MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c
SHA3-384 hash: e48100f62aeec1d47817b8cb1f662ec25d9fa98cad403ab32639cc23985db5db79e7f649957427da02038c871bce07ee
SHA1 hash: 6f14c5bd02dca7c1a58965ccb26a10ef8aa95aea
MD5 hash: 20663ecc753600bebd55fbc4c3fff85e
humanhash: early-network-fourteen-fruit
File name:Wjhus order 13.1.2021.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:383'488 bytes
First seen:2021-01-13 07:40:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 13f6eb96e7165e986a0d233796ec15e0 (5 x Formbook, 5 x RemcosRAT, 1 x Loki)
ssdeep 6144:Y1PcYfkbWRchmWC4cKipHrc6TtcGmxCjHV:YfCY8cK6c6pcGDTV
Threatray 1'576 similar samples on MalwareBazaar
TLSH 8E84C4C3F445349DF8DE827BBADA8E36E1D21C5E1943180192713F51BFAEA8297C05AD
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gmkey.mywire.org
Sending IP: 23.254.227.72
From: Rebecca F. Precia <rebecca@wjhuis.top>
Subject: new order for Wjhus - 13.01.2021
Attachment: Wjhus order 13.1.2021.gz (contains "Wjhus order 13.1.2021.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Wjhus order 13.1.2021.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-13 08:37:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cca2df0a-45bc-4c00-84e3-f73c31a7d094

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111746/
Detection(s):
Win.Malware.Cnar-7194164-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/579904
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 338997 Sample: Wjhus order 13.1.2021.exe Startdate: 13/01/2021 Architecture: WINDOWS Score: 100 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Detected Remcos RAT 2->61 63 10 other signatures 2->63 10 Wjhus order 13.1.2021.exe 4 5 2->10         started        13 VLC.exe 2 4 2->13         started        17 VLC.exe 2->17         started        process3 dnsIp4 41 C:\Users\user\AppData\Roaming\...\VLC.exe, PE32 10->41 dropped 43 C:\Users\user\...\VLC.exe:Zone.Identifier, ASCII 10->43 dropped 19 wscript.exe 1 10->19         started        47 push4me.freeddns.org 194.5.98.176, 1814, 49716, 49726 DANILENKODE Netherlands 13->47 45 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 13->45 dropped 71 Injects a PE file into a foreign processes 13->71 21 VLC.exe 1 13->21         started        24 VLC.exe 13 13->24         started        26 VLC.exe 1 13->26         started        28 2 other processes 13->28 file5 signatures6 process7 signatures8 30 cmd.exe 1 19->30         started        65 Tries to steal Instant Messenger accounts or passwords 21->65 67 Tries to steal Mail credentials (via file access) 21->67 69 Tries to harvest and steal browser information (history, passwords, etc) 24->69 process9 process10 32 VLC.exe 30->32         started        35 conhost.exe 30->35         started        signatures11 49 Multi AV Scanner detection for dropped file 32->49 51 Tries to steal Mail credentials (via file registry) 32->51 53 Contains functionalty to change the wallpaper 32->53 55 4 other signatures 32->55 37 VLC.exe 32->37         started        process12 process13 39 VLC.exe 37->39         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c/
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-13 04:10:51 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ahczabhllzbzb6lnyqokaaojxubwa2del62vverm33i64hwpafga._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
00b65900131d5d5cac9d48c65ff2e53677418d7c50f0c09480af43e80845bef3
RemcosRAT
1a6757ed0fa8dfc6a0ecc4dcfecc7dacb2b4ff435c15eefeb9edde8b913e1811
RemcosRAT
4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7
RemcosRAT
5fdecb2c511ec2b584766991bc2126ae802ed2618a80a227046df5379f12e745
RemcosRAT
6da5a41c6dd6f0ddc638a3bccceeae8132814f605971a2f9eb1af58040f60eb8
RemcosRAT
7938ab5a2e1c4eaf450a144c2d451cfab20feddb85eec8310f14fefebe09e953
RemcosRAT
9a923858b6e0434e961118c2e0b6fc62bfddf64e1fc69b1b8acaa323d27c1d5e
RemcosRAT
b67361c9d7c2bcbe7e94b698f4d5abd1e6ffd96429d2c66dcfd92a573303e4f0
RemcosRAT
bfe8692e2e6e89e7d77482f315a22b3679e511e50eab20ba852cabc06dc4e5fa
RemcosRAT
e7c74f89332dcf4bf0ebaa50d960a8c82a521ca2c9608ecbb13e719e9744b5ca
RemcosRAT
+ 1'566 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat spyware
Link:
https://tria.ge/reports/210113-xkh9tx4y82/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Executes dropped EXE
Remcos
Unpacked files
SH256 hash:
01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c
MD5 hash:
20663ecc753600bebd55fbc4c3fff85e
SHA1 hash:
6f14c5bd02dca7c1a58965ccb26a10ef8aa95aea
Link:
https://www.unpac.me/results/0820b9cb-7bb5-44bb-8176-63e28252df9c/
SH256 hash:
cdec6b30838d2ee17392d100cbd519f3ab874a4fa98bbd20f17b62c19dc9f5a6
MD5 hash:
181bb911ccdd2743f837962d2da5a892
SHA1 hash:
49acf3104ef7b0fb8b74082eed7c7c372f0b92eb
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/0820b9cb-7bb5-44bb-8176-63e28252df9c/
Parent samples :
01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

gz 49b7a81c8c9154b42d564348b3a2a93be94bf14de11809e823891fafb65c113f

RemcosRAT

Executable exe 01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c

(this sample)

  
Dropped by
MD5 d12c64d45cd7416cc3a3ee41cc81083a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 49b7a81c8c9154b42d564348b3a2a93be94bf14de11809e823891fafb65c113f
Cape
Cape
https://www.capesandbox.com/analysis/111746/

Comments