MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cc981a7b504f9c20ee0a8497581f43b007eb3c412d85b87ef7f0cd0c5a145b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cc981a7b504f9c20ee0a8497581f43b007eb3c412d85b87ef7f0cd0c5a145b6
SHA3-384 hash: 723a5a5b12eda470f64f14174dad1dc74cc2bad32bc72ada333bec68012df09b7e97fe3d0580d52025e5973170e0c659
SHA1 hash: 74ad1277557d02a35729144fbdd6a7aaf1bd5de7
MD5 hash: b560c1126b2e27ec044832743f163000
humanhash: happy-don-carbon-tennessee
File name:New Order request Ref E100-#3175704534,pdf.e.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:652'104 bytes
First seen:2021-04-07 07:55:09 UTC
Last seen:2021-04-07 09:01:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash af52f63bf30089caa8a0bd17b5f786c5 (3 x RemcosRAT, 1 x AveMariaRAT, 1 x ModiLoader)
ssdeep 12288:/3e7vWhDoA/ytg+9qfAsVfbv3APwU/OyVF:/O7HA/jfzb4IUDVF
Threatray 1'698 similar samples on MalwareBazaar
TLSH 00D49E32A6E14437E1B32B7C9D6FB7644C26BE0139E5B44E2BE41C0D5F38B817929396
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
194.5.97.14:6712

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.97.14:6712 https://threatfox.abuse.ch/ioc/7120/

Intelligence

File Origin
# of uploads :
2
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order request Ref E100-#3175704534,pdf.e.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 07:58:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/91c5fb8c-09a8-4511-b5df-0f76b8867ea6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132796/
Detection(s):
PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668400
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383130 Sample: New Order request Ref  E100... Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 55 goddywin.freedynamicdns.net 2->55 75 Multi AV Scanner detection for domain / URL 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Detected Remcos RAT 2->79 81 8 other signatures 2->81 11 New Order request Ref  E100-#3175704534,pdf.e.exe 1 26 2->11         started        16 Wbspve.exe 16 2->16         started        18 Wbspve.exe 16 2->18         started        signatures3 process4 dnsIp5 59 opeb2a.bn.files.1drv.com 11->59 67 2 other IPs or domains 11->67 49 C:\Users\Public49etplwiz.exe, PE32+ 11->49 dropped 51 C:\Users\Public51ETUTILS.dll, PE32+ 11->51 dropped 53 C:\Users\Public\Libraries\Wbspve\Wbspve.exe, PE32 11->53 dropped 83 Writes to foreign memory regions 11->83 85 Creates a thread in another existing process (thread injection) 11->85 87 Injects a PE file into a foreign processes 11->87 20 cmd.exe 3 2 11->20         started        22 ieinstal.exe 2 11->22         started        61 opeb2a.bn.files.1drv.com 16->61 69 2 other IPs or domains 16->69 89 Multi AV Scanner detection for dropped file 16->89 91 Allocates memory in foreign processes 16->91 25 ieinstal.exe 16->25         started        63 192.168.2.1 unknown unknown 18->63 65 opeb2a.bn.files.1drv.com 18->65 71 2 other IPs or domains 18->71 27 ieinstal.exe 18->27         started        file6 signatures7 process8 dnsIp9 29 wscript.exe 1 20->29         started        31 conhost.exe 20->31         started        57 goddywin.freedynamicdns.net 194.5.97.14, 49722, 49723, 49724 DANILENKODE Netherlands 22->57 process10 process11 33 cmd.exe 5 29->33         started        37 conhost.exe 31->37         started        file12 45 C:\Windows \System3245etplwiz.exe, PE32+ 33->45 dropped 47 C:\Windows \System3247ETUTILS.dll, PE32+ 33->47 dropped 73 Drops executables to the windows directory (C:\Windows) and starts them 33->73 39 Netplwiz.exe 33->39         started        41 conhost.exe 33->41         started        signatures13 process14 process15 43 cmd.exe 1 39->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3cc981a7b504f9c20ee0a8497581f43b007eb3c412d85b87ef7f0cd0c5a145b6/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 07:56:05 UTC
AV detection:
15 of 48 (31.25%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hteydj5vat44edxavbexlapuhmah5m6eclmfxb7pp4gnbrnbiw3a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
11574e6b8024699ebcbd840e3dbf4adf4b93f0c5a3c120dca1bdbb29362e78af
RemcosRAT
17c742f29afb5c4352f3fb0079fbb0b2d72da1e65cfc59695f9a7259088b4615
RemcosRAT
1d61d1e99f05f85dbe885fc183a1b5fe81c0d47350868484186705d491a6577a
RemcosRAT
3483cf3d7087f312aa5e6de882cd7893e2add074a30158141173a242443cd6c0
RemcosRAT
49cd69981ba93f82911e3c5d6cd5afbd7e035001a6d9f5f0643415f5d7e61590
RemcosRAT
52fa8487efeb8b203fb1f37501c366088b71de4ded620695ba2e34e8c0f446a2
RemcosRAT
b8226d8eecce8bfdf11e59092c4e1b24fe6c232e566bb2b665530834f3e2a12c
RemcosRAT
d67dde5621d6de76562bc2812f04f986b441601b088aa936d821c0504eb4f7aa
RemcosRAT
e65bff9943ab7ccc3713619a8d908f6caf5392c0c47defe3b66ca9009d2177ed
RemcosRAT
ef842b61ba7b4de87f9c6ab12cdd68e23c97ee6100b3eabcde0078537af9feb8
RemcosRAT
+ 1'688 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/210407-srcl7mefwa/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
goddywin.freedynamicdns.net:6712
Unpacked files
SH256 hash:
31ffb1d8050b158b4c432cbb831f9da9b918443b7ed3ecca7e3d7a18a531e3f9
MD5 hash:
406f0b9cc6dacbdd1b715c557b941343
SHA1 hash:
77387463c87215e20a8592430665820cbb146660
Link:
https://www.unpac.me/results/a8e102b0-9de9-4559-9a86-6c4fc5222b24/
SH256 hash:
3cc981a7b504f9c20ee0a8497581f43b007eb3c412d85b87ef7f0cd0c5a145b6
MD5 hash:
b560c1126b2e27ec044832743f163000
SHA1 hash:
74ad1277557d02a35729144fbdd6a7aaf1bd5de7
Link:
https://www.unpac.me/results/a8e102b0-9de9-4559-9a86-6c4fc5222b24/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3cc981a7b504f9c20ee0a8497581f43b007eb3c412d85b87ef7f0cd0c5a145b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_KB_CERT_635517466b67bd4bba805bc67ac3328c
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132796/

Comments