MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 059ac87b5d6736721984e912bc0dcca50506fba170787b6aedb85e94b9683642. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 059ac87b5d6736721984e912bc0dcca50506fba170787b6aedb85e94b9683642
SHA3-384 hash: d7dd00cf06ee97aa3128bcd07cc4419400646444af6d2ed5f9a3f953edc105a154191d6533effba7f4c5e57fe7d4788a
SHA1 hash: 65fae97ec1480deb5421bc967e316ce10977c9db
MD5 hash: d91456035c9e48c7b8da1ebcd4d6cdbc
humanhash: gee-sad-equal-edward
File name:Request ## HMI 8130-3##.pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'037'824 bytes
First seen:2021-01-11 08:18:24 UTC
Last seen:2021-01-11 09:29:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:H/WwGkvYx3mB76BgZK3uBo/3uW0lGhY3C:41tmd6peBYhY
Threatray 1'329 similar samples on MalwareBazaar
TLSH 4F25DF4E13141A6FE538377180AE6B5003E062FD7A63D77ABDA1B087F952BC541B393A
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: WIN-BKIQ3LS7OGB
Sending IP: 185.222.57.214
From: Ashwin Sakpal <a.peramountinternational@gmail.com>
Subject: URGENT RQF HMI 8130-3 victim-domain
Attachment: Request HMI 8130-3.pdf.7z (contains "Request ## HMI 8130-3##.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request ## HMI 8130-3##.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-11 08:29:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/efe31a49-ac97-44b6-9f91-452c39fcdb99

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111237/
Detection(s):
SecuriteInfo.com.ArtemisD91456035C9E.32739.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577713
Signature
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337910 Sample: Request ## HMI 8130-3##.pdf.exe Startdate: 11/01/2021 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 10 other signatures 2->55 9 Request ## HMI 8130-3##.pdf.exe 7 2->9         started        13 windows update.exe 1 2->13         started        15 windows update.exe 1 2->15         started        process3 file4 39 C:\Users\user\AppData\Roaming\fxVYDCoPb.exe, PE32 9->39 dropped 41 C:\Users\...\fxVYDCoPb.exe:Zone.Identifier, ASCII 9->41 dropped 43 C:\Users\user\AppData\Local\...\tmp4401.tmp, XML 9->43 dropped 45 C:\...\Request ## HMI 8130-3##.pdf.exe.log, ASCII 9->45 dropped 57 Writes to foreign memory regions 9->57 59 Sample uses process hollowing technique 9->59 61 Injects a PE file into a foreign processes 9->61 17 vbc.exe 4 4 9->17         started        20 schtasks.exe 1 9->20         started        22 conhost.exe 13->22         started        24 conhost.exe 15->24         started        signatures5 process6 file7 37 C:\Users\user\AppData\...\windows update.exe, PE32 17->37 dropped 26 wscript.exe 1 17->26         started        29 conhost.exe 20->29         started        process8 dnsIp9 47 192.168.2.1 unknown unknown 26->47 31 cmd.exe 1 26->31         started        process10 process11 33 windows update.exe 1 31->33         started        35 conhost.exe 31->35         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/059ac87b5d6736721984e912bc0dcca50506fba170787b6aedb85e94b9683642/
Threat name:
Win32.Backdoor.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-11 03:06:19 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=awnmq625m43hegme5ejlydomuucqn65bob4hw2xnxbpjjoligzba._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
11b16ba733f2f4f10ac58021eecaf5668551a73e2a1acfae99745c50bfccbb44
RemcosRAT
21691425c52cf7a77c0e3a65cc1c0c59cb026d5b76e78160ebb8a553f9bbe50c
RemcosRAT
4791861118e0be776fd14153e2feca7d25f5a91a6c32a997385f5ae272e3d7c8
RemcosRAT
4a94b062dbb9df940520146d100df5b019795d0f508d7ba89d24eb18725e1608
RemcosRAT
5b10f4a23880b51923a0df3e9e3c37f40eb0d3cc93de7b463da62f936a501385
RemcosRAT
61d9f4cbc76b7889d7d17d262b63c0fd2ee40642653063b1eb6ab84397f8c57b
RemcosRAT
82027bdaf86e2d0da1c45ede5efd820a1cbaace1b1b8f7675b8115d82db75f26
RemcosRAT
9930543939f97818319ed031530d9e084994331aa4b06a304faeb321bbcc63db
RemcosRAT
d34e588c8bef9cef39708c52f7f372bcd4b5fc39e4eaf0b9193aa586a10d7cc2
RemcosRAT
e26c95b32b64e3f7b5d72d52be2fd7cb52c7a2c1df25f5337a783a1735f806ad
RemcosRAT
+ 1'319 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210111-wdfz8bf44e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
richiealvin2021.duckdns.org:1989
Unpacked files
SH256 hash:
059ac87b5d6736721984e912bc0dcca50506fba170787b6aedb85e94b9683642
MD5 hash:
d91456035c9e48c7b8da1ebcd4d6cdbc
SHA1 hash:
65fae97ec1480deb5421bc967e316ce10977c9db
Link:
https://www.unpac.me/results/5d24d31c-cdd0-4920-9b26-cf48552b0a1c/
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/5d24d31c-cdd0-4920-9b26-cf48552b0a1c/
SH256 hash:
98fb118f78617c9e7671cc323c90ff5fc985baf94f1af3ed783155d77ca0afc4
MD5 hash:
42cd872cb82c30286a63ca95f0f35180
SHA1 hash:
a0dd5dc62f4640a7b8a30ca28f6c628e9c1ca1d2
Link:
https://www.unpac.me/results/5d24d31c-cdd0-4920-9b26-cf48552b0a1c/
SH256 hash:
41625a28a40a8485332daef7ab7ce01373e1763965cc7aef5d780ae216238f68
MD5 hash:
1ea212867074a766fc97d102a8cbb9f8
SHA1 hash:
52950416b01f8623e9802933abc4176103f945f0
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/5d24d31c-cdd0-4920-9b26-cf48552b0a1c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/059ac87b5d6736721984e912bc0dcca50506fba170787b6aedb85e94b9683642

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

7z c0274d3c1013ed27161dfac219fe6d044c94aa4f1267d8126866bb66f5a5e8b4

RemcosRAT

Executable exe 059ac87b5d6736721984e912bc0dcca50506fba170787b6aedb85e94b9683642

(this sample)

  
Dropped by
MD5 a55c6e6ccccc2918a81dd4cd2cef6851
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c0274d3c1013ed27161dfac219fe6d044c94aa4f1267d8126866bb66f5a5e8b4
Cape
Cape
https://www.capesandbox.com/analysis/111237/

Comments