MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 492823289d0cbc07c789546fda1d7bbee05327c29964f5738f70e82ae7c4f4ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 492823289d0cbc07c789546fda1d7bbee05327c29964f5738f70e82ae7c4f4ad
SHA3-384 hash: 0f36252e1a6e08ebb4e6845a18dff2b5bd09559ae1f4c1dd93df316025da2138d0803b91ddfa45a312d449d732713b6c
SHA1 hash: 1b6b677dc0195cc31a58451e81489edc3e9ecb59
MD5 hash: 198fc5e4c09bbb50e74b047cccc88ddf
humanhash: equal-lemon-crazy-five
File name:Purchase Order.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:70'880 bytes
First seen:2021-03-09 10:50:14 UTC
Last seen:2021-03-09 13:26:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 768:2aS4ztVBnZL+4aHyf7fLryxwvBONoTItBdpqr27c27Z27R27ND+0BhQ:2Ts5k4aADXyqZINpjx8
Threatray 219 similar samples on MalwareBazaar
TLSH C16395C556461CB3C0EE1CF507BA36281669AF8DDC404F0EBC898E242DF7519DEACCA6
Reporter abuse_ch
Tags:bat RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: lucky1.263xmail.com
Sending IP: 211.157.147.133
From: 张贵强 <sale20@chinachuangxin.net>
Subject: Valid Prices
Attachment: Valid Prices.z (contains "Purchase Order.bat")

RemcosRAT C2:
feromo.duckdns.org:8087

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order.bat
Verdict:
Malicious activity
Analysis date:
2021-03-09 10:58:13 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/51414586-20eb-45d2-805d-0b130c9fef13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123149/
Detection(s):
SecuriteInfo.com.Artemis198FC5E4C09B.18943.16659.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a UDP request
Creating a file
Moving a recently created file
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Running batch commands
Adding an access-denied ACE
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Setting a single autorun event
Blocking the User Account Control
Setting a global event handler for the keyboard
Adding exclusions to Windows Defender
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/632565
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Country aware sample found (crashes after keyboard check)
Delayed program exit found
Detected Remcos RAT
Drops PE files with benign system names
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 365246 Sample: Purchase Order.bat Startdate: 09/03/2021 Architecture: WINDOWS Score: 100 67 Multi AV Scanner detection for domain / URL 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 15 other signatures 2->73 7 Purchase Order.exe 23 14 2->7         started        12 explorer.exe 2->12         started        14 explorer.exe 2->14         started        16 7 other processes 2->16 process3 dnsIp4 65 liverpoolofcfanclub.com 172.67.174.240, 49724, 49732, 49735 CLOUDFLARENETUS United States 7->65 51 C:\Program Files\Common Files\...\svchost.exe, PE32 7->51 dropped 53 C:\...\svchost.exe:Zone.Identifier, ASCII 7->53 dropped 55 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->55 dropped 85 Writes to foreign memory regions 7->85 87 Adds a directory exclusion to Windows Defender 7->87 89 Hides threads from debuggers 7->89 91 Injects a PE file into a foreign processes 7->91 18 AppLaunch.exe 7->18         started        23 AdvancedRun.exe 1 7->23         started        25 cmd.exe 7->25         started        33 4 other processes 7->33 27 svchost.exe 12->27         started        29 svchost.exe 14->29         started        31 WerFault.exe 16->31         started        file5 signatures6 process7 dnsIp8 57 feromo.duckdns.org 185.157.161.113, 49730, 8078 OBE-EUROPEObenetworkEuropeSE Sweden 18->57 47 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 18->47 dropped 75 Contains functionality to steal Chrome passwords or cookies 18->75 77 Contains functionality to capture and log keystrokes 18->77 79 Contains functionality to inject code into remote processes 18->79 83 2 other signatures 18->83 59 192.168.2.1 unknown unknown 23->59 35 AdvancedRun.exe 23->35         started        37 conhost.exe 25->37         started        39 timeout.exe 25->39         started        61 liverpoolofcfanclub.com 27->61 81 System process connects to network (likely due to code injection or exploit) 27->81 63 liverpoolofcfanclub.com 29->63 49 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 29->49 dropped 41 conhost.exe 33->41         started        43 conhost.exe 33->43         started        45 conhost.exe 33->45         started        file9 signatures10 process11
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-09 07:23:51 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jeucgke5bs6apr4jkrx5uhl3x3qfgj6ctfspk44poducvz6e6swq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a
RemcosRAT
2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12
RemcosRAT
57a1ee826afb333572965abe745c06597d0111f75494c586619d6b23d9ceda10
RemcosRAT
5abccf199b1e503db7c810a9dcbe1310b6a6b78441b091dae6f45c92d3c3add1
RemcosRAT
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
RemcosRAT
a0ebcb3078763eb8acca534831ef9ca1a213347328698aa3cda7c5bd23cd81d8
RemcosRAT
b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839
RemcosRAT
d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9
RemcosRAT
e4e47b27c701e89ac6a550ab1f8ecb6058c79d9f9bca9a56ec71e3baf01dc545
RemcosRAT
ef6ac1293cdfda22c8d940f96c5433f406a4c3666e6941e4f094a8cf50d04ac1
RemcosRAT
+ 209 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos evasion persistence rat trojan
Link:
https://tria.ge/reports/210309-c2kqperrke/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Remcos
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
feromo.duckdns.org:8078
Unpacked files
SH256 hash:
492823289d0cbc07c789546fda1d7bbee05327c29964f5738f70e82ae7c4f4ad
MD5 hash:
198fc5e4c09bbb50e74b047cccc88ddf
SHA1 hash:
1b6b677dc0195cc31a58451e81489edc3e9ecb59
Link:
https://www.unpac.me/results/4ae8f204-31b5-4ab0-a1a5-d898f7144972/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/492823289d0cbc07c789546fda1d7bbee05327c29964f5738f70e82ae7c4f4ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip cd63f226472363f922bbdd9d21c1821c0b97a12b9b369e53d482d0c412df63af

RemcosRAT

Executable exe 492823289d0cbc07c789546fda1d7bbee05327c29964f5738f70e82ae7c4f4ad

(this sample)

  
Dropped by
MD5 833afa81bb417fd53807d5bc23a743b6
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 cd63f226472363f922bbdd9d21c1821c0b97a12b9b369e53d482d0c412df63af
Cape
Cape
https://www.capesandbox.com/analysis/123149/

Comments