MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 157447fce775d3e303f51839e30994daedd62b93460ef617385ef8027585647d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	157447fce775d3e303f51839e30994daedd62b93460ef617385ef8027585647d
SHA3-384 hash:	81e50008ee911ead1485ab6f44b448256096096ace8b03091db5824489b009d56fe4647e85d3761c8941b78254929978
SHA1 hash:	e119db811180214f71d4c14e0d815019b5f26593
MD5 hash:	72c1bdd4719186248a68e4983dd1956f
humanhash:	leopard-kitten-colorado-lake
File name:	Purchase Order.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	281'600 bytes
First seen:	2020-10-26 14:48:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	3072:9rBiuZ6AMYb4FpwWAxdTZ4jk6p9dSuRxZI/i1ZQJ/uSKm9tIrrmU1ysF6Ql+8ykb:HlzdTZ4rjNxG/i/OfFGr6IZFUnp7
Threatray	1'344 similar samples on MalwareBazaar
TLSH	525402717946897ECA2A0735187B90C0FAB627C23FA4871D719F230C5D16A9FAF63247
Reporter	James_inthe_box
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/79224/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a file

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Deleting a recently created file

Running batch commands

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/512054

Signature

.NET source code contains very large array initializations

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/157447fce775d3e303f51839e30994daedd62b93460ef617385ef8027585647d/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-10-26 11:41:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cv2ep7hhoxj6ga7vda46gcmu3lw5mk4tiyhpmfzyl34ae5mfmr6q._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

308245e3b036eaa8e2b12c92852a64e5feedd6d952789d12da2ea5da9b7acced

RemcosRAT

4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d

RemcosRAT

76ad37d1dc734c1ede800c5cc7e2459dc0a2aea8347b25ea609af6c299da5a78

RemcosRAT

84a066f7294211d47a88b38b0ad9ff2f0e385973c4a3b92b39b2df25e178aca8

RemcosRAT

92f26df2b8881b2971127cc9bd67d17924b895e4124092d49fdc6ebe4d362620

RemcosRAT

abee232f81ca94abbdb0d1c0d236b0ee49b421b32e0a6b8812e278a248b6b46a

RemcosRAT

b8d1d962744d0c6ab3abe293c4671b3ba6524f623f9d6f02361bc60eec7b4cb4

RemcosRAT

c9b3c7ce6446a64df017cf3301ab24a7993b1336befdec8bab77332fe783e4d4

RemcosRAT

f18bf944f9365beda201e63d97f1b93139994d9cef424f855d691cf797c33d0f

RemcosRAT

+ 1'334 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

upx rat family:remcos persistence

Link:

https://tria.ge/reports/201026-aqplzc69da/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

UPX packed file

Remcos

Malware Config

C2 Extraction:

23.105.131.166:2888

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	upx_packed Create hunting rule
Description:	UPX packed file

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/79224/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample