MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03ce96851d1e23ce614c9f24d97727c68f0f1156a442ff0eaecff89299dd90e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	03ce96851d1e23ce614c9f24d97727c68f0f1156a442ff0eaecff89299dd90e9
SHA3-384 hash:	173615c7c9eb7dd507457fa1ad990ebdc007c713112344813f7d42ac932e19ace131c202fd567db1e7f9edbb08e656f0
SHA1 hash:	521c507e63ea7237b9c85ac2973a1b53465dabae
MD5 hash:	c5318a4bb156bf5ce9d8bcd2e9f2682b
humanhash:	december-tango-spaghetti-early
File name:	PURCHASE ORDER098090.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	157'184 bytes
First seen:	2021-01-11 08:53:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f7dbba1d9956b9fc0fee4be8b364a1e9 (4 x Loki, 1 x RemcosRAT)
ssdeep	3072:/mOrc90DiAfRuq5sNIGiq6IhFHKUS1ceJ+LioHHjB:Zc90eAZsT6ItSaegL3HjB
Threatray	1'374 similar samples on MalwareBazaar
TLSH	34E3E01332D2D570C200877E8DB5E2980B92BEF75E5A994732863B9E6CF1CC6EF95024
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.58.152
From: r.abouldahab@emis-int.com
Subject: Re: Quotation
Attachment: PURCHASE ORDER098090.z (contains "PURCHASE ORDER098090.exe")

RemcosRAT C2:
45.137.22.52:8780

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PURCHASE ORDER098090.exe

Verdict:

Malicious activity

Analysis date:

2021-01-11 08:58:11 UTC

Tags:

trojan rat remcos stealer

Link:

https://app.any.run/tasks/fbd27855-b210-4420-b162-c510402cca96

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/111248/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a file

Running batch commands

Creating a process with a hidden window

Sending a UDP request

Unauthorized injection to a recently created process

Sending a custom TCP request

Setting a keyboard event handler

Launching a process

Creating a file in the %AppData% subdirectories

Enabling autorun by creating a file

Result

Threat name:

Remcos

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/577742

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to capture and log keystrokes

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Detected unpacking (creates a PE file in dynamic memory)

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected Remcos RAT

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/03ce96851d1e23ce614c9f24d97727c68f0f1156a442ff0eaecff89299dd90e9/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2021-01-11 04:52:55 UTC

AV detection:

11 of 46 (23.91%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aphjnbi5dyr44ykmt4sns5zhy2hq6ekwurbp6dvoz74jfgo5sduq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

34f712cf924d76de4f93de3ddc9a0bb9a55b97bf64f2e36c7c0ae49ede694dfb

RemcosRAT

3ce969a94f4bc8dec526e3551626d7e3639bae986304deba85e8f29f039fe345

RemcosRAT

5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4

RemcosRAT

7a30279d9a17f60370018e2e519d9f3a5a423b79c996e2ce25649505206d0d53

RemcosRAT

89313534a5c4579b6a00425281ef0473246cfb2340653bd3cf41b584bfa40578

RemcosRAT

8abb3951282558d959930da03e83bfefd2274bbc6e844b42ae5abc0d453006a7

RemcosRAT

abd4e6ee8152822c0545bd27a4f4c5114728873873e227044dfb48ecf1ecb37f

RemcosRAT

deaeae58f25c2af5579c5bd2dc276dcc346a6f022d359fc1e4d9e09ac2c1107f

RemcosRAT

fdd40bcfba668b785d404214fd35db117b186e21944b24f16540cce86f7bec78

RemcosRAT

+ 1'364 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/210111-gt54gyt9xe/

Behaviour

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

45.137.22.52:8780

Unpacked files

SH256 hash:

03ce96851d1e23ce614c9f24d97727c68f0f1156a442ff0eaecff89299dd90e9

MD5 hash:

c5318a4bb156bf5ce9d8bcd2e9f2682b

SHA1 hash:

521c507e63ea7237b9c85ac2973a1b53465dabae

Link:

https://www.unpac.me/results/36786c33-304c-453d-a35c-1a735cf40043/

SH256 hash:

2791c53987918702e553b2f3efdfe0d3c5dd69e50f19f74ae3f2a74fede24478

MD5 hash:

1b088d6250ab6d89937740df7fe6f309

SHA1 hash:

0ebd3ca01fdb4d3cc19539c7e771c6b428c64514

Link:

https://www.unpac.me/results/36786c33-304c-453d-a35c-1a735cf40043/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/03ce96851d1e23ce614c9f24d97727c68f0f1156a442ff0eaecff89299dd90e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator