MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a344d464465069aa8739a45ecba1b6de4ef4ba4cc2b8128af5a54112c507058. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a344d464465069aa8739a45ecba1b6de4ef4ba4cc2b8128af5a54112c507058
SHA3-384 hash: 35f08d8f5c79d12700101979cab6e0c5c31b4f08e0711cb40762be8e8e280024ffe2648143d7c98b81d47cbae22b060f
SHA1 hash: 63efc1d0fe62a3930c5bf202e28587835a6b4f8f
MD5 hash: 94de7df5c9be036f9a12f8dcb48d0b88
humanhash: oscar-ceiling-oxygen-two
File name:ORDEN_FH87565635456.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:925'328 bytes
First seen:2021-02-12 19:01:19 UTC
Last seen:2021-02-12 21:02:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 185c9d25d83bce4bd974769a832573ed (3 x RemcosRAT, 1 x NetWire)
ssdeep 12288:lTDsbND5zANBIdBM3npcpRCoDaMycZ+PCv8i:lToHmBIupcpRtDoc/v8i
Threatray 115 similar samples on MalwareBazaar
TLSH 3E15A4F2AC0E8E60F05B153CE84AFA7818767CF5390941669FD47B4ADAB7318B91047B
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: server.doole.io
Sending IP: 188.40.83.134
From: Giberto <info@industrialmexicana.com>
Subject: PEDIDO DE COMPRA FH87565635456
Attachment: ORDEN_FH87565635456.iso (contains "ORDEN_FH87565635456.exe")

RemcosRAT C2:
marstonstyl247.ddns.net

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDEN_FH87565635456.exe
Verdict:
Malicious activity
Analysis date:
2021-02-12 19:06:36 UTC
Tags:
trojan rat remcos keylogger
Link:
https://app.any.run/tasks/3db6b2bb-4981-4ba1-b27b-27227b69f5fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116959/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Connection attempt to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/607096
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a344d464465069aa8739a45ecba1b6de4ef4ba4cc2b8128af5a54112c507058/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-02-13 00:41:09 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fi2e2rsemudjvkdttjc6zoq3nxso6s5ezqvyckfpljkbclcqobma._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
035cba8ea6bbe0336a0221e86b571e530764939150df17f636fd23ad30db3f27
RemcosRAT
0d03646fdaee92061ac0ffa4ba7c737d0ef101858b30bd7432148f7e9faf279a
RemcosRAT
1e5a328f760c35f905390fb4bcf0eefa75936c79a43e22ca7557da0e315c72ed
RemcosRAT
20fe5347a7254b7f5d75c7fce2542b88abdb8d1939afe621544c61d35e45bdee
RemcosRAT
558791ef8ee4a269644ecce15552270a2e8f287603308069084793370ba9451d
RemcosRAT
926da3334135961ff0c19ecf4358201ba4734ab01186061c423deeb081ec1cff
RemcosRAT
a8889ff384c38b97b5a48ef4e9586df7c281f40e2719fe248b0d252832969521
RemcosRAT
c062b4a790666b338f7955ea792605bf0244a8d36cb1050c602727ff6d654e36
RemcosRAT
d00cdc47ecf61320c65927dd2cd3ec52e5d1496264ba527b019eebca8d9b3410
RemcosRAT
faf6463f13ccaac3980d0d71fdb44e4f56d4a519612e215e021af67140d7e855
RemcosRAT
+ 105 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210212-1ftkxmdyg6/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Unpacked files
SH256 hash:
6c5faf9784abeff03bdbe2522b9da9862ac8eb9d333f608f8ef28719565968df
MD5 hash:
dff8986eae6a2b85730955c35b506f1a
SHA1 hash:
0b20d24bdd350524c25f5d513d1b3f8e4315c989
Link:
https://www.unpac.me/results/a6d64a50-9920-479d-8aec-2f9415ea0e7f/
SH256 hash:
2a344d464465069aa8739a45ecba1b6de4ef4ba4cc2b8128af5a54112c507058
MD5 hash:
94de7df5c9be036f9a12f8dcb48d0b88
SHA1 hash:
63efc1d0fe62a3930c5bf202e28587835a6b4f8f
Link:
https://www.unpac.me/results/a6d64a50-9920-479d-8aec-2f9415ea0e7f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a344d464465069aa8739a45ecba1b6de4ef4ba4cc2b8128af5a54112c507058

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso eb4282c0ec92b176b50050689711315ccdfa9c928d554f4d27994a4a10d03233

RemcosRAT

Executable exe 2a344d464465069aa8739a45ecba1b6de4ef4ba4cc2b8128af5a54112c507058

(this sample)

  
Dropped by
MD5 4e31156c0e771d3730a95d7f0e6c49c1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116959/
  
Dropped by
SHA256 eb4282c0ec92b176b50050689711315ccdfa9c928d554f4d27994a4a10d03233

Comments