MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219
SHA3-384 hash: 277596b6f72d60c4f441d7f2feef12cad78b9dbcddc453e5d97ac36411f3bad0e07ccd868ef40a8597ae9935fb8e4496
SHA1 hash: 57bf6c471e04ae794cb50572a892a8403ba1d7db
MD5 hash: 6248bbc6bb534f8b55411c680159f249
humanhash: fillet-nevada-enemy-artist
File name:PurchaseOrdersCSTtyres004786587.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:21'216 bytes
First seen:2021-02-20 08:27:34 UTC
Last seen:2021-02-20 10:51:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:eRY2bt7TzCueplLZUotznib8gBM2BgEYxgEQUFgE0IhZx:erbxfNYeIgBMWgEUgEjFgExhZx
Threatray 145 similar samples on MalwareBazaar
TLSH 7492F914F6D85E13E439783520F236099773EAC26AC6E6376F8CA6F956036C36E5C348
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: slot0.abutatodam.xyz
Sending IP: 203.159.80.137
From: VERONICA MAIO <office@abutatodam.xyz>
Subject: QUOTATION REQUEST FOR ORDER Urgent Supply
Attachment: PurchaseOrdersCSTtyres004786587.rar (contains "PurchaseOrdersCSTtyres004786587.exe")

RemcosRAT C2:
greatglass.servebeer.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118082/
Detection(s):
SecuriteInfo.com.Win32.Heur.KVM019.a.kcloud.13723.27632.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613219
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture and log keystrokes
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Country aware sample found (crashes after keyboard check)
Creates an autostart registry key pointing to binary in C:\Windows
Delayed program exit found
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Remcos
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 355625 Sample: PurchaseOrdersCSTtyres00478... Startdate: 20/02/2021 Architecture: WINDOWS Score: 100 64 greatglass.servebeer.com 2->64 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Detected Remcos RAT 2->84 86 10 other signatures 2->86 8 PurchaseOrdersCSTtyres004786587.exe 23 9 2->8         started        13 explorer.exe 2->13         started        15 explorer.exe 2->15         started        17 10 other processes 2->17 signatures3 process4 dnsIp5 76 coroloboxorozor.com 104.21.71.230, 49720, 80 CLOUDFLARENETUS United States 8->76 58 C:\Windows\Resources\Themes\...\svchost.exe, PE32 8->58 dropped 60 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->60 dropped 62 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->62 dropped 88 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->88 90 Contains functionality to steal Chrome passwords or cookies 8->90 92 Contains functionality to capture and log keystrokes 8->92 98 9 other signatures 8->98 19 PurchaseOrdersCSTtyres004786587.exe 8->19         started        23 AdvancedRun.exe 1 8->23         started        25 cmd.exe 8->25         started        34 4 other processes 8->34 94 Drops executables to the windows directory (C:\Windows) and starts them 13->94 27 svchost.exe 13->27         started        30 svchost.exe 15->30         started        78 127.0.0.1 unknown unknown 17->78 96 Changes security center settings (notifications, updates, antivirus, firewall) 17->96 32 MpCmdRun.exe 17->32         started        file6 signatures7 process8 dnsIp9 66 greatglass.servebeer.com 194.5.97.248, 1961, 49733, 49737 DANILENKODE Netherlands 19->66 52 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 19->52 dropped 68 192.168.2.1 unknown unknown 23->68 36 AdvancedRun.exe 23->36         started        38 conhost.exe 25->38         started        40 timeout.exe 25->40         started        70 coroloboxorozor.com 27->70 54 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 27->54 dropped 100 System process connects to network (likely due to code injection or exploit) 27->100 42 AdvancedRun.exe 27->42         started        72 172.67.172.17, 49742, 49748, 80 CLOUDFLARENETUS United States 30->72 74 coroloboxorozor.com 30->74 56 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 30->56 dropped 102 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->102 44 AdvancedRun.exe 30->44         started        46 conhost.exe 34->46         started        48 conhost.exe 34->48         started        50 conhost.exe 34->50         started        file10 signatures11 process12
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jgsmsvmz6676japnqv4s33ja5lrx26ryrhkd7aodjeyuz6d6mimq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
07971958696b43eead2da2114b7a3965b492cdae39843078f16d56ad331427fe
RemcosRAT
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
RemcosRAT
19ea2b24f4d65b8169f982300901dba2253a880e3bd3f07dfcf933c0fe67a139
RemcosRAT
2ddbf5aed765723b948699526bc2a9a49864dc1181e21f4c51fe613aa8d0ca7e
RemcosRAT
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
RemcosRAT
638c7d6859e792cc15836509bd58bf468b755fee3dcf669d2dcf328dd0029f12
RemcosRAT
a0f4dd8f54f51cb4d1243ecf21b2e5d578464ec54ba9b8e98b1afdb17465b4bc
RemcosRAT
c3d5cfa19bb7af77abe161135bd85506171d67dca3f86fa6a68340d05e203f64
RemcosRAT
db3691bd029c0e2db482666cdae1be9dbd30e488eeffc6fbffb1b52976705c99
RemcosRAT
ea34ce44176906af3dd7ec1e4d9db0df144f5769ce3298d88864698c54164c9b
RemcosRAT
+ 135 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos evasion persistence rat trojan
Link:
https://tria.ge/reports/210220-cfwjcvqm9n/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Nirsoft
Modifies Windows Defender Real-time Protection settings
Remcos
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
greatglass.servebeer.com:1961
Unpacked files
SH256 hash:
49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219
MD5 hash:
6248bbc6bb534f8b55411c680159f249
SHA1 hash:
57bf6c471e04ae794cb50572a892a8403ba1d7db
Link:
https://www.unpac.me/results/fee25d81-6615-42fd-baaf-40f0be797d27/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar f8fca4cbca313b76d8808a6b36fc975ee638c1ac82e8ed86ebf22411d789386a

RemcosRAT

Executable exe 49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219

(this sample)

  
Dropped by
MD5 890f73c4316e66b91eb69cf1deac8f0e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118082/
  
Dropped by
SHA256 f8fca4cbca313b76d8808a6b36fc975ee638c1ac82e8ed86ebf22411d789386a

Comments