MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2df667c2a61c1cc161df7e8e1d7dcf1407a0bc30eb7eaf881c835fecfde5f086. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2df667c2a61c1cc161df7e8e1d7dcf1407a0bc30eb7eaf881c835fecfde5f086
SHA3-384 hash: 45692498952381c429b60289b25db7b85e9189d0f8e6ad8f53a8dd9398f2f512995995fdb87457a635d3ddff64b08c79
SHA1 hash: 337fa5730d301ca3d37288ce932a04ebc0221d93
MD5 hash: a8521386eacf0f858077249faa381763
humanhash: bluebird-william-network-fanta
File name:Oxqfxohrjqryauuonybvsdergonzrywtkp.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:694'272 bytes
First seen:2021-10-15 09:02:43 UTC
Last seen:2021-10-15 09:51:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 12666343f95da9cc22c238274d75b6c6 (3 x RemcosRAT, 1 x Formbook, 1 x AveMariaRAT)
ssdeep 12288:0SvSsA2JxPaLrNgLGKXhfLeoZ10VicVp7+SnqyUz:0AdLzPCrNgLfXhaoZuVTvpqyA
Threatray 781 similar samples on MalwareBazaar
TLSH T1A4E49D5763C50332C46A2F764D4B7D10968E3E312BA828619DEC3D140F25FE9ADE936B
File icon (PE):PE icon
dhash icon fedcbf4d750f4c4c (5 x RemcosRAT, 2 x Formbook, 1 x AveMariaRAT)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
303
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bestellung 2021-10-15.xlsx
Verdict:
Malicious activity
Analysis date:
2021-10-15 09:05:51 UTC
Tags:
exploit CVE-2017-11882 loader rat remcos trojan keylogger
Link:
https://app.any.run/tasks/db7ba599-6588-4d02-8207-2eaf1c464c02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197719/
Detection(s):
SecuriteInfo.com.W32.Injector.AMR.genEldorado.8023.16398.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm evasive greyware keylogger
Link:
https://www.filescan.io/uploads/616943c91c2d58ba7407d5af/reports/c2988328-cb83-4477-9251-2c58ba01de11/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e136eeab-f353-4f84-899a-527093ffbecc
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871048
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 503476 Sample: Oxqfxohrjqryauuonybvsdergon... Startdate: 15/10/2021 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 4 other signatures 2->69 8 Oxqfxohrjqryauuonybvsdergonzrywtkp.exe 1 23 2->8         started        13 Oxqfxoh.exe 14 2->13         started        15 Oxqfxoh.exe 17 2->15         started        process3 dnsIp4 49 onedrive.live.com 8->49 51 ok0muq.by.files.1drv.com 8->51 53 by-files.fe.1drv.com 8->53 41 C:\Users\Public\Libraries\...\Oxqfxoh.exe, PE32 8->41 dropped 79 Writes to foreign memory regions 8->79 81 Creates a thread in another existing process (thread injection) 8->81 83 Injects a PE file into a foreign processes 8->83 17 DpiScaling.exe 2 3 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        55 onedrive.live.com 13->55 59 2 other IPs or domains 13->59 25 mobsync.exe 13->25         started        57 onedrive.live.com 15->57 61 2 other IPs or domains 15->61 27 DpiScaling.exe 15->27         started        file5 signatures6 process7 dnsIp8 43 rominar247.ddns.net 197.210.54.60, 7396 VCG-ASNG Nigeria 17->43 45 185.244.30.7, 49809, 7396 DAVID_CRAIGGG Netherlands 17->45 47 192.168.2.1 unknown unknown 17->47 71 Contains functionality to inject code into remote processes 17->71 73 Contains functionality to steal Firefox passwords or cookies 17->73 75 Delayed program exit found 17->75 29 reg.exe 1 21->29         started        31 conhost.exe 21->31         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        77 Contains functionality to steal Chrome passwords or cookies 25->77 signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2df667c2a61c1cc161df7e8e1d7dcf1407a0bc30eb7eaf881c835fecfde5f086/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-10-15 09:03:06 UTC
AV detection:
7 of 44 (15.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fx3gpqvgdqomcyo7p2hb27opcqd2bpbq5n7k7ca4qnp6z7pf6cda._file
Verdict:
malicious
Similar samples:
0b2d1bf2ca75ec2f3db69659158e685cec6efb71e4be9e277af99b3ad0508c11
RemcosRAT
3490cb5fd9a372722f95ed69c41e23d5cd274ce6b3c024ec1731962a380409d6
RemcosRAT
8f1eefd14608fae865576d9f7a24be116eb9d8dcebf89c954e2e645b06174c4e
RemcosRAT
a2067e35b12b83ddae55145931870302de477b5ccce82a5e86ea7bf8e057d8d7
RemcosRAT
a2539269c2b9200d7baed9f0dfc25b59fd4713a641d79fd9bd13272c7e1296ca
RemcosRAT
cea073b0df1f1c1d964c4acb6755b6002976c05a4e9a059ca7f0d26da84ecb35
RemcosRAT
dbafada7e8406895de0d99952e4543a123b453c9181e4b9244c8938e3cbc9d6d
RemcosRAT
ed78db064dfb4ae791498b2d08410a69bdad684ff709319d179c2383dd8e2f1c
RemcosRAT
f76c77ec8ce93ed76e97e714bb04a010ec289f3a08c321e95ac09c4f4285b2c5
RemcosRAT
ffb6236e6dd03ba2599326f3d83d2ffabf8ab18902f1865aa0a68f1881e31978
RemcosRAT
+ 771 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:octoberfm persistence rat
Link:
https://tria.ge/reports/211015-kz15eaagb9/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
rominar247.ddns.net:7396
Unpacked files
SH256 hash:
b442c8ee81830c52fea734d23e06e69c20c2b9bfe1e40d63ccb914f87057fcdc
MD5 hash:
df88ffb63d0248e61042c6cae3f3af44
SHA1 hash:
291abeefb0563cf93bb73697ff4e5db3916e0b78
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/69b219c5-d643-4f85-ab9d-039524faba69/
Parent samples :
2df667c2a61c1cc161df7e8e1d7dcf1407a0bc30eb7eaf881c835fecfde5f086
e36594f316d20c3f0fb948a9c12a0190b872265c7ba49ebb4ffab701f38bbdd9
ec8a52d55cce244ac7d599b9a54b6aae59b73224f6b379c9ab999ab2a567709e
636abbcfa39fd806176a81b1b72a3d55b6d2c04e32863eb33d1324382c3d79cd
ad424f679f2f0140d5d3297afa4dd1d3e1b82357b68128ab6bc8015495165a66
SH256 hash:
2df667c2a61c1cc161df7e8e1d7dcf1407a0bc30eb7eaf881c835fecfde5f086
MD5 hash:
a8521386eacf0f858077249faa381763
SHA1 hash:
337fa5730d301ca3d37288ce932a04ebc0221d93
Link:
https://www.unpac.me/results/69b219c5-d643-4f85-ab9d-039524faba69/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2df667c2a61c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2df667c2a61c1cc161df7e8e1d7dcf1407a0bc30eb7eaf881c835fecfde5f086

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 2df667c2a61c1cc161df7e8e1d7dcf1407a0bc30eb7eaf881c835fecfde5f086

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/197719/
  
URLhaus
https://urlhaus.abuse.ch/url/1680922/

Comments