MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ea3dadb30fa6cad3d1f20d0a63497545b04d9e3ba045b7b6b111322ba79ccb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 8



SHA256 hash: 0ea3dadb30fa6cad3d1f20d0a63497545b04d9e3ba045b7b6b111322ba79ccb5
SHA3-384 hash: f3d2d16659cf8d86d2a4c91219c8392ebb2bb875b01bc648e72e899e7db03093c2c54fec186a73681152442f0d7d9c80
SHA1 hash: 0dd4f24f7a0eeb95cd43e513903979a47e046f3d
MD5 hash: e93a3ef44184648112f92751609de32a
humanhash: oregon-march-xray-washington
File name: STATEMENT OF ACCOUNT.exe
Signature: RemcosRAT
File size: 1'311'424 bytes
First seen: 2020-11-28 09:21:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c7f986b767e22dea5696886cb4d7da70 (5 x ModiLoader, 2 x RemcosRAT, 1 x AveMariaRAT)
ssdeep: 24576:FiLDfJXRq+fowpGG7By3Z72mwn8gKmX9hIbEIKn:FiLr5By3Z7N5gKAj
Threatray: 1'495 similar samples on MalwareBazaar
TLSH: 4755D123B1A28435C211A9BD9E1780FD3F75FD62795CB50E7BD0AD0C8E3AA80E9151DB
Reporter: abuse_ch
Tags: exe RemcosRAT


abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.deinflae.com
Sending IP: 45.85.90.138
From: accountspayable@aalco.com
Subject: STATEMENT OF ACCOUNT
Attachment: STATEMENT OF ACCOUNT.IMG (contains "STATEMENT OF ACCOUNT.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 195
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph: ID 324076, Sample: STATEMENT OF ACCOUNT.exe, Startdate: 28/11/2020, Architecture: WINDOWS, Score: 100 (graph image not reproduced)
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-11-28 05:48:00 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:modiloader family:remcos persistence rat trojan
Behaviour
Modifies registry key
Script User-Agent
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ServiceHost packer
ModiLoader, DBatLoader
Remcos
Unpacked files
SHA256 hash: 0ea3dadb30fa6cad3d1f20d0a63497545b04d9e3ba045b7b6b111322ba79ccb5
MD5 hash: e93a3ef44184648112f92751609de32a
SHA1 hash: 0dd4f24f7a0eeb95cd43e513903979a47e046f3d
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 0ea3dadb30fa6cad3d1f20d0a63497545b04d9e3ba045b7b6b111322ba79ccb5

(this sample)

Delivery method
Distributed via e-mail attachment

Comments