MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18beca395ea8cfba85e8fb26a3adc366bf7c047088c2fe16b4ed587cecd6e57f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	18beca395ea8cfba85e8fb26a3adc366bf7c047088c2fe16b4ed587cecd6e57f
SHA3-384 hash:	7e3d7a1196d674abab68413fb2fad6e53e6c5cc804faa2a56dfc4cb684eef24439aa1d6419c8bda2b66d8a27503943a8
SHA1 hash:	d66f2c3af67121075ceffff26a47cf021a7dc251
MD5 hash:	3d8937ed63f1ea820068909d727ba58c
humanhash:	summer-bulldog-beryllium-texas
File name:	PO FH8765446878-17-10-2020,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	738'304 bytes
First seen:	2020-10-17 12:07:35 UTC
Last seen:	2020-10-17 13:04:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:yPwbeOvd/SPDAu2KFl0K3luXshfjC1k+KiPPUl/YASM:MYeWSPD2KFlX4881kwPM
Threatray	887 similar samples on MalwareBazaar
TLSH	08F48C51A6889F58E4BE43339435C83053FAFC569631C52E2DEA3DDF39B2F94A620712
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: ns1.uzbektourism.uz
Sending IP: 185.8.212.70
From: Paul <cpaul@aplmachinery.com>
Subject: Re: Order PO FH8765446878-17-10-2020
Attachment: PO FH8765446878-17-10-2020,pdf.iso (contains "PO FH8765446878-17-10-2020,pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/72546/

Detection(s):

SecuriteInfo.com.Artemis3D8937ED63F1.26291.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Creating a process with a hidden window

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/494441

Signature

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/18beca395ea8cfba85e8fb26a3adc366bf7c047088c2fe16b4ed587cecd6e57f/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2020-10-17 10:57:38 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dc7muok6vdh3vbpi7mtkhlodm27xybdqrdbp4fvu5vmhz3gw4v7q._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87

RemcosRAT

4ca67f02ee334674afe88b3a4329449ecbfb8d9f83ceccc9198c5edecdafa96b

RemcosRAT

71d7c76b658053e46f6dff1e25fc4ed32bdbe2afd879ce510ce79d327c34bc31

RemcosRAT

736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f

RemcosRAT

76d694e6cd2c80db5b3e4a46497548a424e0f1babf5c36402cc48060ebe5ced0

RemcosRAT

80f45086395417ea3bda68a20d2fc5b0bc5050c000023d82544fd2b5b5a8ce89

RemcosRAT

8698337edbeaff1bcd719babffa69ff876d5ee74349886e5cba349b7cae7e19f

RemcosRAT

be83ef519ed5e3e444b10b4dd8a77515cda4993c6ce69f565405c9c2bd0901bc

RemcosRAT

d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293

RemcosRAT

+ 877 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

rat family:remcos

Link:

https://tria.ge/reports/201017-atydb1g5kj/

Behaviour

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

incidencias6645.ddns.net:8638

Unpacked files

SH256 hash:

18beca395ea8cfba85e8fb26a3adc366bf7c047088c2fe16b4ed587cecd6e57f

MD5 hash:

3d8937ed63f1ea820068909d727ba58c

SHA1 hash:

d66f2c3af67121075ceffff26a47cf021a7dc251

Link:

https://www.unpac.me/results/bee15078-5fa2-459e-b44b-66914c57a7d4/

SH256 hash:

0acc004be67dd16d599a5955b23f05f80d865e5c736f67e48d0bbe788459ddee

MD5 hash:

b69774059a349bb98339565c5ae1f3c7

SHA1 hash:

b68b2e8a1d724d697dd581d13925d90f21a0ee59

Link:

https://www.unpac.me/results/bee15078-5fa2-459e-b44b-66914c57a7d4/

SH256 hash:

bcae4c5ca1ad436f05f6d52fbd3ffb22aeea32492b4dd378bd715869d81622fa

MD5 hash:

c81a2fbd4541f3ede628bcffa0c0d379

SHA1 hash:

ccbe2d29399246fea9c29cd62efda8277749fe58

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/bee15078-5fa2-459e-b44b-66914c57a7d4/

Parent samples :

d18e31c42d64a21777bb04a3b0015d415050a6303ae3d864f129ecb50f0f87bb
736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f
857ad0bf941ee434d96692477bec16c72571ce266091ba4bcc6952f409aff198
0f0f600613b5b1d1e9d80c6229d2ec639d4477d107fa080a5f58d3f61997bceb
18beca395ea8cfba85e8fb26a3adc366bf7c047088c2fe16b4ed587cecd6e57f
7a6f6659840dc30d797d816e1b2bbeb847c36c2e330fe45369b9037a113e8bc6
a0e87c60c05c9b9a184ad81e279fabb2e997ab1d79cba0248548d846ecab8510
94f225b0d4018228ee1c69317cd8f369f3c343378145e41cdf939d4dd30b988d

SH256 hash:

02961c5677b5e3d9f0ed1bbc462b07b3eeb160e9d2f4f1af12849dbaf2467840

MD5 hash:

d2effc23227837eb9ad44dfd0f9c136c

SHA1 hash:

d86ebfc388a0a32103abf1c3c11e1110e96c9a49

Link:

https://www.unpac.me/results/bee15078-5fa2-459e-b44b-66914c57a7d4/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/bee15078-5fa2-459e-b44b-66914c57a7d4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/18beca395ea8cfba85e8fb26a3adc366bf7c047088c2fe16b4ed587cecd6e57f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator