MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24dc8d2b9fccf41707ebb888dd8e76bec1878faefbe46a0a17deac49f85b1a50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 9 File information Comments

SHA256 hash:	24dc8d2b9fccf41707ebb888dd8e76bec1878faefbe46a0a17deac49f85b1a50
SHA3-384 hash:	826066bb35de090c5ac68e600776d5c3ce6d19f8de8175750510724cad8a53c8f9ca719faca68a157e6ec32e17857426
SHA1 hash:	76e96ee4e0a594fed4618a4ce89f563758a2aa05
MD5 hash:	71d278e3ab10f852b659af2921fed771
humanhash:	video-five-blue-sierra
File name:	1764AIR200151251-CRE001,pdf.SCR
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	730'368 bytes
First seen:	2021-02-01 09:06:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	24a535ed8116cc9ffb1d6169e0ad68d3 (6 x RemcosRAT, 3 x Loki)
ssdeep	12288:zisrdZXlPa+jC/V3oFVaUHo8K1Ly6Mx+QXX1x6tvz:zb59jC/VQaqobnM4QVqz
Threatray	1'507 similar samples on MalwareBazaar
TLSH	9FF47CA161605635F062A7B8E94A069876E6BD3F3D341F46C6E45ACB0B2F7C07C5A03F
Reporter	abuse_ch
Tags:	DHL nVpn RAT RemcosRAT scr

abuse_ch

Malspam distributing RemcosRAT:

HELO: mail2.brandsloveki.com
Sending IP: 209.97.154.18
From: DHL EXPRESS <750172@dhl.com>
Subject: Varış Bildirimi package
Attachment: 1764AIR200151251-CRE001,pdf.cab (contains "1764AIR200151251-CRE001,pdf.SCR")

RemcosRAT C2:
goddywin.freedynamicdns.net:6712 (79.134.225.69)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1764AIR200151251-CRE001,pdf.SCR

Verdict:

Malicious activity

Analysis date:

2021-02-01 09:10:06 UTC

Tags:

trojan rat remcos

Link:

https://app.any.run/tasks/448fcfa0-9e7b-4e64-9d3a-be83dfd91314

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/114431/

Result

Verdict:

Clean

Maliciousness:

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/595122

Signature

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates a thread in another existing process (thread injection)

Detected Remcos RAT

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Sigma detected: Remcos

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/24dc8d2b9fccf41707ebb888dd8e76bec1878faefbe46a0a17deac49f85b1a50/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-02-01 09:07:09 UTC

AV detection:

16 of 46 (34.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=etoi2k47zt2bob7lxcen3dtwx3aypd5o7psgucqx32wet6c3djia._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

40ac0f2418edf402cc41fbb78bb902a261df8b6fb3355574accbf894f81b85b8

RemcosRAT

46ff7f6619eda7e3b2c5b36a2d3f21b154749d31ae2695c4d23c992361ce1f58

RemcosRAT

47d694226b7f034e868ded9f3ebc12b1afbf9bbccb791f4a98c61955f10efa19

RemcosRAT

5b1f1843bbb992e3d5c635aa69d8409de4ae4d3f04cf19994d8e953e99cf451a

RemcosRAT

77d6912281d64f3630f1d1361c33e5f2eb10ecc7100b44d2c05fdc37ac9d7da4

RemcosRAT

91622a9d48459e615ea429ef8b03411ce90df650cedd5c451436ee36123593a9

RemcosRAT

970e593b7c2c52df8da7bba34b54056690264c4dd3c56b8a5e7d221e3bac2ca9

RemcosRAT

b8c6d9ced99143d34fd8829125c6ff46bc0c55569f401ec4d1354f3d0825c4c4

RemcosRAT

ce30dea0b1d4fa181753600eb63c1d2f1a7de1bd848dcdbe196f6a35afef0ea9

RemcosRAT

+ 1'497 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210201-dg7cf7wcrs/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Unpacked files

SH256 hash:

c7385cf608325b7521aec35e1cc1d096ee6d1523f06677ee9761d5b52e9e56b6

MD5 hash:

7f252ebbd7f09b34f16e03f806db27c0

SHA1 hash:

c44771e4a7123d45261b0a87851f69f8c9d6eef6

Link:

https://www.unpac.me/results/f6e735f8-ed01-4db0-a9ad-0c37b59a3e46/

SH256 hash:

24dc8d2b9fccf41707ebb888dd8e76bec1878faefbe46a0a17deac49f85b1a50

MD5 hash:

71d278e3ab10f852b659af2921fed771

SHA1 hash:

76e96ee4e0a594fed4618a4ce89f563758a2aa05

Link:

https://www.unpac.me/results/f6e735f8-ed01-4db0-a9ad-0c37b59a3e46/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/24dc8d2b9fccf41707ebb888dd8e76bec1878faefbe46a0a17deac49f85b1a50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator