MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cc63ed4b98c0457f975339ddb58fc82f9dac01a15fd096804ee3ce16c968dcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cc63ed4b98c0457f975339ddb58fc82f9dac01a15fd096804ee3ce16c968dcc
SHA3-384 hash: 53fb71951b88a806c9abd827f5035a8efcd4ad9f702fd80d7f1cca359f93d7903c6e2bcc5b90dc474585c8799920c38b
SHA1 hash: 2907d112545d3fdd0d4bb412a9e94be74a98be66
MD5 hash: 3f82dcbe0c24893a3fe8a177ecf82495
humanhash: iowa-three-kentucky-mirror
File name:confirmación bancaria,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:811'520 bytes
First seen:2021-09-16 14:04:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91f41270d021c09d2e59583bf5cdff98 (5 x RemcosRAT, 1 x Formbook)
ssdeep 24576:W0WE0AyOVWoKcwdZAGIZHrIzvlZwXI7Dyj3SaH+MJu:W0WEoQhudZf
Threatray 337 similar samples on MalwareBazaar
TLSH T133053D9A6258A43BE02E29395D09C7CED51ABC947D16EC7412BCE9376A3C3D02DF904F
dhash icon 88c7ce3cbddc2f31 (24 x RemcosRAT, 12 x Formbook, 8 x Loki)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
confirmación bancaria,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-16 14:08:36 UTC
Tags:
installer
Link:
https://app.any.run/tasks/685e519c-1fce-4a02-a1b8-d03e613417ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.29888.4200.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/61752323db358dd15ed92838/reports/bdf93186-5853-4192-ae30-f7469753a271/overview
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73e0f244-0266-4527-a890-4db98508cd69
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852120
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 484550 Sample: confirmaci#U00f3n bancaria,... Startdate: 16/09/2021 Architecture: WINDOWS Score: 100 44 newlogs.ddns.net 2->44 64 Multi AV Scanner detection for domain / URL 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 5 other signatures 2->70 9 confirmaci#U00f3n bancaria,pdf.exe 1 21 2->9         started        14 Mvxpppzm.exe 15 2->14         started        16 Mvxpppzm.exe 15 2->16         started        signatures3 process4 dnsIp5 50 onedrive.live.com 9->50 52 gsgqlg.dm.files.1drv.com 9->52 54 dm-files.fe.1drv.com 9->54 42 C:\Users\Public\Libraries\Mvxpppzm.exe, PE32 9->42 dropped 78 Writes to foreign memory regions 9->78 80 Creates a thread in another existing process (thread injection) 9->80 82 Injects a PE file into a foreign processes 9->82 18 logagent.exe 2 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        56 onedrive.live.com 14->56 60 2 other IPs or domains 14->60 84 Multi AV Scanner detection for dropped file 14->84 26 dialer.exe 14->26         started        58 onedrive.live.com 16->58 62 2 other IPs or domains 16->62 28 DpiScaling.exe 16->28         started        file6 signatures7 process8 dnsIp9 46 newlogs.ddns.net 185.140.53.11, 49754, 49755, 49756 DAVID_CRAIGGG Sweden 18->46 48 192.168.2.1 unknown unknown 18->48 72 Contains functionality to inject code into remote processes 18->72 74 Contains functionality to steal Firefox passwords or cookies 18->74 76 Delayed program exit found 18->76 30 reg.exe 1 22->30         started        32 conhost.exe 22->32         started        34 cmd.exe 1 24->34         started        36 conhost.exe 24->36         started        signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2cc63ed4b98c0457f975339ddb58fc82f9dac01a15fd096804ee3ce16c968dcc/
Threat name:
Win32.Infostealer.BestaFera
Create hunting rule
Status:
Malicious
First seen:
2021-09-15 20:30:36 UTC
AV detection:
28 of 44 (63.64%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ftdd5vfzrqcfp6lvgoo5wwh4ql45vqa2cx6qs2ae5y6oc3ewrxga._file
Verdict:
malicious
Similar samples:
0d182038f62a038b380a4d3c3769d5eb389b08b194b7dce13606252e7e1aff1c
RemcosRAT
3ff150613fc6d76d5634ae77e3c7bddde0361478d25d11a1830da71910b391da
RemcosRAT
4b989ceef83817dd4a14c9322a2b127a14f98d85dafb99625fe3483cd58dc6dc
RemcosRAT
5145f1759e79b4d29641c6c604173b0bae2a3d7b156b49e8c267da63e0cd94d6
RemcosRAT
7df259f7873239aee108522c3efd6fca233db83a268a3c9fad4766994c5a029d
RemcosRAT
960cd364b10841b71b638aca1807d5667cf340e76102389d45d7df4c17401ed2
RemcosRAT
9d71b356bc7e51729a4726433111be12297dd9403a82cff2e20902944c0af748
RemcosRAT
c5e3325814325c5f2f3d1df8c7d2885668afede1ea40c016266428a0e43b3d15
RemcosRAT
d79ba47a55b5dcb4cf6e76ac13bd3179e1523d5904483232d9ce9d39915dbc69
RemcosRAT
+ 327 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:kings persistence rat
Link:
https://tria.ge/reports/210916-rdt8asgdep/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
newlogs.ddns.net:6565
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/a5128836-8cc7-452a-9f64-3c220b428d56/
SH256 hash:
2cc63ed4b98c0457f975339ddb58fc82f9dac01a15fd096804ee3ce16c968dcc
MD5 hash:
3f82dcbe0c24893a3fe8a177ecf82495
SHA1 hash:
2907d112545d3fdd0d4bb412a9e94be74a98be66
Link:
https://www.unpac.me/results/a5128836-8cc7-452a-9f64-3c220b428d56/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2cc63ed4b98c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2cc63ed4b98c0457f975339ddb58fc82f9dac01a15fd096804ee3ce16c968dcc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 2cc63ed4b98c0457f975339ddb58fc82f9dac01a15fd096804ee3ce16c968dcc

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments