MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fac83472e461604cdb195068ca091af7c56d39c73794fa41394206e1ede2894. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fac83472e461604cdb195068ca091af7c56d39c73794fa41394206e1ede2894
SHA3-384 hash: 9f1e8fc91a20427a212257646c514b261bbdae2677dbf0f74a32068e15d64a987e9bf7431d31e36c0a72dfe8d28a4eaa
SHA1 hash: 78c7ec8a51960f2f6fa7b1941aa24dca0a11f845
MD5 hash: 231442cee42f591f495edf68551d5e26
humanhash: butter-yellow-mars-quebec
File name:Ordine_PEKOR_1020.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:864'256 bytes
First seen:2020-10-20 08:04:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d99d2b7dc0b1c0b642d9d88933e0dd9 (8 x ModiLoader, 1 x RemcosRAT)
ssdeep 12288:Gg6qVpf8BGuCG43fxR8bUQFqSjRJsK/AlQ4fMCGOLou:GgZoBGuX44pbLmlQDpw
Threatray 369 similar samples on MalwareBazaar
TLSH 0205AE63B2928837C07316799D0BAB685D39FE007D24A4473BFC2D4D9F79641787A2A3
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: "pekor@t.mk" <pekor@t.mk>
Subject: Nuovo ordine ottobre
Attachment: Ordine_PEKOR_1020.rar (contains "Ordine_PEKOR_1020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73295/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Connecting to a non-recommended domain
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497221
Signature
Allocates memory in foreign processes
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Remcos
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300776 Sample: Ordine_PEKOR_1020.exe Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 48 Multi AV Scanner detection for domain / URL 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Detected Remcos RAT 2->52 54 2 other signatures 2->54 7 Ordine_PEKOR_1020.exe 1 15 2->7         started        12 Ttyjdrv.exe 13 2->12         started        14 Ttyjdrv.exe 13 2->14         started        process3 dnsIp4 40 discord.com 162.159.128.233, 443, 49746, 49751 CLOUDFLARENETUS United States 7->40 42 cdn.discordapp.com 162.159.133.233, 443, 49747, 49752 CLOUDFLARENETUS United States 7->42 36 C:\Users\user\AppData\Local\...\Ttyjdrv.exe, PE32 7->36 dropped 58 Writes to foreign memory regions 7->58 60 Allocates memory in foreign processes 7->60 62 Injects a PE file into a foreign processes 7->62 16 ieinstal.exe 2 3 7->16         started        44 162.159.135.232, 443, 49759 CLOUDFLARENETUS United States 12->44 21 ieinstal.exe 12->21         started        46 192.168.2.1 unknown unknown 14->46 23 ieinstal.exe 14->23         started        file5 signatures6 process7 dnsIp8 38 rromaniitalfoodsinc.zapto.org 194.127.179.245, 49750, 49761, 49764 CLOUVIDERClouvider-GlobalASNGB unknown 16->38 34 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 16->34 dropped 56 Injects a PE file into a foreign processes 16->56 25 ieinstal.exe 16->25         started        28 ieinstal.exe 1 16->28         started        30 ieinstal.exe 16->30         started        32 6 other processes 16->32 file9 signatures10 process11 signatures12 64 Tries to steal Instant Messenger accounts or passwords 25->64 66 Tries to steal Mail credentials (via file access) 25->66 68 Tries to harvest and steal browser information (history, passwords, etc) 32->68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0fac83472e461604cdb195068ca091af7c56d39c73794fa41394206e1ede2894/
Threat name:
Win32.Trojan.Rescoms
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 08:06:14 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b6wigrzoiylajtnrsudizierv56fnu44on4u7jatsqqg4hw6fcka._file
Verdict:
suspicious
Similar samples:
095c0ec3aaf403883d840db77147a330a4cbe0781d26ca4825a69a1798fdef1c
RemcosRAT
0d233d14dd5333614b0521a887e1917ab36649531c8aaaf96a3660e72ac8c463
RemcosRAT
33e6263b0e9dbd16c509e5701a60e4615feda4713fad24c75f51c94e5e53f5cb
RemcosRAT
4284003dc87d3f8afa499b3edac620589dba8b1ac5d9a38d943dd0b381a473c5
RemcosRAT
6b821b358a92094bf1218d5a455e7205efeda83a4b4247d010a86b77e284ee75
RemcosRAT
6ce29350390228c4f8cf474b079fc0e786b364cf5c0c8994b7ad1137c185be3b
RemcosRAT
99a8e371d2d05838012be53f7e86a675acdc9be4770eb4372779a85a574c2f1a
RemcosRAT
cb8095a08ad64a6811cfb011db6f7bc97f21e459ca65382251bec95cfd1d9529
RemcosRAT
e7def582e6c764fb35cad598da8b83da969897d37241402df8c8bac2b870432f
RemcosRAT
fb28260466e3ce4029f48c81b60a1ef83e755e772672a28cea1f00f51984c808
RemcosRAT
+ 359 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201020-vkbg1tvbq6/
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
0fac83472e461604cdb195068ca091af7c56d39c73794fa41394206e1ede2894
MD5 hash:
231442cee42f591f495edf68551d5e26
SHA1 hash:
78c7ec8a51960f2f6fa7b1941aa24dca0a11f845
Link:
https://www.unpac.me/results/ff3d458a-700f-499d-8444-9dabed826105/
SH256 hash:
09d882b9f2ee1b1c4e741148bff6022ad2dc954336f4a0068e74ac44b8c0da90
MD5 hash:
2d396f6b17ced0f5bbe35732b059f39a
SHA1 hash:
f99451819cad0af6dc99df27d3c59ac47c50a2ec
Link:
https://www.unpac.me/results/ff3d458a-700f-499d-8444-9dabed826105/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0fac83472e461604cdb195068ca091af7c56d39c73794fa41394206e1ede2894

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:MALWARE_Win_DLAgent03
Create hunting rule
Author:ditekSHen
Description:Detects known Delphi downloader agent downloading second stage payload, notably from discord

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 7633a968b48b13b4ca41bc4de1ba3054843f051f58ea3af875979e8306c0068f

RemcosRAT

Executable exe 0fac83472e461604cdb195068ca091af7c56d39c73794fa41394206e1ede2894

(this sample)

  
Dropped by
MD5 7d21a3a91cdce43998d8ac0845490f34
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73295/
  
Dropped by
SHA256 7633a968b48b13b4ca41bc4de1ba3054843f051f58ea3af875979e8306c0068f

Comments