091a234d115bf2230256c3/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-09-02 05:36:35 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=t3q62ap6e2xtgcqrjpc5hh67wotdk6tvxaerui2ncfn7eiyck3bq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

5c5e4e31bde29168e03fa8cce36bab9b577568137edab59f68f8968616546ed9

RemcosRAT

6d833bd671f179c8dfdf89aac0bc77cd7bb49f82a98cbf5d8122a9d47fa98e9f

RemcosRAT

9a40f0300c23e940e1e6abdab04d0d52218ac9a28b96075238de1fb9acd88b77

RemcosRAT

a1c243083cc1870948216df122047ee1a8e473d0fab33283009c0d291567ea10

RemcosRAT

ad26de7b388b0d667f98b6fc939bf942f284752b6353b033b93d31556ad9b461

RemcosRAT

be229bdaf4ed159fcee3b29cf41851f25ce584b88aac09aaad69bf51e1b14577

RemcosRAT

c366104c944aee48c742218be05de134d13fd7bde6024b1c0f4c1d843b2288f8

RemcosRAT

cd8770808daf4f97a339438001f0ac7dab0853feb07134e6f7bb2fc3db9581c0

RemcosRAT

dce0fd32e1a722b27a3d60dc55016edbbfe763d3ec5aa10de6a6455e062b1432

RemcosRAT

+ 866 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

persistence keylogger trojan stealer spyware family:nanocore rat family:remcos

Link:

https://tria.ge/reports/200902-w9cmbtffbj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

NanoCore

Remcos

Malware Config

C2 Extraction:

officer170.webredirect.org:2404
chidera12345.ddns.net:2404

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9ee1ed01fe26af330a114bc5d39fdfb3a6357a75b8091a234d115bf2230256c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator