MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0499edd68518a172935fb984e9d97c72c50a00d5aff2cc7d5528cd38da42695c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0499edd68518a172935fb984e9d97c72c50a00d5aff2cc7d5528cd38da42695c
SHA3-384 hash: ac4a794acef11043bd28143c7a34dbb2333ccbf716b0c035f38ac08d273b4924951962601fa2209fe381ef61a3a44e8f
SHA1 hash: 333489b969078a267387386bf37f1e01ddac9ec6
MD5 hash: d43290db3880072fbb9ab8a93bddf047
humanhash: uranus-south-winner-charlie
File name:Order-10236587458.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'257'288 bytes
First seen:2021-02-25 10:00:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f90dcec0e8a4aa224157a453075012d8 (6 x RemcosRAT, 1 x Loki, 1 x NetWire)
ssdeep 24576:wnYO6b38bEngZQ4MS9/PBN9Buz15W+FXEy59dA:wnSnSrWXXEy59C
Threatray 100 similar samples on MalwareBazaar
TLSH 2C4538B2E91A8FE1F46B193DF91FD6741815BD6E390C54A66FE43B0A8BAF70138110B1
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: box.knaufinsulation.pw
Sending IP: 104.168.152.82
From: Vivian TAI <order@knaufinsulation.pw>
Subject: Re: Enquire now form submited
Attachment: Order-10236587458.img (contains "Order-10236587458.exe")

RemcosRAT C2:
cwzxas.ddns.net

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order-10236587458.exe
Verdict:
Malicious activity
Analysis date:
2021-02-25 10:02:35 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/859b9b9d-b4eb-4bd7-a7f7-fc9894cd3ef0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119160/
Detection(s):
SecuriteInfo.com..32309.28632.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Deleting a recently created file
Launching a process
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/618510
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 358256 Sample: Order-10236587458.exe Startdate: 25/02/2021 Architecture: WINDOWS Score: 100 28 cwzxas.ddns.net 2->28 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 11 other signatures 2->46 7 Xeuffest.exe 2->7         started        10 Order-10236587458.exe 1 20 2->10         started        14 Xeuffest.exe 2->14         started        signatures3 process4 dnsIp5 48 Multi AV Scanner detection for dropped file 7->48 50 Contains functionality to inject threads in other processes 7->50 52 Writes to foreign memory regions 7->52 16 ieinstal.exe 7->16         started        34 1drv.ws 168.235.93.122, 443, 49713 RAMNODEUS United States 10->34 36 hpfjhw.dm.files.1drv.com 10->36 38 dm-files.fe.1drv.com 10->38 26 C:\Users\Public\Libraries\Xeuffest.exe, PE32 10->26 dropped 54 Creates a thread in another existing process (thread injection) 10->54 56 Injects a PE file into a foreign processes 10->56 18 ieinstal.exe 2 3 10->18         started        58 Allocates memory in foreign processes 14->58 22 ieinstal.exe 14->22         started        file6 signatures7 process8 dnsIp9 30 cwzxas.ddns.net 104.168.219.213, 49718, 49719, 49723 HOSTWINDSUS United States 18->30 32 192.168.2.1 unknown unknown 18->32 24 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 18->24 dropped file10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0499edd68518a172935fb984e9d97c72c50a00d5aff2cc7d5528cd38da42695c/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 02:51:46 UTC
AV detection:
20 of 47 (42.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=asm63vufdcqxfe27xgcotwl4olcquagvv7zmy7kvfdgtrwscnfoa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2a344d464465069aa8739a45ecba1b6de4ef4ba4cc2b8128af5a54112c507058
RemcosRAT
49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219
RemcosRAT
71f60a985d2cc9fc47c6845a88eea4da19303a96a2ff69daae70276f70dcdae0
RemcosRAT
7368fa4790b1b3863155f8af30305a3195c0c6bd146673d263e3760aeec31d7f
RemcosRAT
b6e24ae319f72f87dbf9d5e6fc2394737b938f7eb391a39c5043114458f31733
RemcosRAT
c3d5cfa19bb7af77abe161135bd85506171d67dca3f86fa6a68340d05e203f64
RemcosRAT
c400fa0429a3b241dd2757ce322082c15786c3bb18eb71fe2ef3a1eb60c7e0d8
RemcosRAT
cbf5b54d5d1c70086efefea16f38b80a329cb96bb5a59e709b0ab2304acb157c
RemcosRAT
e418958dc7d42216f8f151aef40df718df0a6a20d7d70c9954f7bd82953707a7
RemcosRAT
f436b8e7b214f3f56d0c62326e37653f87184760b406ab4f6eae79a5c34297b1
RemcosRAT
+ 90 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210225-y8t81pm982/
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
cwzxas.ddns.net:8654
Unpacked files
SH256 hash:
706d20d3ed5a944ad7351b2b1e6510db719e150baf045713dfba5494879cd959
MD5 hash:
5e793005579e35e29886ecd8c19b78bb
SHA1 hash:
688b72e225d35b6a0caf21ccbac0fd580374d2d8
Link:
https://www.unpac.me/results/d5bea025-5ca9-48dc-95fc-f14661176794/
SH256 hash:
6d7be8b3c12f70e59c4a7e1a570fa8eac149b00e15114a022cbef60c50f94a87
MD5 hash:
bdc6fe25cf3f464b245743ce75d34458
SHA1 hash:
5cafeb1b904dbd72ed65e2005e1fe3439e866f92
Link:
https://www.unpac.me/results/d5bea025-5ca9-48dc-95fc-f14661176794/
SH256 hash:
0499edd68518a172935fb984e9d97c72c50a00d5aff2cc7d5528cd38da42695c
MD5 hash:
d43290db3880072fbb9ab8a93bddf047
SHA1 hash:
333489b969078a267387386bf37f1e01ddac9ec6
Link:
https://www.unpac.me/results/d5bea025-5ca9-48dc-95fc-f14661176794/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img 9a30782cc216f17ef481c44c9d1e83be8aafeed4134a343b37efb2aa06cc99e0

RemcosRAT

Executable exe 0499edd68518a172935fb984e9d97c72c50a00d5aff2cc7d5528cd38da42695c

(this sample)

  
Dropped by
MD5 d7f6252c25900e862328e342a0f58485
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9a30782cc216f17ef481c44c9d1e83be8aafeed4134a343b37efb2aa06cc99e0
Cape
Cape
https://www.capesandbox.com/analysis/119160/

Comments