MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ab84e93828d782ad5eda161c3780b9bb7b4ef767df36ba07e6d61a5aa5388b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ab84e93828d782ad5eda161c3780b9bb7b4ef767df36ba07e6d61a5aa5388b1
SHA3-384 hash: c9c552802f8a5d4fe5009c8d01fa535147ddd0edefd4c9a612d436ec4d3fe6b9c2e8d62afcfec7352dad8357db7e44dc
SHA1 hash: cb841cb367ba4b00075615578c693fa8278b8a1c
MD5 hash: 4939b852848a95bc4cd388987f080b2d
humanhash: king-stairway-three-blossom
File name:759c16891bcf2446ce85056f90d4dd6b.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:753'664 bytes
First seen:2021-03-10 17:01:25 UTC
Last seen:2021-03-10 18:52:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:0FzIszBF+KcndgKzXicuEjIN2ujByVlO6wlbkSqCNwedE+sqnW7omsvMnx:0FzEbfj620MO6ak82eaqWLy
TLSH 65F41269326471EDC893F6359A9B2C7DAB6038A7C32F424B940325DD9A0DA97DF050F3
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: slot0.cliveit.com
Sending IP: 194.31.96.114
From: Hakan Yaman <postmaster@cliveit.com>
Reply-To: Hakan Yaman <sdmarine861000@gmail.com>
Subject: Re: Re: new order
Attachment: 759c16891bcf2446ce85056f90d4dd6b.tar (contains "759c16891bcf2446ce85056f90d4dd6b.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
759c16891bcf2446ce85056f90d4dd6b.exe
Verdict:
Malicious activity
Analysis date:
2021-03-10 17:07:33 UTC
Tags:
rat remcos stealer keylogger trojan
Link:
https://app.any.run/tasks/40c3d5be-5914-414c-962f-2da556091af9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PWS-FCXD4939B852848A.24717.18966.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/635994
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Remcos
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Yara detected AntiVM_3
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 366972 Sample: 759c16891bcf2446ce85056f90d... Startdate: 11/03/2021 Architecture: WINDOWS Score: 100 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 12 other signatures 2->75 11 759c16891bcf2446ce85056f90d4dd6b.exe 3 2->11         started        15 remcos.exe 2 2->15         started        17 remcos.exe 2 2->17         started        process3 file4 55 759c16891bcf2446ce85056f90d4dd6b.exe.log, ASCII 11->55 dropped 85 Detected unpacking (changes PE section rights) 11->85 87 Contains functionality to steal Chrome passwords or cookies 11->87 89 Contains functionality to capture and log keystrokes 11->89 93 4 other signatures 11->93 19 759c16891bcf2446ce85056f90d4dd6b.exe 4 5 11->19         started        91 Injects a PE file into a foreign processes 15->91 22 remcos.exe 15->22         started        24 remcos.exe 15->24         started        26 remcos.exe 17->26         started        signatures5 process6 file7 51 C:\Users\user\AppData\Roaming\...\remcos.exe, PE32 19->51 dropped 53 C:\Users\user\...\remcos.exe:Zone.Identifier, ASCII 19->53 dropped 28 wscript.exe 1 19->28         started        process8 process9 30 cmd.exe 1 28->30         started        process10 32 remcos.exe 3 30->32         started        35 conhost.exe 30->35         started        signatures11 61 Multi AV Scanner detection for dropped file 32->61 63 Detected unpacking (changes PE section rights) 32->63 65 Machine Learning detection for dropped file 32->65 67 Injects a PE file into a foreign processes 32->67 37 remcos.exe 3 3 32->37         started        process12 dnsIp13 57 fieldsdegreenf.duckdns.org 79.134.225.79, 49721, 49722, 6553 FINK-TELECOM-SERVICESCH Switzerland 37->57 77 Injects a PE file into a foreign processes 37->77 41 remcos.exe 37->41         started        44 remcos.exe 37->44         started        47 svchost.exe 37->47         started        49 2 other processes 37->49 signatures14 process15 dnsIp16 79 Tries to steal Instant Messenger accounts or passwords 41->79 81 Tries to steal Mail credentials (via file access) 41->81 59 192.168.2.1 unknown unknown 44->59 83 Tries to harvest and steal browser information (history, passwords, etc) 44->83 signatures17
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-10 17:02:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
24 of 47 (51.06%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jk4e5e4crv4cvvpnufq4g6alto33j33wpxzwxid6nvq2lkstrcyq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat spyware stealer
Link:
https://tria.ge/reports/210310-g88jvnkjye/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
fieldsdegreenf.duckdns.org:6553
aaeeerbbbeee.duckdns.org:6553
Unpacked files
SH256 hash:
bd320585af29c2a8f383529ff1d1d5ebe5020a640b38f3f514fa28886c95075e
MD5 hash:
b34b2efa1e56aceaf11080f7136687a3
SHA1 hash:
f628381f156a74c0ddf9604d1636f0c00b0e658a
Link:
https://www.unpac.me/results/b46a6c5e-3a17-4e0c-ad05-2709e85827d5/
SH256 hash:
1510861928b533e1529c1ffe7c6d57d9e5e928830d0afb28fd0fa730ff83fbdc
MD5 hash:
8f85df46a482b5b068ae7667bf1a33d6
SHA1 hash:
a210d369311aa4d709dc962c634174738576907e
Link:
https://www.unpac.me/results/b46a6c5e-3a17-4e0c-ad05-2709e85827d5/
SH256 hash:
f057ee46174c11db2ff2e0542e4d5c8e32bbfe9db924850be58b3d8ddc8f63c2
MD5 hash:
341fd7abbe8e34342a21baf150fc35dd
SHA1 hash:
7838928fbaaac533a7a3c4f86a0dd994bde83159
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/b46a6c5e-3a17-4e0c-ad05-2709e85827d5/
Parent samples :
6b19b6261188bd102c2139595fa66347ee5717906e85d9fa90fd20e4209a91b0
4ab84e93828d782ad5eda161c3780b9bb7b4ef767df36ba07e6d61a5aa5388b1
SH256 hash:
4ab84e93828d782ad5eda161c3780b9bb7b4ef767df36ba07e6d61a5aa5388b1
MD5 hash:
4939b852848a95bc4cd388987f080b2d
SHA1 hash:
cb841cb367ba4b00075615578c693fa8278b8a1c
Link:
https://www.unpac.me/results/b46a6c5e-3a17-4e0c-ad05-2709e85827d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/4ab84e93828d782ad5eda161c3780b9bb7b4ef767df36ba07e6d61a5aa5388b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

tar b2b560f0e4888aaffca3177fbdfbccf2464f04a48195a1b1f0a8ebe282324b79

RemcosRAT

Executable exe 4ab84e93828d782ad5eda161c3780b9bb7b4ef767df36ba07e6d61a5aa5388b1

(this sample)

  
Dropped by
MD5 8655306e9560b00700f3097f435739c3
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b2b560f0e4888aaffca3177fbdfbccf2464f04a48195a1b1f0a8ebe282324b79

Comments