MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c74f4542101eb419934b0d6fb2765e688314ef1edcd7cf41203d6d3935eef98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c74f4542101eb419934b0d6fb2765e688314ef1edcd7cf41203d6d3935eef98
SHA3-384 hash: 240eabffed13bec3473ca83d57a36f217da2290ff6f047034bbf9a9e7c747d199b30e64b399e445ddab5bf8312ed1dcb
SHA1 hash: 615f1958c8802ff2c5519603b3e2a088e3bfbf02
MD5 hash: 771d123d429ad8ea7a853632e7ee722e
humanhash: batman-mountain-pennsylvania-pennsylvania
File name:Re Confirmación de pedido-7645,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:718'848 bytes
First seen:2021-09-23 21:08:04 UTC
Last seen:2021-10-04 11:49:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a7ebf1a69de9b324d0d1f73a7d054a0 (6 x RemcosRAT, 1 x Formbook)
ssdeep 12288:mftAn+lE3hGAJNmUaxoSThjcmmQgMM4PW:4uwEwomU1SFAND
Threatray 185 similar samples on MalwareBazaar
TLSH T10DE45D2353509DBDF3232F3DCCC85191761BBE5038A54D4E0A703E7A6BB68E5BA16293
File icon (PE):PE icon
dhash icon c4dcf8c6d6d0c8d4 (21 x RemcosRAT, 3 x Formbook, 1 x AveMariaRAT)
Reporter abuse_ch
Tags:ESP exe geo RAT RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Re Confirmación de pedido-7645,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-23 21:12:46 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/1f9fe002-041a-4d89-ac22-96fa4acb4bfe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190882/
Detection(s):
SecuriteInfo.com.Variant.Zusy.401770.19738.641.UNOFFICIAL
Create hunting rule

Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5649ebb9-647e-455f-8ef7-0c68e351c21c
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856952
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 489382 Sample: Re Confirmaci#U00f3n de ped... Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 44 ongod4life.ddns.net 2->44 64 Multi AV Scanner detection for domain / URL 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 5 other signatures 2->70 9 Re Confirmaci#U00f3n de pedido-7645,pdf.exe 1 22 2->9         started        14 Gnbytgi.exe 15 2->14         started        16 Gnbytgi.exe 17 2->16         started        signatures3 process4 dnsIp5 50 pturhg.db.files.1drv.com 9->50 52 onedrive.live.com 9->52 54 db-files.fe.1drv.com 9->54 42 C:\Users\Public\Libraries\...behaviorgraphnbytgi.exe, PE32 9->42 dropped 80 Writes to foreign memory regions 9->80 82 Creates a thread in another existing process (thread injection) 9->82 84 Injects a PE file into a foreign processes 9->84 18 logagent.exe 2 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        56 pturhg.db.files.1drv.com 14->56 60 2 other IPs or domains 14->60 86 Multi AV Scanner detection for dropped file 14->86 26 DpiScaling.exe 14->26         started        58 pturhg.db.files.1drv.com 16->58 62 2 other IPs or domains 16->62 28 mobsync.exe 16->28         started        file6 signatures7 process8 dnsIp9 46 ongod4life.ddns.net 185.140.53.15, 4336, 49754, 49756 DAVID_CRAIGGG Sweden 18->46 48 192.168.2.1 unknown unknown 18->48 72 Contains functionality to inject code into remote processes 18->72 74 Contains functionality to steal Firefox passwords or cookies 18->74 76 Delayed program exit found 18->76 30 reg.exe 1 22->30         started        32 conhost.exe 22->32         started        34 cmd.exe 1 24->34         started        36 conhost.exe 24->36         started        78 Contains functionality to steal Chrome passwords or cookies 26->78 signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c74f4542101eb419934b0d6fb2765e688314ef1edcd7cf41203d6d3935eef98/
Threat name:
Win32.Downloader.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 16:08:36 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jr2pivbbahvudgjuwdlpwj3f42edctxr5xgxz5asaplnhe2656ma._file
Verdict:
malicious
Similar samples:
03811a474b07747d26379d33ee6788366f0d49bf993334d16607b361093463af
RemcosRAT
198a6c69303e222c1e37be51ff9cf68615b4879fb2b152f96aad90daf49c7df1
RemcosRAT
1ddb357041ae22e5c39f309d8432bf9b64e5b07ee9fcf578b7d94543005714fa
RemcosRAT
27bc88fd389ded5b1102d7ef23245aceeb4a516c7291afc954abb876898aa42f
RemcosRAT
5f14d3a74387554c330e7ee790f26fb55c5bfeb1dbefc6f2de93ba69d46383e8
RemcosRAT
8bc32885f532e286073afa7781733d97338f3bab7b22f55680b38fe1926d103b
RemcosRAT
a1adbdad4e1d0b04ddbac043a174b0b9e2731402fd9422085243c32c8e575fdf
RemcosRAT
b17c3b52340b1f33f4c2e5ce9eb6de617bd28c9525d12b56de031f5367bf7f9a
RemcosRAT
c7079003367b65e2995cb47d1a688a659e3b54215b8abca7a99bf4c791b216e3
RemcosRAT
fb55f300cbcea6d62e33eb76a196849d1a67ce91c46255d2180fcd6a2cdc43f9
RemcosRAT
+ 175 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/210923-zywwmafcg2/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
ongod4life.ddns.net:4336
Unpacked files
SH256 hash:
18498f5add7c31c1af213a720891708124ce271e4a1f4eef7427ff9ceff44767
MD5 hash:
af315fe318bcbca468841006ccc57e0a
SHA1 hash:
9b18984c1d4fcafc7bde26250a937aff6c41a375
Link:
https://www.unpac.me/results/9e5fec49-ad58-495d-8108-bc146df937cf/
SH256 hash:
4c74f4542101eb419934b0d6fb2765e688314ef1edcd7cf41203d6d3935eef98
MD5 hash:
771d123d429ad8ea7a853632e7ee722e
SHA1 hash:
615f1958c8802ff2c5519603b3e2a088e3bfbf02
Link:
https://www.unpac.me/results/9e5fec49-ad58-495d-8108-bc146df937cf/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4c74f4542101/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/4c74f4542101eb419934b0d6fb2765e688314ef1edcd7cf41203d6d3935eef98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 4c74f4542101eb419934b0d6fb2765e688314ef1edcd7cf41203d6d3935eef98

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/190882/

Comments