MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22ac80592400a2e2ed64392413d1bc5ecbbb09f10a811d3243c7212252f75a2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	22ac80592400a2e2ed64392413d1bc5ecbbb09f10a811d3243c7212252f75a2c
SHA3-384 hash:	c6340de7fbe6369290a11d275f113746765e7760cce569085c7b88568f2fcb59ca52dbd4f9460f9ab9cc1312b592265c
SHA1 hash:	14b694c80ac0ca7ea064d40c90e2364f7693dd02
MD5 hash:	cb4a9e8af1f4176a50ce0fec01c61f1c
humanhash:	diet-purple-connecticut-glucose
File name:	Offer Request 6100003768.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	904'984 bytes
First seen:	2021-02-22 07:09:56 UTC
Last seen:	2021-02-22 08:41:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	123e9c36cc1595f744449f97bcf23cbf (6 x RemcosRAT, 1 x Loki, 1 x Formbook)
ssdeep	24576:KYUkRHVFnyXv1qhqV7ANT8QNE1C5h7bmhNs:KY9b0UhqnhS
Threatray	80 similar samples on MalwareBazaar
TLSH	121560B19B4A4F12F05B143DCD4AE6FA0712BC01372B99B61ED8F7478AA6781B9D0077
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: vmmail02.ridsa.com.ar
Sending IP: 190.103.224.9
From: Farizal Marlias <direct@my.ibm.com>
Subject: Offer Request 6100003768
Attachment: Offer Request 6100003768.iso (contains "Offer Request 6100003768.exe")

RemcosRAT C2:
marstonstyl247.ddns.net:3234

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

n/a

Vendor Threat Intelligence

Detection:

DLAgent07

Link:

https://www.capesandbox.com/analysis/118210/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Deleting a recently created file

Launching a process

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Setting a global event handler for the keyboard

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/613701

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates a thread in another existing process (thread injection)

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22ac80592400a2e2ed64392413d1bc5ecbbb09f10a811d3243c7212252f75a2c/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2021-02-22 06:25:41 UTC

AV detection:

16 of 47 (34.04%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ekwiawjeacrof3lehesbhun4l3f3wcprbkar2msdy4qseuxxliwa._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

20fe5347a7254b7f5d75c7fce2542b88abdb8d1939afe621544c61d35e45bdee

RemcosRAT

2a344d464465069aa8739a45ecba1b6de4ef4ba4cc2b8128af5a54112c507058

RemcosRAT

350d9e0fce3c72fb6c63235194c1e9c986d38c13866e756f85c31faa95f4ef2b

RemcosRAT

71f60a985d2cc9fc47c6845a88eea4da19303a96a2ff69daae70276f70dcdae0

RemcosRAT

7372fe2e6401cdbca755f752e7e8407a8a5fbaf81ca5e692705a9819977dc447

RemcosRAT

969c356e48ffb2e13979513881838131bf9f61f5bfbe14e4314fece49d9e01ad

RemcosRAT

b6e24ae319f72f87dbf9d5e6fc2394737b938f7eb391a39c5043114458f31733

RemcosRAT

cbf5b54d5d1c70086efefea16f38b80a329cb96bb5a59e709b0ab2304acb157c

RemcosRAT

f436b8e7b214f3f56d0c62326e37653f87184760b406ab4f6eae79a5c34297b1

RemcosRAT

+ 70 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210222-lhy1ydzawe/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

marstonstyl247.ddns.net:3234

Unpacked files

SH256 hash:

0e7586027be2b00d10dcc585232de1b4fe8f23be8298dad1f3bc86475946b5c9

MD5 hash:

ee5230700e4a146fed27eab5f8d9caa6

SHA1 hash:

809225fca3c38e5cd30eb35b9b667393becfb516

Link:

https://www.unpac.me/results/25ba0e02-f502-4b64-b73f-874d3636e460/

SH256 hash:

22ac80592400a2e2ed64392413d1bc5ecbbb09f10a811d3243c7212252f75a2c

MD5 hash:

cb4a9e8af1f4176a50ce0fec01c61f1c

SHA1 hash:

14b694c80ac0ca7ea064d40c90e2364f7693dd02

Link:

https://www.unpac.me/results/25ba0e02-f502-4b64-b73f-874d3636e460/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso e129a5b26c193726c2347fd1718a71502b068359d2b9dce15413dfa79d2c28be

RemcosRAT

exe 22ac80592400a2e2ed64392413d1bc5ecbbb09f10a811d3243c7212252f75a2c

(this sample)

Dropped by

MD5 a1302890613444c9dd7d167125d21490

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/118210/

Dropped by

SHA256 e129a5b26c193726c2347fd1718a71502b068359d2b9dce15413dfa79d2c28be

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample