MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10651ea0a48a7ef20842899c2dbd0f97199d342f0c6e4a70d6c66d8d6d320047. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10651ea0a48a7ef20842899c2dbd0f97199d342f0c6e4a70d6c66d8d6d320047
SHA3-384 hash: 69a32f4c87f3ad968483d141229281fcdd5922f9f7c6296f5ffce75e15a34b9cfc0058a6770757ff2b3681271ccd7ba7
SHA1 hash: 66580337430d93bdb2c32b9f4252f5350673faa5
MD5 hash: c0b3f68ec970a6cb0c83c050ed06c072
humanhash: jersey-grey-sink-uranus
File name:Order1.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:473'600 bytes
First seen:2021-01-14 20:23:52 UTC
Last seen:2021-01-14 21:35:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e59a3cbb982a626b3c0c185f63cadc13 (1 x RemcosRAT)
ssdeep 12288:PTwoa8YEp7/HaJhiy4DKBUx5grFvCkGaRQ:PTwCp7ki7gUXgp59RQ
Threatray 1'384 similar samples on MalwareBazaar
TLSH 1EA409DE12F2106BD12945B0A959EFE01561ECB87B51C627BE80FCCFAE713E154622F2
Reporter abuse_ch
Tags:exe Hostwinds RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hwsrv-824517.hostwindsdns.com
Sending IP: 23.238.43.35
From: imports@welfare.top
Subject: Request For Quotation And Price Listing
Attachment: order.img (contains "Order1.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order1.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 21:15:49 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/927d81cc-a526-45f9-8ad7-db794a06b869

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112110/
Detection(s):
SecuriteInfo.com.Variant.Strictor.105210.20466.14260.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/581843
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Sigma detected: Suspicious Svchost Process
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339962 Sample: Order1.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 100 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for dropped file 2->71 73 Antivirus / Scanner detection for submitted sample 2->73 75 8 other signatures 2->75 11 Order1.exe 3 2->11         started        15 cos.exe 1 3 2->15         started        process3 file4 49 C:\Users\user\AppData\Local\...\files.exe, PE32 11->49 dropped 77 Contains functionalty to change the wallpaper 11->77 79 Contains functionality to steal Chrome passwords or cookies 11->79 81 Contains functionality to capture and log keystrokes 11->81 83 3 other signatures 11->83 17 Order1.exe 2 11->17         started        19 conhost.exe 11->19         started        21 conhost.exe 15->21         started        signatures5 process6 process7 23 Order1.exe 4 7 17->23         started        file8 45 C:\Users\user\AppData\Roaming\cos\cos.exe, PE32 23->45 dropped 47 C:\Users\user\...\cos.exe:Zone.Identifier, ASCII 23->47 dropped 26 wscript.exe 1 23->26         started        process9 process10 28 cmd.exe 1 26->28         started        process11 30 cos.exe 5 296 28->30         started        35 conhost.exe 28->35         started        dnsIp12 59 185.140.53.136, 1818, 49720, 49726 DAVID_CRAIGGG Sweden 30->59 51 C:\Users\user\AppData\Roaming\...\logs.dat, data 30->51 dropped 53 C:\Users\user\...\time_20210115_224119.dat, data 30->53 dropped 55 C:\Users\user\...\time_20210115_223049.dat, data 30->55 dropped 57 142 other malicious files 30->57 dropped 61 Antivirus detection for dropped file 30->61 63 Contains functionalty to change the wallpaper 30->63 65 Machine Learning detection for dropped file 30->65 67 7 other signatures 30->67 37 svchost.exe 1 30->37         started        39 svchost.exe 30->39         started        41 svchost.exe 1 30->41         started        43 6 other processes 30->43 file13 signatures14 process15
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/10651ea0a48a7ef20842899c2dbd0f97199d342f0c6e4a70d6c66d8d6d320047/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 20:24:07 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbsr5iferj7pecccrgoc3pips4mz2nbpbrxeu4gwyzwy23jsabdq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
00b65900131d5d5cac9d48c65ff2e53677418d7c50f0c09480af43e80845bef3
RemcosRAT
1a6757ed0fa8dfc6a0ecc4dcfecc7dacb2b4ff435c15eefeb9edde8b913e1811
RemcosRAT
20cc3f25b59d83cbfd3f6908726114e8b0442907fabfc58da5f1eee4ae2ece81
RemcosRAT
4c73230621e55c51c6e4a32e354dca5e8fd3aaaa2df450b73991e6e21257a742
RemcosRAT
5fdecb2c511ec2b584766991bc2126ae802ed2618a80a227046df5379f12e745
RemcosRAT
816f26e5b5de1be644fff419718bc3e1b8410a4a9a9f405d8db814e7758608d9
RemcosRAT
aea8b826c919840c0757bde7e31b915fda0439bd28b10418479aa17c53f91e12
RemcosRAT
b67361c9d7c2bcbe7e94b698f4d5abd1e6ffd96429d2c66dcfd92a573303e4f0
RemcosRAT
bfe8692e2e6e89e7d77482f315a22b3679e511e50eab20ba852cabc06dc4e5fa
RemcosRAT
fe719ecb5f04ed964bd5fdecc2085bdb1518358c65d12462fcddb66a6015740d
RemcosRAT
+ 1'374 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210114-t1lre5h8dn/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Adds Run key to start application
Unpacked files
SH256 hash:
10651ea0a48a7ef20842899c2dbd0f97199d342f0c6e4a70d6c66d8d6d320047
MD5 hash:
c0b3f68ec970a6cb0c83c050ed06c072
SHA1 hash:
66580337430d93bdb2c32b9f4252f5350673faa5
Link:
https://www.unpac.me/results/b44dad32-dc83-4bbc-92cd-6170b93397fe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/10651ea0a48a7ef20842899c2dbd0f97199d342f0c6e4a70d6c66d8d6d320047

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img 6f18114ca53a1b255d747ab2c51901a92e09e2b76ee784a0e540dca023c559b4

RemcosRAT

Executable exe 10651ea0a48a7ef20842899c2dbd0f97199d342f0c6e4a70d6c66d8d6d320047

(this sample)

  
Dropped by
MD5 54c18fc67a8e68d9dca82558e36e801f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112110/
  
Dropped by
SHA256 6f18114ca53a1b255d747ab2c51901a92e09e2b76ee784a0e540dca023c559b4

Comments