MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 462062209acc090a567e2bd571acd1d52c19d0d80ee56da256a3c58aaf3b12e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	462062209acc090a567e2bd571acd1d52c19d0d80ee56da256a3c58aaf3b12e9
SHA3-384 hash:	ce3c35ba8f2289f1cd8f37c7040aa46409332ae5d37f0a82b13b40e3c4176dadab0665ea0a44cd1901b2a787ad66a98e
SHA1 hash:	6a8ef4cdd29fa41d8d45559aadec3e44a90e792f
MD5 hash:	643c3d9c512e0e53cacb2b1725f83d90
humanhash:	kilo-avocado-bluebird-stream
File name:	Pdf Attached.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	749'056 bytes
First seen:	2021-09-03 17:24:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	683e36fe1155994747e39b9f335ec7e3 (3 x RemcosRAT)
ssdeep	12288:KAQ4TXPbFLYhC0MPsgGsXxItIwX/m/zOOMH9L9T5kLvRJ:KZaZUhJOskXOt5vmb6kLJ
Threatray	2'470 similar samples on MalwareBazaar
TLSH	T1B8F48D427BF007BAE37B2BB24C337A399D21BF14192960547FE55E4E0E7C544632D2AA
dhash icon	03372481b95d1d3f (8 x RemcosRAT, 4 x Formbook)
Reporter	GovCERT_CH
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

835

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Pdf Attached.exe

Verdict:

Malicious activity

Analysis date:

2021-09-03 17:25:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e835be4c-f19d-4ffe-9e92-68cc440537a6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/185225/

Detection(s):

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Launching a process

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a global event handler for the keyboard

Unauthorized injection to a system process

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/37e48850-1d2c-4fa0-a584-e25e67dc53e8

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/845004

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/462062209acc090a567e2bd571acd1d52c19d0d80ee56da256a3c58aaf3b12e9/

Threat name:

Win32.Trojan.Remcos

Status:

Malicious

First seen:

2021-09-03 17:25:16 UTC

AV detection:

13 of 28 (46.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=iyqgeie2zqequvt6fpkxdlgr2uwbtugyb3sw3iswupcyvlz3cluq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

1d61d1e99f05f85dbe885fc183a1b5fe81c0d47350868484186705d491a6577a

RemcosRAT

3483cf3d7087f312aa5e6de882cd7893e2add074a30158141173a242443cd6c0

RemcosRAT

52fa8487efeb8b203fb1f37501c366088b71de4ded620695ba2e34e8c0f446a2

RemcosRAT

63546d7293b43b8c746bbddddcfe798478d99e5786fceff8d1fcfb52b9a64aed

RemcosRAT

66eb53699937b049b917bbcfa13b9b5d2f8449753dcbbf9e35405a766cdc9a70

RemcosRAT

798fc4066cf0b5e0c6711d32ca8d43afc7d4b99f333c184b7fd0b7d3b7eb7559

RemcosRAT

7df259f7873239aee108522c3efd6fca233db83a268a3c9fad4766994c5a029d

RemcosRAT

b9a4e85c7d4645fd515eb3f8b883ee8e5990ff4381a90b5a8f42bff007fbb386

RemcosRAT

e65bff9943ab7ccc3713619a8d908f6caf5392c0c47defe3b66ca9009d2177ed

RemcosRAT

+ 2'460 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos botnet:remotehost persistence rat trojan

Link:

https://tria.ge/reports/210903-vzaybsgfck/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Adds Run key to start application

Blocklisted process makes network request

ModiLoader, DBatLoader

Remcos

Malware Config

C2 Extraction:

rem1.camdvr.org:2404
rem16.hopto.org:2404
rem1666.hopto.org:2404
rem16.camdvr.org:2404
remmusic.freeddns.org:2404
sunwap1.ddns.net:2404
rem166.hopto.org:2404

Unpacked files

SH256 hash:

462062209acc090a567e2bd571acd1d52c19d0d80ee56da256a3c58aaf3b12e9

MD5 hash:

643c3d9c512e0e53cacb2b1725f83d90

SHA1 hash:

6a8ef4cdd29fa41d8d45559aadec3e44a90e792f

Link:

https://www.unpac.me/results/e2c740e4-9d37-4bf9-9a62-c4fb01ab20a5/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/462062209acc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/462062209acc090a567e2bd571acd1d52c19d0d80ee56da256a3c58aaf3b12e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 462062209acc090a567e2bd571acd1d52c19d0d80ee56da256a3c58aaf3b12e9

(this sample)

Dropped by

RemcosRAT

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/185225/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample