MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fb4862367a755e48fdc223af9a1324ba792d3ac05f36125c3e39886505afa09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fb4862367a755e48fdc223af9a1324ba792d3ac05f36125c3e39886505afa09
SHA3-384 hash: b033242d32b9583433db4623a4eb00b9f79b202ccfbcfddac8900a2af0eb58575229077b3c5a1e363a1392d43ffdb159
SHA1 hash: f4007fc03e8706ea9576ddbbf5fe98dfad2c3feb
MD5 hash: 5055c574e0b18416c1593e487ed94d4c
humanhash: freddie-jig-wisconsin-sink
File name:New order Quotation PO#897211,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'060'184 bytes
First seen:2020-12-09 13:39:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b533f6ccb714ea0a0f83e1cff60dbfe0 (8 x ModiLoader, 2 x RemcosRAT)
ssdeep 24576:vklbZpRNhPXNH/yLjaKuOflQeE7D/cX+2hu0aQ:vkhRXNNKuOtQx/2vhuxQ
Threatray 1'294 similar samples on MalwareBazaar
TLSH 0935BFE2F2D0453EF13605749D0795796828EE182EDEA84627FD2E0C4F7C6C6381B99B
Reporter lowmal3
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New order Quotation PO_897211_pdf.exe
Verdict:
Malicious activity
Analysis date:
2020-12-10 12:38:50 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/0e14071e-d91f-436d-90f3-403b07ae3185

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107477/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Adware.Qjwmonkey-6892535-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.AdwareDealPly.fc.17878.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Gathering data
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/559103
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fb4862367a755e48fdc223af9a1324ba792d3ac05f36125c3e39886505afa09/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-09 13:40:06 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f62imi3hu5k6jd64ei5ptijsjotzfu5maxzwcjod4omimuc27ieq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
04f271742dac058c042af388562d7678536a47273846d692649926bad5dce1a0
RemcosRAT
14a8520afb80692ed77075a5a9e797fa2822a91e5eb43603762669fb65ef2144
RemcosRAT
5fb4f85646ca28a28ebcbdf6abc944530a57222c7c57b90538a3fb1e436632d5
RemcosRAT
74b843d9cabf046a044581d20033d93eecf9d8ea590ce9557569e40d990e6241
RemcosRAT
835109646cd221028859f7d4c7de74be962091d60840952ca85053e396fdc593
RemcosRAT
91ed2df39c53d7246eb84f3023072797925fa037f3a35c585247afc38322c649
RemcosRAT
bd86ba6f082dfd404bc2f3544f5b39ce04084742b334ab00a80f0c12c94daa46
RemcosRAT
c0442a7a63a5291b747e22a8e0eabe4abe3e344e6fbc3e4f1a0465895a29b5b2
RemcosRAT
e7def582e6c764fb35cad598da8b83da969897d37241402df8c8bac2b870432f
RemcosRAT
e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0
RemcosRAT
+ 1'284 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/201209-6d38gpyr3n/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ServiceHost packer
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
ebc9ec41719886fb4534b864699a0043ece45190389d5a8a37a1265bcea78cc7
MD5 hash:
d94101e11d30657dfde5c7789e640926
SHA1 hash:
20c184e1b906d35e0f163caa5e7190eb5c7d1a2a
Link:
https://www.unpac.me/results/8ddbdf6d-32fe-400a-891f-9613d7ee348a/
SH256 hash:
2fb4862367a755e48fdc223af9a1324ba792d3ac05f36125c3e39886505afa09
MD5 hash:
5055c574e0b18416c1593e487ed94d4c
SHA1 hash:
f4007fc03e8706ea9576ddbbf5fe98dfad2c3feb
Link:
https://www.unpac.me/results/8ddbdf6d-32fe-400a-891f-9613d7ee348a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/2fb4862367a755e48fdc223af9a1324ba792d3ac05f36125c3e39886505afa09

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 2fb4862367a755e48fdc223af9a1324ba792d3ac05f36125c3e39886505afa09

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/107477/

Comments