MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20cc3f25b59d83cbfd3f6908726114e8b0442907fabfc58da5f1eee4ae2ece81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20cc3f25b59d83cbfd3f6908726114e8b0442907fabfc58da5f1eee4ae2ece81
SHA3-384 hash: b2898654ad34739b0b48ea655d488e17c005f711a31b3dd9468d0ad7a126c25ca4d308c015846cb1ec648f5d73f1f5a2
SHA1 hash: 7b307d1bf98764405ba713009f2b0d8a91e8976c
MD5 hash: 3d4d8630f3f0080bed661797ad1f21a8
humanhash: music-four-sweet-monkey
File name:orders2.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:466'944 bytes
First seen:2021-01-14 06:57:54 UTC
Last seen:2021-01-14 08:52:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a3dd289e085cdb130e7e60c52ab293af (3 x RemcosRAT, 2 x Formbook, 1 x NetWire)
ssdeep 6144:VF0f3sHOmVYAO3YANcEwXZtBsJr2Y40kAOT6WArShIiSB2PYI7Yu:V2fYfWwp7y2eOT7gS6wwkN
Threatray 1'381 similar samples on MalwareBazaar
TLSH CBA419DE12F1106BD12945B4A959EFE05560FC787B61C226BE80FCCEAF323E154622F6
Reporter abuse_ch
Tags:exe Hostwinds RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hwsrv-824517.hostwindsdns.com
Sending IP: 23.238.43.35
From: imports@welfare.top
Subject: Request For Quotation And Price Listing
Attachment: New order.iso (contains "orders2.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
orders2.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 07:34:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f0d90b78-f182-4b07-87fb-07cf748ff6c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111947/
Detection(s):
SecuriteInfo.com.Variant.Strictor.105210.10740.26993.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/581176
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339623 Sample: orders2.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for dropped file 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 10 other signatures 2->53 8 orders2.exe 4 8 2->8         started        12 costlyRemi.exe 1 2->12         started        14 costlyRemi.exe 1 2->14         started        process3 file4 35 C:\Users\user\AppData\...\costlyRemi.exe, PE32 8->35 dropped 37 C:\Users\user\AppData\Local\...\remmyiles.exe, PE32 8->37 dropped 39 C:\Users\...\costlyRemi.exe:Zone.Identifier, ASCII 8->39 dropped 41 C:\...\b15716d40a204d2893de5f2eeabebb99.xml, XML 8->41 dropped 55 Contains functionalty to change the wallpaper 8->55 57 Contains functionality to steal Chrome passwords or cookies 8->57 59 Contains functionality to capture and log keystrokes 8->59 61 3 other signatures 8->61 16 wscript.exe 1 8->16         started        18 cmd.exe 1 8->18         started        20 costlyRemi.exe 1 12->20         started        signatures5 process6 process7 22 cmd.exe 1 16->22         started        24 conhost.exe 18->24         started        26 schtasks.exe 1 18->26         started        process8 28 costlyRemi.exe 2 5 22->28         started        33 conhost.exe 22->33         started        dnsIp9 45 185.140.53.136, 1818, 49742, 49743 DAVID_CRAIGGG Sweden 28->45 43 C:\Users\user\AppData\Roaming\...\logs.dat, data 28->43 dropped 63 Antivirus detection for dropped file 28->63 65 Multi AV Scanner detection for dropped file 28->65 67 Contains functionalty to change the wallpaper 28->67 69 4 other signatures 28->69 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20cc3f25b59d83cbfd3f6908726114e8b0442907fabfc58da5f1eee4ae2ece81/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 06:58:16 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=edgd6jnvtwb4x7j7neeheyiu5cyeikih7k74ldnf6hxojlroz2aq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
00b65900131d5d5cac9d48c65ff2e53677418d7c50f0c09480af43e80845bef3
RemcosRAT
01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c
RemcosRAT
1a6757ed0fa8dfc6a0ecc4dcfecc7dacb2b4ff435c15eefeb9edde8b913e1811
RemcosRAT
4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7
RemcosRAT
4c73230621e55c51c6e4a32e354dca5e8fd3aaaa2df450b73991e6e21257a742
RemcosRAT
5fdecb2c511ec2b584766991bc2126ae802ed2618a80a227046df5379f12e745
RemcosRAT
aea8b826c919840c0757bde7e31b915fda0439bd28b10418479aa17c53f91e12
RemcosRAT
b67361c9d7c2bcbe7e94b698f4d5abd1e6ffd96429d2c66dcfd92a573303e4f0
RemcosRAT
bfe8692e2e6e89e7d77482f315a22b3679e511e50eab20ba852cabc06dc4e5fa
RemcosRAT
fe719ecb5f04ed964bd5fdecc2085bdb1518358c65d12462fcddb66a6015740d
RemcosRAT
+ 1'371 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210114-a37ej2d8bn/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Executes dropped EXE
Remcos
Unpacked files
SH256 hash:
0f4a74a1ffbe31099a2513f79e1de1547ee5c5a5ae6b0ffb2f53952271ee3176
MD5 hash:
97d9bb42179b727f6af8952fff430063
SHA1 hash:
0f9f00ad2f159e1c48be0aa4c728983f91a8a283
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/22ae092a-f84f-4324-976c-9ea2b6b187de/
SH256 hash:
20cc3f25b59d83cbfd3f6908726114e8b0442907fabfc58da5f1eee4ae2ece81
MD5 hash:
3d4d8630f3f0080bed661797ad1f21a8
SHA1 hash:
7b307d1bf98764405ba713009f2b0d8a91e8976c
Link:
https://www.unpac.me/results/22ae092a-f84f-4324-976c-9ea2b6b187de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20cc3f25b59d83cbfd3f6908726114e8b0442907fabfc58da5f1eee4ae2ece81

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 03c9cca134170890bcb20f0e690fe65d9cd9a9477dfe5db7e2d2f22ed4a776ce

RemcosRAT

Executable exe 20cc3f25b59d83cbfd3f6908726114e8b0442907fabfc58da5f1eee4ae2ece81

(this sample)

  
Dropped by
MD5 dd124b7190aa12f076c730807b844691
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 03c9cca134170890bcb20f0e690fe65d9cd9a9477dfe5db7e2d2f22ed4a776ce
Cape
Cape
https://www.capesandbox.com/analysis/111947/

Comments