MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e0aa65ef76cde02b030850f1895a64fbe866b948f5f29ce7b2d6f9e064b4f84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e0aa65ef76cde02b030850f1895a64fbe866b948f5f29ce7b2d6f9e064b4f84
SHA3-384 hash: 5adf474daa13f7cdcc7ad46bf5dd74123379c3362b5ccd4fd7fcfb19a075b71ebdbbfbcdf4f2682f8a651add4cdf1352
SHA1 hash: cd34d61e924681eb5d67c4ab9072e8416d6f33ea
MD5 hash: 5b4309d7aabb8ca44a4aa15ab49ea964
humanhash: papa-jupiter-virginia-carolina
File name:Quotation.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:730'368 bytes
First seen:2021-02-01 09:56:39 UTC
Last seen:2021-02-01 11:39:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 24a535ed8116cc9ffb1d6169e0ad68d3 (6 x RemcosRAT, 3 x Loki)
ssdeep 12288:zisrdZXlPa+jC/V3oFVaUHHh8K1Ly6Mx+QXX1x6tvz:zb59jC/VQaqHhbnM4QVqz
Threatray 4 similar samples on MalwareBazaar
TLSH 29F47C6561641236F06267B9FD0A4AE4A2A67D3F3D644F82D6E446CF0B2F2C07D4A07F
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mx.pec.aruba.it
Sending IP: 95.110.216.96
From: Jonny<office@ardepcare.com>
Subject: RE: Request for Quotation
Attachment: Quotation.rar (contains "Quotation.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-01 09:58:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e69bb5f1-294a-4dcb-a935-4f4641625664

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114472/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
n/a
Score:
24 / 100
Link:
https://www.joesandbox.com/analysis/595196
Signature
Initial sample is a PE file and has a suspicious name
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e0aa65ef76cde02b030850f1895a64fbe866b948f5f29ce7b2d6f9e064b4f84/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-02-01 09:57:33 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dyfkmxxxntpafmbqquhrrfngj67im24ur5psttt3fvxz4bslj6ca._file
Verdict:
suspicious
Similar samples:
035cba8ea6bbe0336a0221e86b571e530764939150df17f636fd23ad30db3f27
RemcosRAT
24dc8d2b9fccf41707ebb888dd8e76bec1878faefbe46a0a17deac49f85b1a50
RemcosRAT
553caa644cbf9022987290140354f878981f281eb487847afa5017eca470c279
RemcosRAT
fba3d4ba50f90278e79e343a17fed702332df04a787dfcfdcd31e000bf32f79b
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210201-1l8t3tty6e/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
whatgodcannotdodoestnotexist.duckdns.org:2559
Unpacked files
SH256 hash:
c7385cf608325b7521aec35e1cc1d096ee6d1523f06677ee9761d5b52e9e56b6
MD5 hash:
7f252ebbd7f09b34f16e03f806db27c0
SHA1 hash:
c44771e4a7123d45261b0a87851f69f8c9d6eef6
Link:
https://www.unpac.me/results/63dc7686-49c6-4d7f-bd5b-926fe426dc22/
SH256 hash:
1e0aa65ef76cde02b030850f1895a64fbe866b948f5f29ce7b2d6f9e064b4f84
MD5 hash:
5b4309d7aabb8ca44a4aa15ab49ea964
SHA1 hash:
cd34d61e924681eb5d67c4ab9072e8416d6f33ea
Link:
https://www.unpac.me/results/63dc7686-49c6-4d7f-bd5b-926fe426dc22/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e0aa65ef76cde02b030850f1895a64fbe866b948f5f29ce7b2d6f9e064b4f84

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 9782c082b22d6fbb6c4b1b8fdfa05ddedffc1002d6ab4c7180a10595b9d92068

RemcosRAT

Executable exe 1e0aa65ef76cde02b030850f1895a64fbe866b948f5f29ce7b2d6f9e064b4f84

(this sample)

  
Dropped by
MD5 fbd550d956ec6d394450498065bc28f8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9782c082b22d6fbb6c4b1b8fdfa05ddedffc1002d6ab4c7180a10595b9d92068
Cape
Cape
https://www.capesandbox.com/analysis/114472/

Comments