MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22fd2fb26af250c70cc8a88089d0feccbac2754fe7eed1d108e5891b8409f432. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 9 File information Comments

SHA256 hash:	22fd2fb26af250c70cc8a88089d0feccbac2754fe7eed1d108e5891b8409f432
SHA3-384 hash:	b2a94761d12b105c71193b215f719a41c1d14e79407a13c96faf2862a0ac6d2ddd4386695757dda065a4fea6c025562b
SHA1 hash:	708a8f751760146d554e3a53d66d1a72df81ac0a
MD5 hash:	891621dba903d580eb476dd9a060549e
humanhash:	fourteen-may-football-don
File name:	MRC20201030XMY,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'011'200 bytes
First seen:	2021-02-10 13:45:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0c3b8980defdb88e12547d79fd9fc724 (4 x RemcosRAT)
ssdeep	12288:Q82glUZCAYAIo4Kv8dSF8f+W2RoVep9JZdEtOw8Ps1j:r2oWPIo9v8de5+efHm78Pkj
Threatray	1'574 similar samples on MalwareBazaar
TLSH	46257DB17AA1443BE11339FA8C4A53A4692B7DACA95C540EA770BE0B7F357853CD804F
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: bnf.com
Sending IP: 103.69.130.146
From: STALMED, SL <info8@stalmed.es>
Subject: Re: Revised Order MRC20201030XMY
Attachment: MRC20201030XMY,pdf.iso (contains "MRC20201030XMY,pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

MRC20201030XMY,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-02-10 13:58:36 UTC

Tags:

installer trojan rat remcos

Link:

https://app.any.run/tasks/d3ac9abc-71e5-47f2-9454-fff62cc86b0f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/116564/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Clean

Maliciousness:

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/604567

Signature

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Detected Remcos RAT

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22fd2fb26af250c70cc8a88089d0feccbac2754fe7eed1d108e5891b8409f432/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-02-10 13:46:07 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=el6s7mtk6jimodgivcaituh6zs5me5kp47xnduii4werxbaj6qza._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

5178316a133ee4ce629f5b31ddc2fdb8fd6ff8a581174c0a21f41d44ebfcd88d

RemcosRAT

63546d7293b43b8c746bbddddcfe798478d99e5786fceff8d1fcfb52b9a64aed

RemcosRAT

785790e2814af826f66cf31460fdcf7ce48513c6f451fca29fa52f101dd65b00

RemcosRAT

798fc4066cf0b5e0c6711d32ca8d43afc7d4b99f333c184b7fd0b7d3b7eb7559

RemcosRAT

97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

RemcosRAT

9c03ceb1f14c39a8f156175a3a409a7a07e6134197609bcd2f087c4ea7b42670

RemcosRAT

adb361129e2125c0c123c123b5ead7a6785a12c77701d9d27a4b67d1bddcba34

RemcosRAT

b8d1d962744d0c6ab3abe293c4671b3ba6524f623f9d6f02361bc60eec7b4cb4

RemcosRAT

f4f0c2b0fcc641a850b0aaf356f5119f7d6568be3d4b5251a6c6dec1b3e7920f

RemcosRAT

+ 1'564 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210210-p2czhma2x2/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Unpacked files

SH256 hash:

d2f876d808e77cfce00ded4bfc541671c500f0ea9ea873c04333c554ea54a791

MD5 hash:

e561fb27b26e5d960fd61580e5fb35bd

SHA1 hash:

5df94fbbf001b70e2f20f4a3101de45d321016e5

Link:

https://www.unpac.me/results/eb6547e2-1910-4cc5-8d18-efa0f8028e10/

SH256 hash:

22fd2fb26af250c70cc8a88089d0feccbac2754fe7eed1d108e5891b8409f432

MD5 hash:

891621dba903d580eb476dd9a060549e

SHA1 hash:

708a8f751760146d554e3a53d66d1a72df81ac0a

Link:

https://www.unpac.me/results/eb6547e2-1910-4cc5-8d18-efa0f8028e10/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/22fd2fb26af250c70cc8a88089d0feccbac2754fe7eed1d108e5891b8409f432

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

27f4e4dfd5d8fae460457850c96dcdb8

RemcosRAT

exe 22fd2fb26af250c70cc8a88089d0feccbac2754fe7eed1d108e5891b8409f432

(this sample)

Dropped by

MD5 27f4e4dfd5d8fae460457850c96dcdb8

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/116564/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample