MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18e7778ca7011e78b0c8bcf8e4c72d7c7ee26bbe4ea30d4003c799cb5740fa40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18e7778ca7011e78b0c8bcf8e4c72d7c7ee26bbe4ea30d4003c799cb5740fa40
SHA3-384 hash: 822cf70978702ff95deacfe491ab577dec0169a3f6b395e17e6b1302e91cc17ed59cdaa20e4e45132bfe607b564d3e2d
SHA1 hash: 78aa67003ec0e5a9a87dfbaff5387902a58d196c
MD5 hash: 78494e99e7a22f253bf3d4af2eb0c104
humanhash: shade-foxtrot-utah-eight
File name:RFQAP65425652032421 urgentes,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:718'848 bytes
First seen:2021-09-27 13:57:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a7ebf1a69de9b324d0d1f73a7d054a0 (6 x RemcosRAT, 1 x Formbook)
ssdeep 12288:mftAn+lE3hGAJNmUaxoSThjcUmQgMM4PW:4uwEwomU1SFALD
Threatray 482 similar samples on MalwareBazaar
TLSH T13DE45AA6A380A83EF2B2353ECCCB82E4349FBD1175654C8F19B17E4A6599DC1381D2D7
File icon (PE):PE icon
dhash icon c4dcf8c6d6d0c8d4 (21 x RemcosRAT, 3 x Formbook, 1 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
185.140.53.130:6642

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.140.53.130:6642 https://threatfox.abuse.ch/ioc/227067/

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQAP65425652032421 urgentes,pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-27 14:06:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b702e34a-c1d7-4573-b7e9-3b0a9b0115ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192132/
Detection(s):
SecuriteInfo.com.Variant.Zusy.401770.18517.18716.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22d8f819-f5e4-4aab-9319-af6a6e8e8a3a
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859226
Signature
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 491661 Sample: RFQAP65425652032421 urgente... Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 44 manneedmoney.ddns.net 2->44 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Detected Remcos RAT 2->74 76 2 other signatures 2->76 9 Gnrfjjx.exe 15 2->9         started        13 RFQAP65425652032421 urgentes,pdf.exe 1 22 2->13         started        16 Gnrfjjx.exe 15 2->16         started        signatures3 process4 dnsIp5 48 sn-files.fe.1drv.com 9->48 56 2 other IPs or domains 9->56 78 Multi AV Scanner detection for dropped file 9->78 80 Writes to foreign memory regions 9->80 82 Creates a thread in another existing process (thread injection) 9->82 18 logagent.exe 9->18         started        50 sn-files.fe.1drv.com 13->50 58 2 other IPs or domains 13->58 42 C:\Users\Public\Libraries\...behaviorgraphnrfjjx.exe, PE32 13->42 dropped 84 Injects a PE file into a foreign processes 13->84 21 secinit.exe 2 13->21         started        24 cmd.exe 1 13->24         started        26 cmd.exe 1 13->26         started        52 192.168.2.1 unknown unknown 16->52 54 sn-files.fe.1drv.com 16->54 60 2 other IPs or domains 16->60 28 secinit.exe 16->28         started        file6 signatures7 process8 dnsIp9 62 Contains functionality to steal Chrome passwords or cookies 18->62 64 Contains functionality to inject code into remote processes 18->64 66 Contains functionality to steal Firefox passwords or cookies 18->66 46 manneedmoney.ddns.net 185.140.53.130, 49751, 49752, 49755 DAVID_CRAIGGG Sweden 21->46 68 Delayed program exit found 21->68 30 reg.exe 1 24->30         started        32 conhost.exe 24->32         started        34 cmd.exe 1 26->34         started        36 conhost.exe 26->36         started        signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18e7778ca7011e78b0c8bcf8e4c72d7c7ee26bbe4ea30d4003c799cb5740fa40/
Threat name:
Win32.Downloader.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 00:13:22 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ddtxpdfhaephrmgixt4ojrznpr7oe256j2rq2qady6m4wv2a7jaa._file
Verdict:
malicious
Similar samples:
1ddb357041ae22e5c39f309d8432bf9b64e5b07ee9fcf578b7d94543005714fa
RemcosRAT
4c74f4542101eb419934b0d6fb2765e688314ef1edcd7cf41203d6d3935eef98
RemcosRAT
71c5a4261cc336e193cef7e3e397e160a1a24998185a9458338276e5a8091d63
RemcosRAT
7b553acec118b0b160926e390d4ee76e308d20f722492e1d749e4331d755ee85
RemcosRAT
7e575f55174bf857fbd7329e43985db8bbd23f657289c4abe710a6be3743b800
RemcosRAT
7ede77932ce7a1fb54f227934c436ce1d0f746efce80e66a7664a4f7bfc909cf
RemcosRAT
a1adbdad4e1d0b04ddbac043a174b0b9e2731402fd9422085243c32c8e575fdf
RemcosRAT
b6788527f99a436b0e8925eb14c8800ced61fd406edd4182aa00072b3f74f39e
RemcosRAT
d4bd7d642e2ddcab2e7e6990d7e41b50826bb0354531b42926ba989cb3109880
RemcosRAT
da3b4c6a3fc81e733843987e557efb53beab50fa9ad528aa1a0d7a0f0e1c6e94
RemcosRAT
+ 472 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:gr8est persistence rat
Link:
https://tria.ge/reports/210927-q9te7shbdq/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
manneedmoney.ddns.net:6642
Unpacked files
SH256 hash:
18498f5add7c31c1af213a720891708124ce271e4a1f4eef7427ff9ceff44767
MD5 hash:
af315fe318bcbca468841006ccc57e0a
SHA1 hash:
9b18984c1d4fcafc7bde26250a937aff6c41a375
Link:
https://www.unpac.me/results/24b57b5e-16c2-4858-9e18-ef2e5faf34fa/
SH256 hash:
18e7778ca7011e78b0c8bcf8e4c72d7c7ee26bbe4ea30d4003c799cb5740fa40
MD5 hash:
78494e99e7a22f253bf3d4af2eb0c104
SHA1 hash:
78aa67003ec0e5a9a87dfbaff5387902a58d196c
Link:
https://www.unpac.me/results/24b57b5e-16c2-4858-9e18-ef2e5faf34fa/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/18e7778ca701/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/18e7778ca7011e78b0c8bcf8e4c72d7c7ee26bbe4ea30d4003c799cb5740fa40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/192132/

Comments