MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0213b080d6e1188df027bebfc9d5fa07d0548168997536afd0471c29be4ce75c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0213b080d6e1188df027bebfc9d5fa07d0548168997536afd0471c29be4ce75c
SHA3-384 hash: fe49397e85adb573524b28117c9c74e4b3144a0375909d80f0406d0a4bf5f922c23794f74fbcf2bb5fa3239d3c4ed06f
SHA1 hash: f8a23d72e5d78bd18236e70f44a5fce0898b8f89
MD5 hash: d166e73c371e8e22142bb7fce0e34cb1
humanhash: march-earth-blue-venus
File name:Urban Equipment.scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:254'768 bytes
First seen:2020-08-10 09:27:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:JjskNslgmLLUoDk/D5KNCdboaZxAFsgs27pj4GkFkL7utmW/vmSm7wWsD88zvkoM:J4+slflDsRdfzAFs27dctySDWEHPSd
Threatray 787 similar samples on MalwareBazaar
TLSH B9443984E84888E8DC5D27728C3A985013F37EE6D6705E1D1DDAB9616B732C3182ED9F
Reporter abuse_ch
Tags:RemcosRAT scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: Emilia Garcia <info@benito.com>
Subject: RFQ no. 1818033- Urban Equipment
Attachment: Urban Equipment.img (contains "Urban Equipment.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/42595/
Detection(s):
Win.Trojan.Ag-18
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Connection attempt
Creating a file
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Enabling autorun
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/416628
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Country aware sample found (crashes after keyboard check)
Creates an undocumented autostart registry key
Detected Remcos RAT
Drops PE files to the startup folder
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 260637 Sample: Urban Equipment.scr Startdate: 10/08/2020 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->45 47 Detected Remcos RAT 2->47 49 4 other signatures 2->49 6 Urban Equipment.exe 2 2 2->6         started        10 Urban Equipment.exe 3 2->10         started        12 Urban Equipment.exe 3 2->12         started        14 Urban Equipment.exe 4 2->14         started        process3 file4 35 C:\Users\user\AppData\...\Urban Equipment.exe, PE32 6->35 dropped 37 C:\...\Urban Equipment.exe:Zone.Identifier, ASCII 6->37 dropped 59 Creates an undocumented autostart registry key 6->59 61 Writes to foreign memory regions 6->61 63 Allocates memory in foreign processes 6->63 16 InstallUtil.exe 2 3 6->16         started        21 WerFault.exe 23 9 6->21         started        65 Injects a PE file into a foreign processes 10->65 23 InstallUtil.exe 10->23         started        25 WerFault.exe 10->25         started        27 WerFault.exe 10 12->27         started        29 InstallUtil.exe 12->29         started        31 InstallUtil.exe 14->31         started        signatures5 process6 dnsIp7 39 172.111.200.225, 8069 M247GB United States 16->39 33 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 16->33 dropped 51 Contains functionality to steal Chrome passwords or cookies 16->51 53 Contains functionality to capture and log keystrokes 16->53 55 Contains functionality to inject code into remote processes 16->55 57 Contains functionality to steal Firefox passwords or cookies 16->57 41 192.168.2.1 unknown unknown 21->41 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0213b080d6e1188df027bebfc9d5fa07d0548168997536afd0471c29be4ce75c/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-08-10 09:28:10 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aij3bagw4emi34bhx274tvp2a7ifjalitf2tnl6qi4octpsm45oa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2db4ee21ea51c36e7dac362a31f5791643de1ced086758c80ad2cb8b8b70f80e
RemcosRAT
4692d4716a224f54c928808d2d7ee7e9eaeb8531f1cd29b91886fa511a12f07a
RemcosRAT
5be1955cc565b499f3948429e16db2d902ceb8953132d39ae54954ed5cf73de0
RemcosRAT
5c8a1fcc7289127fe8b58aacf60776b0165e11a240cb1d44f7048f5ccae8769d
RemcosRAT
6307b6ffc48a88aeeff567c7a296ca6daf830f9b4eecf9f48352c489e5256fca
RemcosRAT
6883ab02c6b5c22d0035e476501021e228dd1b94f5a1f301a343b731fc847d45
RemcosRAT
81586576466b84318c110be299cad2ff3594cf483d33690d6a691581cd87fd76
RemcosRAT
936aa436f6a85762fe0fa8f9f14af43e5a53ba7bf398f279925f73dc511c09b4
RemcosRAT
96867bcc79971d9c01eb37e642c0e405b6fce31a3b59ab996f04c38a85a444c9
RemcosRAT
a7d93e9c9bb80f0f8a271ae4a101f305bac535e197697b35f291794fa83ef538
RemcosRAT
+ 777 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence rat family:remcos
Link:
https://tria.ge/reports/200810-z12951rype/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Remcos
Modifies WinLogon for persistence
Malware Config
C2 Extraction:
172.111.200.225:8069
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0213b080d6e1188df027bebfc9d5fa07d0548168997536afd0471c29be4ce75c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img d7d81b61089e2639cede68b6db324344cc092b4c6fe4d94f2ab55f2f2c6f838d

RemcosRAT

Executable exe 0213b080d6e1188df027bebfc9d5fa07d0548168997536afd0471c29be4ce75c

(this sample)

  
Dropped by
MD5 e1b02ade82f2d4f9a58af0561a0a1ad5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42595/
  
Dropped by
SHA256 d7d81b61089e2639cede68b6db324344cc092b4c6fe4d94f2ab55f2f2c6f838d

Comments