MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1619a67b0219aac78f1e5e8ac86ec2cf68641ba65a19653fc176916275b6f6ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1619a67b0219aac78f1e5e8ac86ec2cf68641ba65a19653fc176916275b6f6ad
SHA3-384 hash: e89cb0905e782dea48df71bfa760b8f16ea9ea04fa651cc2f6c6acf3cca6514f34e9577ef3a6848405516e98dec07fde
SHA1 hash: aa2a6edb2f26bec4465e9f94ecc6849fb9a2b088
MD5 hash: f6ecf089089d159be0094b2df9450419
humanhash: one-video-oscar-tennis
File name:09009000090.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:248'832 bytes
First seen:2021-01-14 20:09:34 UTC
Last seen:2021-01-14 21:35:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:JdTjGpRvjHH8ootTKA95ISDaJe8qOb9N3+pC1Abt5jsgbfvvKWzQ:TTjGpFviTKI5/DX85JopCGbtRPb/KCQ
Threatray 1'373 similar samples on MalwareBazaar
TLSH F9349D2133944195D5F427712653C8A80737BC0E4927830EB9FA73DE1AB72DEC69AB17
Reporter abuse_ch
Tags:exe geo RAT RemcosRAT TUR


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.58.152
From: ekstre@eekstre.qnbfinansbank.com
Subject: CardFinans KOBİ Visa Aralık ayi ekstreniz.
Attachment: 09009000090..pdf.z (contains "09009000090.exe")

RemcosRAT C2:
72.11.157.241:4445

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
09009000090.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-14 20:53:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fa21bfc8-5e0c-47c8-bdcc-b139b2729837

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112083/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.507.6767.28458.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file
Sending a custom TCP request
Sending a UDP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/581906
Signature
Bypasses PowerShell execution policy
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339993 Sample: 09009000090.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 100 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 5 other signatures 2->66 7 09009000090.exe 4 2->7         started        11 I$s#$lT3ssl.exe 4 2->11         started        process3 file4 50 C:\Users\user\AppData\...\09009000090.exe.log, ASCII 7->50 dropped 68 Writes to foreign memory regions 7->68 70 Injects a PE file into a foreign processes 7->70 13 InstallUtil.exe 1 3 7->13         started        18 powershell.exe 15 7->18         started        20 SecEdit.exe 5 7->20         started        28 2 other processes 7->28 22 SecEdit.exe 11->22         started        24 SecEdit.exe 11->24         started        26 SecEdit.exe 11->26         started        30 2 other processes 11->30 signatures5 process6 dnsIp7 58 72.11.157.241, 4445, 49719 ASN-QUADRANET-GLOBALUS United States 13->58 52 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 13->52 dropped 72 Contains functionality to detect virtual machines (IN, VMware) 13->72 74 Contains functionality to steal Chrome passwords or cookies 13->74 76 Contains functionality to capture and log keystrokes 13->76 82 4 other signatures 13->82 32 conhost.exe 13->32         started        54 C:\Users\user\AppData\...\I$s#$lT3ssl.exe, PE32 18->54 dropped 56 C:\Users\...\I$s#$lT3ssl.exe:Zone.Identifier, ASCII 18->56 dropped 78 Drops PE files to the startup folder 18->78 80 Powershell drops PE file 18->80 34 conhost.exe 18->34         started        36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        46 conhost.exe 28->46         started        48 conhost.exe 30->48         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1619a67b0219aac78f1e5e8ac86ec2cf68641ba65a19653fc176916275b6f6ad/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 20:10:21 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cym2m6ycdgvmpdy6l2fmq3wcz5ugig5glimwkp6bo2iwe5nw62wq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
04e18fc32464a616b096a50a3ed43b646ece444e693b238a29d6f6de6ee45833
RemcosRAT
061683dae15dd995c0a0669b0fd23f0e60973901f98ab58f11d0cd783b700b4b
RemcosRAT
210560d23e3c023c90bd24ed0d76c68732dc267277fc6adcc3c991cb611bb06a
RemcosRAT
292fdda313c6d03852ecd9487653eb15bdf8cf6412e814365c2f176a1104cbc3
RemcosRAT
5df5e69f38e5fc641a089f213a2791aa1a9d9df801093a6dbd3bfb680c38884c
RemcosRAT
8abb3951282558d959930da03e83bfefd2274bbc6e844b42ae5abc0d453006a7
RemcosRAT
abd4e6ee8152822c0545bd27a4f4c5114728873873e227044dfb48ecf1ecb37f
RemcosRAT
b55bd6825fe91af7f39a6db95cc72d531fae8edf94266dfcbf82d44fcf1e67c7
RemcosRAT
c85e13a5030bcd0c8173ef7ff6939690fe9638fa25d3c89cbf1e1e95a89db997
RemcosRAT
deaeae58f25c2af5579c5bd2dc276dcc346a6f022d359fc1e4d9e09ac2c1107f
RemcosRAT
+ 1'363 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210114-jsknbmz7tn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Drops startup file
Remcos
Malware Config
C2 Extraction:
72.11.157.241:4445
Unpacked files
SH256 hash:
19cbe3b0e35b69af0934e13cbd98613d524e4ba16816e01ede39d55ea46becf7
MD5 hash:
676218fb77049315a99f24c4133711ef
SHA1 hash:
edc91270d6f9b16e509fa2c47c339bd86330875e
Link:
https://www.unpac.me/results/062eaece-6835-434e-9827-fab6c216b399/
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/062eaece-6835-434e-9827-fab6c216b399/
SH256 hash:
efdfa2a0271aecf3c3564c7ac02cde54a13b82ccb865660551b833b3cd5717e3
MD5 hash:
6229e72009769bdb5148ef5323d410d5
SHA1 hash:
ca4014df56bc8c2de55cc864c1b994c4c835f2ec
Link:
https://www.unpac.me/results/062eaece-6835-434e-9827-fab6c216b399/
SH256 hash:
1619a67b0219aac78f1e5e8ac86ec2cf68641ba65a19653fc176916275b6f6ad
MD5 hash:
f6ecf089089d159be0094b2df9450419
SHA1 hash:
aa2a6edb2f26bec4465e9f94ecc6849fb9a2b088
Link:
https://www.unpac.me/results/062eaece-6835-434e-9827-fab6c216b399/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1619a67b0219aac78f1e5e8ac86ec2cf68641ba65a19653fc176916275b6f6ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 006f4b8cfdf16471b8c4f07c010d2ce2ed61c332f9ea2ab09035ef2a1e029a17

RemcosRAT

Executable exe 1619a67b0219aac78f1e5e8ac86ec2cf68641ba65a19653fc176916275b6f6ad

(this sample)

  
Dropped by
MD5 655e3886a2376a4f6472443f34ad8946
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 006f4b8cfdf16471b8c4f07c010d2ce2ed61c332f9ea2ab09035ef2a1e029a17
Cape
Cape
https://www.capesandbox.com/analysis/112083/

Comments