MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 216380841574365968ee39421e67eca7875d16490721686622eda5b47f9105ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 7 File information Comments

SHA256 hash:	216380841574365968ee39421e67eca7875d16490721686622eda5b47f9105ad
SHA3-384 hash:	caecbb36285fe1fb33b3ea7407075e849c513ac0997bfe0474dda231e9a20298eadc9869d26ec41ad57ccf6e39e4f26d
SHA1 hash:	78a00b8a7311fb83efe122cd167119cf2e97d4c2
MD5 hash:	936b95a21de0cd97c39e824b6c912cfd
humanhash:	fix-south-pasta-neptune
File name:	Order_WJO-091120947.pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	774'305 bytes
First seen:	2021-08-16 15:00:56 UTC
Last seen:	2021-08-16 15:52:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	82004e82653b7bafbfcf73a18d8cef95 (3 x Loki, 3 x RemcosRAT, 1 x RevCodeRAT)
ssdeep	12288:03mZHX34JgXZrXhcepr1klgTszv1P9V594uFsflzAKp25NIJLablNgFhBn7v/x/:03mfcepp9TsTh9VelDpANeLy3g71jl
Threatray	1'926 similar samples on MalwareBazaar
TLSH	T10FF4BF10B4C4C0B3D6B628714A7AE27118AC78746A5A55CF33982B7A6F717C1983E73F
dhash icon	8084a48cbc8ce4f8 (44 x Formbook, 20 x AveMariaRAT, 11 x SnakeKeylogger)
Reporter	malwarelabnet
Tags:	exe remcos RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

178

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Order_WJO-091120947.pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-08-16 15:05:36 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/6ae59fac-392f-4969-9087-e3b042c293bb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/179587/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.29163.26674.21979.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Connection attempt to an infection source

Sending a UDP request

Query of malicious DNS domain

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/edf77aec-1450-4a09-ae64-971cb5cd225a

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/833624

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Sigma detected: Dridex Process Pattern

Sigma detected: Suspicious Svchost Process

System process connects to network (likely due to code injection or exploit)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses dynamic DNS services

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/216380841574365968ee39421e67eca7875d16490721686622eda5b47f9105ad/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2021-08-16 15:01:10 UTC

AV detection:

21 of 46 (45.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=efrybbavoq3fs2hohfbb4z7mu6dv2fsja4qwqzrc5ws3i74rawwq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

0758013f642af55d429e3688886f60ed90633a19d87173c2488de6468599456c

RemcosRAT

0dbc7401908f4c77ba9380f1f1d04ee61734a6116331745cd09d88ac368a2736

RemcosRAT

32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f74c18ec111a812a7f30

RemcosRAT

446fdd51f5eb4359191e189e54a209bd96295c5495cabc1b0b07c8f11d1eb748

RemcosRAT

6ce798e776cf4fdcf419958817fc139391ae804e1f47b12998312fd8cea6621f

RemcosRAT

8ef0ab64ef4a050f29808379fa8e9448bca73be60e4944f9d13a9a6880ba33f2

RemcosRAT

bd476af0520fd90f7899f5cf82e4d04aca5df43cbecab3416c54d202513fecbf

RemcosRAT

dae7b35835c65b3586481620e925d9c899997d0e1805a948c235b04c05eb201f

RemcosRAT

e894ebaa11758fde8fc97c450d7219fa914fd4f3fd90d438883223094b2bb3a3

RemcosRAT

+ 1'916 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:max rat

Link:

https://tria.ge/reports/210816-t4431ay99a/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

wealth234.ddns.net:4693

Unpacked files

SH256 hash:

49734177c0b11e16373a184e54a6b64b527f84eeca8fd5e7a8796898d29961e8

MD5 hash:

c6b75f52a6ea78df7968efad0788f198

SHA1 hash:

a53e6e6861f3f64d44c8db7ea09902977d2b1011

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/23491208-4114-4413-901d-38080cc882c0/

SH256 hash:

216380841574365968ee39421e67eca7875d16490721686622eda5b47f9105ad

MD5 hash:

936b95a21de0cd97c39e824b6c912cfd

SHA1 hash:

78a00b8a7311fb83efe122cd167119cf2e97d4c2

Link:

https://www.unpac.me/results/23491208-4114-4413-901d-38080cc882c0/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/216380841574/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/216380841574365968ee39421e67eca7875d16490721686622eda5b47f9105ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/179587/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample