MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8c1e04edd5c422d065e27a3a73931d373de200419cd9ba649fdfadee686e5f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	c8c1e04edd5c422d065e27a3a73931d373de200419cd9ba649fdfadee686e5f2
SHA3-384 hash:	8816b99dfb81aaa441fdd9e78590b2404265bff2b3fdd5d9287bf6b9822abaa772c4dcb195e132e5ed7fe2ead30e6daf
SHA1 hash:	0e56d3abd84193b3c35ed7281ea104b986f0426f
MD5 hash:	305fc37c32a3048cc54ff40191dad33b
humanhash:	floor-nuts-hydrogen-uniform
File name:	Purchase Order.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	361'472 bytes
First seen:	2020-08-11 12:09:34 UTC
Last seen:	2020-08-11 13:19:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	6144:S20Xclai8FLnJxL4XUhaVs4Wid1ZL6wt32J389m7U8PUS1Nyi0:S2oclr8pJxLfN4Wid1ZDtlmAAtyi
Threatray	877 similar samples on MalwareBazaar
TLSH	DF74DF5566C89F45D02DAB7D8321141A03F3E92FAB39EF597FC316E80E62B7287A1503
Reporter	abuse_ch
Tags:	exe RemcosRAT

abuse_ch

Malspam distributing unidentified malware:

HELO: mail.com
Sending IP: 156.96.45.238
From: Johnson Bathy <purchase.smartsourcing@mail.com>
Reply-To: purchase.smartsourcing@gmail.com
Subject: Purchase order #438
Attachment: Purchase Order.zip (contains "Purchase Order.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

70

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/43334/

Detection(s):

SecuriteInfo.com.Fareit-FYE305FC37C32A3.9294.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a process with a hidden window

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/418759

Signature

.NET source code contains potential unpacker

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/c8c1e04edd5c422d065e27a3a73931d373de200419cd9ba649fdfadee686e5f2/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-08-11 12:11:09 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zda6atw5lrbc2bs6e6r2oojr2nz54iaedhgzxjsj7x5n5zug4xza._file

Verdict:

malicious

Label(s):

remcos

Similar samples:

1d7bd4569c9c65e200191f37c4880af45b409a145ad9e883cd6699f76bcd5262

24d5ae18d6995c5afcb2ba03c90cbebde633c69c5f3a5f1fa157c1d4fcd84928

39734faf0a577140648e7a9c46220d612bd334a14c547e33a08af07e102fce30

439ed702b9700b4bd7ec8877db8d90820176cd183cb888c8be9b14267d3581cc

4756d7695557a0c18e9f662cb1b17639cacf4dbc017ee733a62f1b9d0c37a950

5abfb2c26d98dbe4aba173a7d3eb43d112ccb2bacaa2c874669128a13a98fe25

83a4040f51f86dd5a5da772636d1a2271962a87b42994fdaa53438c24b142376

83b70b20d0cdb13e9c420723ba5f025827d21e0c051c6e64b5553a5c372c3374

cbe0ac62133d33b65e7f70a9b044e2e901fec3c0af0b76ac17ed1450bdb6beee

de4e7923d6209906899738f2091bd48d49e2bce9fbc5aebe7658444e8d040285

+ 867 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

rat family:remcos

Link:

https://tria.ge/reports/200811-m3p8m389bs/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Remcos

Malware Config

C2 Extraction:

john777.ddns.net:6640

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c8c1e04edd5c422d065e27a3a73931d373de200419cd9ba649fdfadee686e5f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 104104917b78fd2b5b07e66fb1ca37c58ba4b93c82fd49b97a8d9afb7861d6dd

exe c8c1e04edd5c422d065e27a3a73931d373de200419cd9ba649fdfadee686e5f2

(this sample)

Dropped by

MD5 bb0f2aa590ca3c075b80fba9742b71fc

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 104104917b78fd2b5b07e66fb1ca37c58ba4b93c82fd49b97a8d9afb7861d6dd

Cape

Cape

https://www.capesandbox.com/analysis/43334/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample