MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7
SHA3-384 hash: 7f3e7f18b740394e8873fdf5e170ae205ff4afe8874f37614610de15e2ff9f69bf2da176250f9b8d0450193e87bde0b5
SHA1 hash: cf2aa59cc8e074dfd3d72b052beef746aba1fe6a
MD5 hash: a2c17f6556ae89a8a1683f889bffc7e9
humanhash: fanta-monkey-friend-nitrogen
File name:PO-Scan-Documents00012910993993.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:181'248 bytes
First seen:2021-01-13 07:32:24 UTC
Last seen:2021-01-13 09:38:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 13f6eb96e7165e986a0d233796ec15e0 (5 x Formbook, 5 x RemcosRAT, 1 x Loki)
ssdeep 3072:Q8uTokNP2/YpNkbaGhSpPF2Hyg+lHQLzeN6h15x55Ca1vhTrTCJ9oFq8vR1O4Cj:m7PcYfkbtUFQHalgesTHlhT3CJyo8Gj
Threatray 1'357 similar samples on MalwareBazaar
TLSH 5E04F14E9646C935D7A4A2BCE3A1D63797336E602234119FEF988C92132FC51ADE41CF
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: sanwapearl.com.hk
Sending IP: 84.38.133.161
From: Thomas Leung <thomasleung@sanwapearl.com.hk>
Subject: Re: NEW ORDER
Attachment: PO-Scan-Documents00012910993993.r12 (contains "PO-Scan-Documents00012910993993.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO-Scan-Documents00012910993993.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-13 09:03:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f6399283-005a-431d-ac04-83a31a6b32e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111722/
Detection(s):
SecuriteInfo.com.Variant.Jaik.42989.5701.9581.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/579939
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 339017 Sample: PO-Scan-Documents0001291099... Startdate: 13/01/2021 Architecture: WINDOWS Score: 100 27 www.maneediem.com 2->27 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus / Scanner detection for submitted sample 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 6 other signatures 2->39 7 owerrinta.exe 2->7         started        10 PO-Scan-Documents00012910993993.exe 4 5 2->10         started        13 owerrinta.exe 2->13         started        signatures3 process4 file5 41 Antivirus detection for dropped file 7->41 43 Multi AV Scanner detection for dropped file 7->43 45 Contains functionalty to change the wallpaper 7->45 55 2 other signatures 7->55 15 owerrinta.exe 2 4 7->15         started        23 C:\Users\user\AppData\...\owerrinta.exe, PE32 10->23 dropped 25 C:\Users\...\owerrinta.exe:Zone.Identifier, ASCII 10->25 dropped 47 Contains functionality to steal Chrome passwords or cookies 10->47 49 Contains functionality to capture and log keystrokes 10->49 51 Contains functionality to inject code into remote processes 10->51 53 Contains functionality to register a low level keyboard hook 10->53 19 wscript.exe 10->19         started        signatures6 process7 dnsIp8 29 www.maneediem.com 194.5.97.155, 2404, 49723, 49726 DANILENKODE Netherlands 15->29 31 192.168.2.1 unknown unknown 15->31 21 C:\Users\user\AppData\Roaming\...\logs.dat, Applesoft 15->21 dropped file9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7/
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-13 01:22:49 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jrqwsl23g33lfmjwswghymkrcoezug63dt7hifptpqfm7wvlagtq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
00b65900131d5d5cac9d48c65ff2e53677418d7c50f0c09480af43e80845bef3
RemcosRAT
1a6757ed0fa8dfc6a0ecc4dcfecc7dacb2b4ff435c15eefeb9edde8b913e1811
RemcosRAT
5fdecb2c511ec2b584766991bc2126ae802ed2618a80a227046df5379f12e745
RemcosRAT
6da5a41c6dd6f0ddc638a3bccceeae8132814f605971a2f9eb1af58040f60eb8
RemcosRAT
7938ab5a2e1c4eaf450a144c2d451cfab20feddb85eec8310f14fefebe09e953
RemcosRAT
816f26e5b5de1be644fff419718bc3e1b8410a4a9a9f405d8db814e7758608d9
RemcosRAT
849c170a469dc6f5b1bc190923744b08c51ea0ea593e435f0121b874af58c3ec
RemcosRAT
b67361c9d7c2bcbe7e94b698f4d5abd1e6ffd96429d2c66dcfd92a573303e4f0
RemcosRAT
bfe8692e2e6e89e7d77482f315a22b3679e511e50eab20ba852cabc06dc4e5fa
RemcosRAT
e7c74f89332dcf4bf0ebaa50d960a8c82a521ca2c9608ecbb13e719e9744b5ca
RemcosRAT
+ 1'347 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210113-cg4wlee7r6/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Deletes itself
Executes dropped EXE
Remcos
Unpacked files
SH256 hash:
4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7
MD5 hash:
a2c17f6556ae89a8a1683f889bffc7e9
SHA1 hash:
cf2aa59cc8e074dfd3d72b052beef746aba1fe6a
Link:
https://www.unpac.me/results/2a20b7b9-5f3e-4a99-85f3-3756dc453aa7/
SH256 hash:
3d1cd3747103ae0def4f60d3d363d2c2249f2d868fa7cd70e68e514eb2594260
MD5 hash:
9d3f224db837a653e4b956a4e515324d
SHA1 hash:
9a7d2e8156b5f6ec5485b2173880503afafe38f5
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/2a20b7b9-5f3e-4a99-85f3-3756dc453aa7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 42c204761704f71f3de80204143e478671583df80cd62540f2fdc0f3807204e5

RemcosRAT

Executable exe 4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7

(this sample)

  
Dropped by
MD5 c6df9e31d10450d797841d2ea678642c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 42c204761704f71f3de80204143e478671583df80cd62540f2fdc0f3807204e5
Cape
Cape
https://www.capesandbox.com/analysis/111722/

Comments