MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bfae38c37f8478cfd4c92f603b202f8f4bff11f96fdce5959eeaad5142d9a3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bfae38c37f8478cfd4c92f603b202f8f4bff11f96fdce5959eeaad5142d9a3a
SHA3-384 hash: 09469443e1b11f8435a752fab39ab670d7a66725e0d4e5577d1cf44fe3081f391c8df3031f8c855aeefaf997c81a0f9d
SHA1 hash: d62998531aea7d6acb9d0add1f168739e2e9eab1
MD5 hash: 217179aac1ed3994614e7c8666d2f82b
humanhash: nevada-north-happy-fruit
File name:POEA DELISTED AGENCIES (BATCH A).PDF.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:527'872 bytes
First seen:2021-02-18 07:39:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:5eEDvEqy+FiY1i4Ba7JNQl/SzUQ/lQ1RBiFsC0Jh26M:1D6aiY19Ba97/lm6Ah26M
Threatray 34 similar samples on MalwareBazaar
TLSH DEB4F13972741DA3CFB994FAA109915A2F34C2D438BEF3E19E86A1E970C7B404463937
Reporter abuse_ch
Tags:exe geo PHL POEA RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: sd.latticesystems.com
Sending IP: 204.152.206.90
From: Philippine Overseas Employment Administration <info1@poea.gov.ph>
Subject: POEA ADVISORY NO 450 2021
Attachment: POEA DELISTED AGENCIES BATCH A.uue (contains "POEA DELISTED AGENCIES (BATCH A).PDF.exe")

RemcosRAT C2:
shahzad73.casacam.net:2404

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117689/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/611186
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0bfae38c37f8478cfd4c92f603b202f8f4bff11f96fdce5959eeaad5142d9a3a/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-02-18 07:40:16 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bp5ohdbx7bdyz7kmsl3ahmqc7d2l74i7s3644wkz52vnkfbnti5a._file
Verdict:
malicious
Similar samples:
47d7d58ecc205502ab85b2f74d462e55b5d1e676d71d94a2a553df482350190b
RemcosRAT
503cec3d1e7545f610736aa3ee4473b3e0f28ee2bd80b682e8d8f687c2410008
RemcosRAT
786be13603b06cce80fac1349c514e29ecd2664a51f045bc5446d2f9647087ec
RemcosRAT
8d339c015c4ffe14cd28f423625d45313081c61585ced94f822c7759a7226086
RemcosRAT
91236da59c95dd764f85a84297238f215ef0cd3d0fbc37f2a2f15d2f302e2dfd
RemcosRAT
976abbb8f188572f8f2dc301739f6edf94fae0ce2ae30d633f82df36ea79a42d
RemcosRAT
b2fcca31796bd8b38cadccf730710c298c702ab07e24b5d90e691ea047395026
RemcosRAT
cff7917b775748ad82f20fede03809e1cf8d186747d82c5bbd5f4bf0a2c6ae32
RemcosRAT
f0996fd1f27a193c71c2384d7a760b3db419a52033707d10f55283c9d2ea147f
RemcosRAT
f18587b09cc9e48c6fcc74391510ba261d04cd3a788201aec2375d97a87f486d
RemcosRAT
+ 24 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210218-snxmklc97e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
shahzad73.casacam.net:2404
shahzad73.ddns.net:2404
Unpacked files
SH256 hash:
260900d7f061400a015ef8100be9d45efd1b51c7a486a85cb989bdd889949d95
MD5 hash:
78421250b4c7d6ec5032618369beb02e
SHA1 hash:
7bb7a5f65e80a8cd5f686024b4c202be78886b6f
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/41404161-2da7-4303-b978-db51177b0b2a/
Parent samples :
0bfae38c37f8478cfd4c92f603b202f8f4bff11f96fdce5959eeaad5142d9a3a
abb4163c6b54005775d4b62e00a5a8fd403c4fa474380935ac4d311058341e51
4a9558166c80c188e48a382edbe91a387a7e3aa877d035420bb0e7b198eccdfe
d8d0fa0edc24a3f45c735569b2ff8b407f69b3c309775e33b08c08c295177b42
58da120970be7bbf194aa12c38b56f7542174f1672b103d695cc262c6d90f18a
SH256 hash:
32ff28d713585e03f32f5b2d0f500d3a42d102a32c90076573494d5fd57bd536
MD5 hash:
19cd1a829bf924347f52bc951baa6bd5
SHA1 hash:
18ee44c13fd676da4ca17e020eb3c464889c1843
Link:
https://www.unpac.me/results/41404161-2da7-4303-b978-db51177b0b2a/
SH256 hash:
f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671
MD5 hash:
f984a71581f6da5732110be2a569a392
SHA1 hash:
10de05b6b35fc5dbc00c42d59a4b850bcaae01e6
Link:
https://www.unpac.me/results/41404161-2da7-4303-b978-db51177b0b2a/
SH256 hash:
0bfae38c37f8478cfd4c92f603b202f8f4bff11f96fdce5959eeaad5142d9a3a
MD5 hash:
217179aac1ed3994614e7c8666d2f82b
SHA1 hash:
d62998531aea7d6acb9d0add1f168739e2e9eab1
Link:
https://www.unpac.me/results/41404161-2da7-4303-b978-db51177b0b2a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0bfae38c37f8478cfd4c92f603b202f8f4bff11f96fdce5959eeaad5142d9a3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

uue 8324f90d2d4e187f2ed442a89f22d1fd4ef93dc48e8b0fa2850451676e430975

RemcosRAT

Executable exe 0bfae38c37f8478cfd4c92f603b202f8f4bff11f96fdce5959eeaad5142d9a3a

(this sample)

  
Dropped by
MD5 99471551df97faacc726d6d05fb477c3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/117689/
  
Dropped by
SHA256 8324f90d2d4e187f2ed442a89f22d1fd4ef93dc48e8b0fa2850451676e430975

Comments