MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3483cf3d7087f312aa5e6de882cd7893e2add074a30158141173a242443cd6c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 10 File information Comments

SHA256 hash:	3483cf3d7087f312aa5e6de882cd7893e2add074a30158141173a242443cd6c0
SHA3-384 hash:	5f05b079b534b695e09fdf28d083ba37923160a6a3032bd4b86e1b742ee3886cebb41d6318e737e3c67e8f9c1068c6e9
SHA1 hash:	ff61ab63858cd853bd3117f3ea7d6a962ce311d8
MD5 hash:	81e45dd92ab7f7f8dfb13dd6f04cbefa
humanhash:	georgia-stream-angel-vermont
File name:	ADL244790111H6551,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'234'064 bytes
First seen:	2021-03-03 18:11:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d219889eb62c908c0fa1513db83e881e (1 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	12288:RrfuW+EGFR19bOzxRUv9tXNdTcrmurqu+reffSFamnUtQNZAkxxKbSDalBFyX+4i:hGzFRDbOzLSt9d42YICQNyJ8u4JNHi
TLSH	36457D21A78348B2C42B07745E7F4B755C27BE526929664A3AEC3C3C7FB73923823546
Reporter	abuse_ch
Tags:	DHL exe nVpn RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: v198.ncsrv.de
Sending IP: 89.110.144.212
From: DHL <gina.ruiz@dhl.com>
Subject: ***Virus*** Re: DHL Delivery
Attachment: ADL244790111H6551,pdf.CAB (contains "ADL244790111H6551,pdf.exe")

RemcosRAT C2:
goddywin.freedynamicdns.net:6712 (194.5.97.244)

Pointing to nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.97.0 - 194.5.97.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-UK5
country: GB
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
mnt-by: PRIVACYFIRST-MNT
status: SUB-ALLOCATED PA
created: 2018-07-23T09:31:45Z
last-modified: 2020-08-26T17:48:55Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ADL244790111H6551,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-03-03 18:18:46 UTC

Tags:

trojan rat remcos

Link:

https://app.any.run/tasks/b4e9a877-0d96-4f5d-b9e7-bfadf109328c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/121930/

Detection(s):

Win.Dropper.Fareit-9838566-0

Result

Verdict:

Malware

Maliciousness:

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/626516

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3483cf3d7087f312aa5e6de882cd7893e2add074a30158141173a242443cd6c0/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2021-03-03 18:12:08 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gsb46plqq7zrfks6nxuiftlysprk3uduumavqfarooreerb423aa._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/210303-98dq7s1wf2/

Behaviour

Suspicious use of WriteProcessMemory

Remcos

Malware Config

C2 Extraction:

goddywin.freedynamicdns.net:6712

Unpacked files

SH256 hash:

019110090b8fb5a72c1f9c11318ee1581219dc128f3bcbd14c10e1f6ebb7fe13

MD5 hash:

c7943d89aa5262975fc0061c348ddc85

SHA1 hash:

c20f30f9e9d0e5cebaca0d9b514892b318f0d88a

Link:

https://www.unpac.me/results/0bab0a4b-43a6-4dcb-a884-5217047393d2/

SH256 hash:

ab3a9f5968c3466954aa999dc3aeda28c260e05f9dc8cc768df8416b6220f8dd

MD5 hash:

0c400e43710b552a92958188514b416c

SHA1 hash:

867db18def92abe4bfc6459cf92eadb29afc5867

Link:

https://www.unpac.me/results/0bab0a4b-43a6-4dcb-a884-5217047393d2/

SH256 hash:

03dbe36a6fccefbfda577c80b9f8575c9dc1f1f3c43d481d4db5780b2c4a8b9d

MD5 hash:

fbaeb2c640c0d08eedf1a96cafc68a25

SHA1 hash:

4ce2e5fec374565e2023e60d699447bcdb6551f0

Link:

https://www.unpac.me/results/0bab0a4b-43a6-4dcb-a884-5217047393d2/

SH256 hash:

3483cf3d7087f312aa5e6de882cd7893e2add074a30158141173a242443cd6c0

MD5 hash:

81e45dd92ab7f7f8dfb13dd6f04cbefa

SHA1 hash:

ff61ab63858cd853bd3117f3ea7d6a962ce311d8

Link:

https://www.unpac.me/results/0bab0a4b-43a6-4dcb-a884-5217047393d2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3483cf3d7087f312aa5e6de882cd7893e2add074a30158141173a242443cd6c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_KB_CERT_56f008e69a7c4c3feb389c66eaf58259 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator