MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b9549bd308885348d7ec8d47bab9843456a270b53c6dbd5b7c8f849f066ff29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 6 File information Comments

SHA256 hash:	4b9549bd308885348d7ec8d47bab9843456a270b53c6dbd5b7c8f849f066ff29
SHA3-384 hash:	818688881c64ffa7976b01582adc072ca9a1af47aa03f0bf01d491d334d2f18f1ec31341dfda1db1c94df2c33ba8793f
SHA1 hash:	1cf9c1a75d2eb941f38ff3bae0f5b0b3d1164363
MD5 hash:	7fb286bbfde09834c5da4622e0044271
humanhash:	cat-two-neptune-missouri
File name:	new order #019U2117,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'052'672 bytes
First seen:	2022-07-12 18:55:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6a102166317d313ef57572741259ca4a (6 x RemcosRAT, 1 x Formbook, 1 x ModiLoader)
ssdeep	24576:YkH9czoiliazNQtMTMOaHRMq7JeofjkRt:Ykdq6RR/L+
TLSH	T122254B22F2B1CC33C527DA374C16B7A95E2D7E117E69B84E36E43E4C1F362812925297
TrID	92.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.8% (.SCR) Windows screen saver (13101/52/3) 1.4% (.EXE) Win64 Executable (generic) (10523/12/4) 0.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	27d0d8d6d6d8d027 (11 x RemcosRAT, 5 x Formbook, 5 x DBatLoader)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
37.0.14.195:2189

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
37.0.14.195:2189	https://threatfox.abuse.ch/ioc/829928/

Intelligence

File Origin

# of uploads :

# of downloads :

386

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

new order #019U2117,pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-07-12 19:00:59 UTC

Tags:

trojan rat remcos

Link:

https://app.any.run/tasks/3fa175c6-8636-45af-a8c6-15343d4a399d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/286654/

Detection(s):

SecuriteInfo.com.W32.Delf.RI.genEldorado.13516.14219.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Sending a custom TCP request

DNS request

Creating a file

Launching a process

Sending an HTTP GET request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/62cdc3ffbbcf6baf2797c6a2/reports/7abf911b-58b8-43d7-950f-23632e3a417f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/99bd0303-f422-415d-9b05-010f874a734e

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1029686

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Yara detected UAC Bypass using ComputerDefaults

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4b9549bd308885348d7ec8d47bab9843456a270b53c6dbd5b7c8f849f066ff29/

Threat name:

Win32.Trojan.Remcos

Status:

Malicious

First seen:

2022-07-12 18:56:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jokutpjqrcctjdl6zdkhxk4yincwujylkpdnxvnxzd4et4dg74uq._file

Verdict:

malicious

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos botnet:bold persistence rat suricata trojan

Link:

https://tria.ge/reports/220712-xlbntaccen/

Behaviour

Modifies system certificate store

Suspicious use of WriteProcessMemory

Adds Run key to start application

ModiLoader Second Stage

ModiLoader, DBatLoader

Remcos

suricata: ET MALWARE Remocs 3.x Unencrypted Checkin

suricata: ET MALWARE Remocs 3.x Unencrypted Server Response

Malware Config

C2 Extraction:

blessmyhustlelord.ddns.net:2189

Unpacked files

SH256 hash:

dc0377ea26efeb8d3411b8a861a20c9fa07af02308075ed1a8a7b849980893f1

MD5 hash:

5bff59b56c06a281b66ef4e919ce560c

SHA1 hash:

d8b49405898da4060988afe98219d5b62e4e2a7a

Link:

https://www.unpac.me/results/96a60212-46ad-483f-b102-52b5246bce31/

SH256 hash:

4f31af367c8d10c35c2e49fc5f87c341ce60811320a6584677542255c1a8e1b6

MD5 hash:

35ba463851ff527ad3af046f7a4a43ef

SHA1 hash:

7d97637f8650af91fc534bf6928a851d6e59ccfc

Link:

https://www.unpac.me/results/96a60212-46ad-483f-b102-52b5246bce31/

SH256 hash:

4b9549bd308885348d7ec8d47bab9843456a270b53c6dbd5b7c8f849f066ff29

MD5 hash:

7fb286bbfde09834c5da4622e0044271

SHA1 hash:

1cf9c1a75d2eb941f38ff3bae0f5b0b3d1164363

Link:

https://www.unpac.me/results/96a60212-46ad-483f-b102-52b5246bce31/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4b9549bd3088/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4b9549bd308885348d7ec8d47bab9843456a270b53c6dbd5b7c8f849f066ff29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/286654/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample