MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20913ef76e86c0e3222ad67afaadaa44912595513a32d08345dba6ec3de019c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 8 File information Comments

SHA256 hash:	20913ef76e86c0e3222ad67afaadaa44912595513a32d08345dba6ec3de019c5
SHA3-384 hash:	619f4a748ace0c3a516511217965e18023d393c147b6766daac5a4a991bd8013d86eb2ff571734eafb9788c929427cfa
SHA1 hash:	e64cb36f84cfae5bc3df874062b56bbefc67abe4
MD5 hash:	f46570f8573752848e4b38e514b3342e
humanhash:	princess-butter-comet-stream
File name:	Doc_IMAGE-587HTY-9545-55401.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'166'336 bytes
First seen:	2021-03-16 10:47:17 UTC
Last seen:	2021-03-16 12:49:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:wm1PlynMoIDiM3/m9YoHUZZTeF7jOhbVheOY:wcIMoIh3/m6oHcegh
Threatray	128 similar samples on MalwareBazaar
TLSH	C645D0FC7500BC8FCC17AE3689561C28AA306976D30BD347E12715AE9E5EA97DE005F2
Reporter	abuse_ch
Tags:	exe Rackspace RemcosRAT

abuse_ch

Malspam distributing unidentified malware:

HELO: smtp68.iad3a.emailsrvr.com
Sending IP: 173.203.187.68
From: Ajay Kumar <ajay@fairair.in>
Subject: FW: RTGS Payment sent
Attachment: Doc_IMAGE-587HTY-9545-55401.rar (contains "Doc_IMAGE-587HTY-9545-55401.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

174

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Doc_IMAGE-587HTY-9545-55401.exe

Verdict:

Malicious activity

Analysis date:

2021-03-16 10:53:02 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/f47c78cf-49c5-4a1c-ad83-689bf1606a1e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.20802.25714.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file

DNS request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Setting a global event handler for the keyboard

Connection attempt to an infection source

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/44368b7b-9c64-4629-bbeb-0970b2912b4a

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/640610

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/20913ef76e86c0e3222ad67afaadaa44912595513a32d08345dba6ec3de019c5/

Threat name:

ByteCode-MSIL.Ransomware.TeslaCrypt

Status:

Malicious

First seen:

2021-03-16 04:59:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 47 (59.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ecit553oq3aogirk2z5pvlnkisislfkrhiznba2f3otoyppadhcq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

5932fcc4c5d01a0d7667dfe1e6d10dd8c540b2ac57623c8c4b99dfdcd43cd63e

RemcosRAT

5d20ab723dbc30184582ccec3877af8fbb8fc78f90d09fd680bf784325951ca3

RemcosRAT

88908ef35a39d6295a1b5775b08f2f44b3ccfad8bec6bf4e4a067428ed95262e

RemcosRAT

8c38dbbc3834ab600313e6cd32e0e1a077726f002a608b5cbf9baa87ff11f90f

RemcosRAT

b0dad01939e09e869b27e59d7a7d7c79fdd31bb4a8c52153844c23c3c34bf368

RemcosRAT

b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839

RemcosRAT

d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9

RemcosRAT

ef6ac1293cdfda22c8d940f96c5433f406a4c3666e6941e4f094a8cf50d04ac1

RemcosRAT

ff8dd2511c1721a535a31eb7e8c4f813ba114a2ec963f4b85f8808fa99d47422

RemcosRAT

+ 118 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/210316-5wqcql8msa/

Behaviour

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Remcos

Malware Config

C2 Extraction:

www.pakehoob.com:16108

Unpacked files

SH256 hash:

fc3e4c8f452556e360c2cfd18883050273afa42f83c2a3258be27f88f124cde2

MD5 hash:

e35cbd4f46d32a9edf0bbc58bf4e9afc

SHA1 hash:

cea7e56c4a3f2a623b297f9ef94794522de9f999

Detections:

win_remcos_g0

Link:

https://www.unpac.me/results/d158d631-b1e2-4df5-bfec-15993ceb3d61/

SH256 hash:

0a6b546031de3c68b121e4ae36046d849d98e964524d20e63a0f100be2e95a5d

MD5 hash:

b72cdbbd3edad77e1d504fb9d8d146fe

SHA1 hash:

c12663045078f255d707fe35b02a75eaa6eb93e8

Link:

https://www.unpac.me/results/d158d631-b1e2-4df5-bfec-15993ceb3d61/

SH256 hash:

1510861928b533e1529c1ffe7c6d57d9e5e928830d0afb28fd0fa730ff83fbdc

MD5 hash:

8f85df46a482b5b068ae7667bf1a33d6

SHA1 hash:

a210d369311aa4d709dc962c634174738576907e

Link:

https://www.unpac.me/results/d158d631-b1e2-4df5-bfec-15993ceb3d61/

SH256 hash:

20913ef76e86c0e3222ad67afaadaa44912595513a32d08345dba6ec3de019c5

MD5 hash:

f46570f8573752848e4b38e514b3342e

SHA1 hash:

e64cb36f84cfae5bc3df874062b56bbefc67abe4

Link:

https://www.unpac.me/results/d158d631-b1e2-4df5-bfec-15993ceb3d61/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/20913ef76e86c0e3222ad67afaadaa44912595513a32d08345dba6ec3de019c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_g0 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 432f71ffe8228503c7696e5981fc8da33d44e0727f06ba6c756b9e733586a5a1

RemcosRAT

exe 20913ef76e86c0e3222ad67afaadaa44912595513a32d08345dba6ec3de019c5

(this sample)

Dropped by

MD5 fe13038f3db82296d07781ce38443bd0

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 432f71ffe8228503c7696e5981fc8da33d44e0727f06ba6c756b9e733586a5a1

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample