MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00ef71f861b6fc1bc29bac8cc0f9f32d70e70407c2fba4931737409af8d7bd85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 6



SHA256 hash: 00ef71f861b6fc1bc29bac8cc0f9f32d70e70407c2fba4931737409af8d7bd85
SHA3-384 hash: 2030e6069dd39f32c5ae7ca26b1075ed8c11b2e7aec6adcd59457a476cfa6c8f09838a1d9d223799182b5294cf91f107
SHA1 hash: a8b7ee149a452124fbe4772a6afc5f7f5c51dd8b
MD5 hash: 592a7f2bd5408b60acfc31f8b7bafdb1
humanhash: green-north-nevada-victor
File name: Infra Purchase Order Confirmation (Please Sign),pdf.exe
Download: download sample
Signature: RemcosRAT
File size: 429'328 bytes
First seen: 2020-10-14 15:34:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 768:dy8SoPxeirJwy0W5fzoN7eVVqOXy3npVIKONRmdM8sScR9ApqcAqQ6Uf2hDv:pxeirJ5h4SXpX6pVlAkqSjpPD9Ufuv
Threatray: 4 similar samples on MalwareBazaar
TLSH: 989443153246EF14F1AF02F1D8E381F503A7BE41FE1187DBA6E9BE5938B21952B0158B
Reporter: abuse_ch
Tags: exe RAT RemcosRAT


abuse_ch
Malspam distributing RemcosRAT:

HELO: cloudserver10.qpc.co.th
Sending IP: 203.154.39.142
From: Gerardo Altieri <gerardo.altier@infra.com.mx>
Subject: Re: Re: Purchase order Request for preview Please check the report Thank you #Gerardo Altieri
Attachment: Infra Purchase Order Confirmation Please Sign,pdf.iso (contains "Infra Purchase Order Confirmation (Please Sign),pdf.exe")

RemcosRAT C2:
insidelife1.ddns.net:8811

Intelligence


File Origin
# of uploads: 1
# of downloads: 74
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating a process with a hidden window
DNS request
Sending a UDP request
Sending a TCP request to an infection source
Result
Threat name:
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Country aware sample found (crashes after keyboard check)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected Remcos RAT
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Yara detected Remcos RAT
Behaviour
Behavior Graph: (graph image not reproducible as text) Behavior Graph ID: 298233; Sample: Infra Purchase Order Confir...; Startdate: 14/10/2020; Architecture: WINDOWS; Score: 100. The graph shows the sample executable spawning further copies of itself, powershell.exe, timeout.exe and conhost.exe; it drops a PE32 copy of the executable with a Zone.Identifier stream; and it contacts insidelife1.ddns.net (216.38.7.231, ASN-GIGENETUS), hastebin.com (172.67.143.180) and pastebin.com (104.23.99.190) and 104.24.126.89 (all CLOUDFLARENETUS) over port 443.
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-10-13 19:46:32 UTC
AV detection: 24 of 48 (50.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: 00ef71f861b6fc1bc29bac8cc0f9f32d70e70407c2fba4931737409af8d7bd85
MD5 hash: 592a7f2bd5408b60acfc31f8b7bafdb1
SHA1 hash: a8b7ee149a452124fbe4772a6afc5f7f5c51dd8b
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_RemcosRAT
Author: abuse.ch

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: Parallax
Author: @bartblaze
Description: Identifies Parallax RAT.

Rule name: Remcos
Author: JPCERT/CC Incident Response Group
Description: detect Remcos in memory

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam: RemcosRAT
Executable exe 00ef71f861b6fc1bc29bac8cc0f9f32d70e70407c2fba4931737409af8d7bd85 (this sample)

Delivery method: Distributed via e-mail attachment

Comments