MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 9 File information Comments

SHA256 hash:	3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd
SHA3-384 hash:	553b5b0ba5cc1132209ebca0d5b403c10149f1dcf3f0ea1573c63e2cb7666c86d47525af48e3ea9d31bba9981608f31d
SHA1 hash:	0d37d5f1876431cd0345f72770e38302d07b194b
MD5 hash:	43df80ded0aa1f92951742b2dc2b916e
humanhash:	west-nitrogen-steak-bluebird
File name:	DHL Delivery Shipping, PDF.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'014'784 bytes
First seen:	2021-01-13 05:58:50 UTC
Last seen:	2021-01-13 08:00:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:oHImn2VCHLzmtcLgTSMLD8TCznzRIWECBiWW8jd/kRPGJsQVOkg:olsWzmtcALHnTEOEPce1
Threatray	63 similar samples on MalwareBazaar
TLSH	52251A40BBD85700F3BD27BC693440615BF6FB95E6B8E31CF86C50A91BA2D5084BE762
Reporter	abuse_ch
Tags:	DHL exe RemcosRAT

abuse_ch

RemcosRAT C2:
mikegrace2021.ddns.net

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL Delivery Shipping, PDF.exe

Verdict:

Malicious activity

Analysis date:

2021-01-13 07:58:19 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/b993d488-b4fb-4609-9697-bfbef0e4bbc6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/111666/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.ZGPtr.18983.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a process with a hidden window

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/579732

Signature

.NET source code contains potential unpacker

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2021-01-13 05:59:05 UTC

AV detection:

4 of 46 (8.70%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=h5aw5nakf4yehoyoc3ggqsr45tnoh7xj6naojlpz3w3qbzf7ft6q._file

Verdict:

unknown

RemcosRAT

2fe26662d53b976914fd7bd9fbb589f5bd4114f47753c9437593b29fcd04c236

RemcosRAT

3dde92f19924860f0874ee0fe3fab80a1112c20e18d9782528bd7c471f0f2344

RemcosRAT

61248c209119bd790c6ad906dd9d12e7a03455c2b2f6e4b7d1432aed6ae92439

RemcosRAT

854943461f0cbcc761f4329a919a99ba3143b2fda953e15b9c87207eb7fe9a2d

RemcosRAT

911f22d0fdceeec6e8e6426b0111c1632e6b70f21940584aa05345ac470c4c4f

RemcosRAT

9e184fecd3e0be67e11c78d407fe8e1f5f75573b32801bf00055745ef3c86225

RemcosRAT

cc15e8a9e04355389815d8a7be4c34746c87a2a9d672e426c01b00ad0a583069

RemcosRAT

d7f09eb72021576518b37cce8a29aede8b3e49ec827a3f63e54bf1850eb93243

RemcosRAT

e1f08269363e55708c850e156f5f4cdc50acc14efdce1f3464a70c91548c7548

RemcosRAT

+ 53 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/210113-zbcmz7926e/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

mikegrace2021.ddns.net:1999

Unpacked files

SH256 hash:

3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd

MD5 hash:

43df80ded0aa1f92951742b2dc2b916e

SHA1 hash:

0d37d5f1876431cd0345f72770e38302d07b194b

Link:

https://www.unpac.me/results/95ca0b3d-5eae-423f-b901-99d4d90701d5/

SH256 hash:

12ea05cd4e956b8985b50df244040164e70fcd5e4e3938252bdb4335fa28febb

MD5 hash:

2613b6e99b30e5c2e60655980f59145d

SHA1 hash:

21b8b470fc5313c817d4f8efa73d6a426f74bd25

Link:

https://www.unpac.me/results/95ca0b3d-5eae-423f-b901-99d4d90701d5/

SH256 hash:

296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5

MD5 hash:

4cf24d41a7882216740280e3294cb853

SHA1 hash:

6bcb31d3dc0a7d71da1067a628168664202769a4

Link:

https://www.unpac.me/results/95ca0b3d-5eae-423f-b901-99d4d90701d5/

SH256 hash:

b515f4cd7859e142c72083cf036e5770988a66f096b5a0feebece7cccb675bdb

MD5 hash:

21401a93428a64425ff6fcbb0cd5139f

SHA1 hash:

a7a9647b5e0e31a92769699c142ba7d848fc36e8

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/95ca0b3d-5eae-423f-b901-99d4d90701d5/

Parent samples :

3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd
8084639a37257615b09beac5c8f681aa2115ece62fcb003fc8ddadb0d833fdb7

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/111666/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample