MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02153d544f745e7688a5f5f801ef4c2c197349fc79089b422d101f4f345fed8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02153d544f745e7688a5f5f801ef4c2c197349fc79089b422d101f4f345fed8f
SHA3-384 hash: c81e879c4074da66ca2b8b4b8b0581a87caeb4cde3c03fbf2740da6cf427286ddc1e3a63eb651cda7bb91f74f253fbd4
SHA1 hash: e5628c468db22facd1d3e6949628e633a825b48f
MD5 hash: c86e1f0dd853b1348e84ee2d793d33bc
humanhash: july-pennsylvania-lemon-indigo
File name:End of the yr shipment#102120.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:413'696 bytes
First seen:2020-10-22 06:24:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:E3DYsKT9AgmAnqPJ7ucSvkjaL+Ot3/uQ5o:42mAeJqv4mYSo
Threatray 930 similar samples on MalwareBazaar
TLSH BC940288D702CB69EF3E413579600F500B7D4EA9603997A69B05B0EB1F9BF86243A5D3
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps.pantin-hoes.com
Sending IP: 45.95.169.163
From: charles <sales@koster-nl.com>
Subject: Wholesale Inquiry
Attachment: End of the yr shipment102120.7z (contains "End of the yr shipment#102120.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Agenttesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74465/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader35.5199.15162.27850.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506593
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Drops PE files to the startup folder
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 302467 Sample: End of the yr shipment#102120.exe Startdate: 22/10/2020 Architecture: WINDOWS Score: 100 32 petroleum.sytes.net 2->32 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for dropped file 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 12 other signatures 2->42 8 End of the yr shipment#102120.exe 4 2->8         started        signatures3 process4 file5 26 C:\Users\user\sdf567, PE32 8->26 dropped 28 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 8->28 dropped 30 C:\Users\user\sdf567:Zone.Identifier, ASCII 8->30 dropped 44 Maps a DLL or memory area into another process 8->44 46 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->46 12 End of the yr shipment#102120.exe 3 8->12         started        15 End of the yr shipment#102120.exe 8->15         started        17 End of the yr shipment#102120.exe 8->17         started        signatures6 process7 signatures8 48 Detected Remcos RAT 12->48 50 Writes to foreign memory regions 12->50 52 Allocates memory in foreign processes 12->52 54 Injects a PE file into a foreign processes 12->54 19 iexplore.exe 12->19         started        56 Maps a DLL or memory area into another process 15->56 21 End of the yr shipment#102120.exe 15->21         started        24 End of the yr shipment#102120.exe 15->24         started        process9 dnsIp10 34 petroleum.sytes.net 185.244.30.10, 3014, 49769, 49770 DAVID_CRAIGGG Netherlands 21->34
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02153d544f745e7688a5f5f801ef4c2c197349fc79089b422d101f4f345fed8f/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 17:26:15 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aikt2vcporphncff6x4ad32mfqmxgsp4peejwqrncapu6nc75whq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
29e976622956314e13cff9fce7e829a27827214ddcfd41ccd33fc4faca45b566
RemcosRAT
308245e3b036eaa8e2b12c92852a64e5feedd6d952789d12da2ea5da9b7acced
RemcosRAT
4096056536154e1fa5a10e3495cd3ddadf7c01022b7b65b0c35a67b2eac2bc6b
RemcosRAT
4a024542511c7d0a40e8317486b7177eaf71ee355f1731f17bc632731ea814b0
RemcosRAT
5561d008620229638c19ba7e991d22edfd27eef99c5a038510b24950687befd3
RemcosRAT
5a418e084b49b740a94d307baf45d67ac25db462fdeb80065fb60ffeb197273f
RemcosRAT
6637c089017af9c448d8235e20db32603d8547f0611187341cf184dc66c170b4
RemcosRAT
e037b5ebac7b3ac81b3e268268dbd072784c73f178662e4a66e5e57d7e8a67c3
RemcosRAT
f412da03defe68cc6e1f264449adf519a4c5470c51e7b502854f7fbf358f8516
RemcosRAT
fa5850a0ba8809631d4e3f5a3f8cafa133b3d6ae37088eeb934ec13d1bc9f368
RemcosRAT
+ 920 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos
Link:
https://tria.ge/reports/201022-2xzl4374mx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Remcos
Malware Config
C2 Extraction:
petroleum.sytes.net:3014
Unpacked files
SH256 hash:
18b6b5096fbb3f2f521cef52d6b5b47b63add63e22d5d968f12b90b1151dacd2
MD5 hash:
fb2728dfa638ac73c693218b0a8d9ae0
SHA1 hash:
622530a894ef8554e4780a97a3dbfcfb41d44cc2
Link:
https://www.unpac.me/results/8e1afdd6-1c16-4e76-8deb-6b3def689eb5/
SH256 hash:
0f30034b8b94ce1ed4ca26c1ab96f48861b97e762b9dc73494ba39859e1d124f
MD5 hash:
1e6c8fe92461e844ffe1bc2f9619dd1f
SHA1 hash:
ef0dc7cb2d387ccb70d7cfff007c49f6ad4d2a45
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/8e1afdd6-1c16-4e76-8deb-6b3def689eb5/
SH256 hash:
02153d544f745e7688a5f5f801ef4c2c197349fc79089b422d101f4f345fed8f
MD5 hash:
c86e1f0dd853b1348e84ee2d793d33bc
SHA1 hash:
e5628c468db22facd1d3e6949628e633a825b48f
Link:
https://www.unpac.me/results/8e1afdd6-1c16-4e76-8deb-6b3def689eb5/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

7z f0d394b302e438381b87b7a9a8eb1bc497c748dc1cbac2d30397766bdb9fd271

RemcosRAT

Executable exe 02153d544f745e7688a5f5f801ef4c2c197349fc79089b422d101f4f345fed8f

(this sample)

  
Dropped by
MD5 f82a47d9b6f5e45a85864e6bdfd167b2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74465/
  
Dropped by
SHA256 f0d394b302e438381b87b7a9a8eb1bc497c748dc1cbac2d30397766bdb9fd271

Comments