MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0755d371e5549b67564d6dfa29600f76226a3dae42acaa8a6d0a82402e57bf86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0755d371e5549b67564d6dfa29600f76226a3dae42acaa8a6d0a82402e57bf86
SHA3-384 hash: dcb24e59098004c450b6e1adb672c1b80d25edf5f6b6620e49c0095447ed8ba47331728be4700325da4e1f61bf5ea67e
SHA1 hash: fb1485d47fc43f88be7acdab8cad4015d3bab129
MD5 hash: 01b0998d34d0cce5c7281415ff91ff85
humanhash: rugby-romeo-beryllium-uncle
File name:PO_Technical Spec_17.8.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:792'809 bytes
First seen:2020-08-17 17:52:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 925501b726051625fb692aeb5906e244 (7 x ModiLoader, 2 x RemcosRAT, 1 x NetWire)
ssdeep 12288:vgAk0EFhcIK4FpC8FkjqwXRZtyjHqTt4ONWe744bmhiSEAlUgBGj:4MCc4FpC8Fkjb0jOtrXF0rE
Threatray 919 similar samples on MalwareBazaar
TLSH B1F49EE2E2908437C1332A77DD1B9E9968267F513E28DC466BE41D4C4F3A7D1383A197
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: poydorus.t.mk
Sending IP: 195.26.152.36
From: Andrei Stroie <dispomk@bomi10.com.mk>
Subject: Request offer for 2 pcs machines/trucks
Attachment: PO_Technical Spec_17.8.rar (contains "PO_Technical Spec_17.8.exe")

RemcosRAT C2:
rromaniitalfoodsinc.zapto.org:7762 (115.134.100.130)

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47234/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Setting a single autorun event
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/434414
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Yara detected Keylogger Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0755d371e5549b67564d6dfa29600f76226a3dae42acaa8a6d0a82402e57bf86/
Threat name:
Win32.Trojan.DelfInject
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 17:54:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a5k5g4pfksnwovsnnx5csyapoyrgupnoikwkvctnbkbealsxx6da._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87
RemcosRAT
4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d
RemcosRAT
53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e
RemcosRAT
7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2
RemcosRAT
83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4
RemcosRAT
9930543939f97818319ed031530d9e084994331aa4b06a304faeb321bbcc63db
RemcosRAT
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
RemcosRAT
c232e05f633d3e2bd0a1486a955d7f72eb9155408a635666306d922b333809b2
RemcosRAT
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
RemcosRAT
eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2
RemcosRAT
+ 909 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence rat family:remcos
Link:
https://tria.ge/reports/200817-d8nqt3d5m2/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Remcos
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0755d371e5549b67564d6dfa29600f76226a3dae42acaa8a6d0a82402e57bf86

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_dbatloader_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Description:targets loader
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 46088f79e9eae56cdf3ca31ffcdaf70503c2cda55bb6e53d225fee76b6611c49

RemcosRAT

Executable exe 0755d371e5549b67564d6dfa29600f76226a3dae42acaa8a6d0a82402e57bf86

(this sample)

  
Dropped by
MD5 5284fb846132d541a879081393110ecd
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47234/
  
Dropped by
SHA256 46088f79e9eae56cdf3ca31ffcdaf70503c2cda55bb6e53d225fee76b6611c49

Comments