MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c517ddebb6f5893d52918c51a70e56f68b50dd65e0460a673cce3625a0f8a2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 7



SHA256 hash: 1c517ddebb6f5893d52918c51a70e56f68b50dd65e0460a673cce3625a0f8a2b
SHA3-384 hash: 1e84f249462ef876e4fd67e8ff9f6ee9bc157f5c3625f5fdd5840f96b62ed60ba107fd098cae383ad5f57721afa35bca
SHA1 hash: 3087de7ea04b0ab83eb2f278923828a45a0823c1
MD5 hash: 7704dc911d420896f07e21986aa85746
humanhash: washington-september-nevada-skylark
File name: New purchase order PO#78904301541,pdf.exe
Signature: RemcosRAT
File size: 651'264 bytes
First seen: 2020-08-19 09:23:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1d3807efc70a0a5a6d2ab497250e9cb5 (4 x RemcosRAT, 1 x AZORult, 1 x AveMariaRAT)
ssdeep: 12288:Wm/ZNPa2c/PWwuUDKcoEwWLC2W2nKjdkOdqY55w/sPXjlBeh07D:Wm/TyzPWwuUDpoEwECcKpkON/vno0
Threatray: 924 similar samples on MalwareBazaar
TLSH: 79D49E62E6804837C1631578AC0B9FE9D937AF103B98AC476BF62E0C5F397D17929097
Reporter: abuse_ch
Tags: exe RemcosRAT


abuse_ch
Malspam distributing unidentified malware:

HELO: cloudhost-107411.us-midwest-1.nxcli.net
Sending IP: 209.126.25.153
From: AEV Ltd <aev@aev.co.uk>
Subject: order inquiry
Attachment: New purchase order PO78904301541,pdf.iso (contains "New purchase order PO#78904301541,pdf.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 66
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Setting a single autorun event
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 271097
Sample: New purchase order PO#78904...
Startdate: 19/08/2020
Architecture: WINDOWS
Score: 100
Sample-level network: newlogs.ddns.net
Sample-level signatures: Malicious sample detected (through community Yara rule); Detected Remcos RAT; Yara detected Remcos RAT; 9 other signatures

Process tree:
New purchase order PO#78904301541,pdf.exe
    Network: discord.com 162.159.128.233, 443, 49711, 49731 CLOUDFLARENETUS United States; cdn.discordapp.com 162.159.130.233, 443, 49712, 49732 CLOUDFLARENETUS United States
    Dropped file: C:\Users\user\AppData\Local\Vyursec.exe, PE32
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
    Started: ieinstal.exe
        Network: newlogs.ddns.net 79.134.225.73, 49724, 49725, 49729 FINK-TELECOM-SERVICESCH Switzerland; 192.168.2.1 unknown unknown
Vyursec.exe
    Network: 162.159.133.233, 443, 49728 CLOUDFLARENETUS United States; 162.159.135.232, 443, 49727 CLOUDFLARENETUS United States
    Signatures: Injects a PE file into a foreign processes
    Started: ieinstal.exe
Vyursec.exe
    Started: ieinstal.exe
Result
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-08-18 09:31:05 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: persistence rat family:remcos
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Signature: RemcosRAT
File: Executable exe 1c517ddebb6f5893d52918c51a70e56f68b50dd65e0460a673cce3625a0f8a2b (this sample)
Delivery method: Distributed via e-mail attachment

Comments