MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ccfbfb6751aca04fdefe4f96f95a322ac9684d62dd79c5f7d142c24f30eb5e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ccfbfb6751aca04fdefe4f96f95a322ac9684d62dd79c5f7d142c24f30eb5e8
SHA3-384 hash: 4bc590cd2274f3e9ed28ca5809a36b23858ade3c14c3d2f1be04fe22b4907138dd23261081702fb3e4759e6395c99149
SHA1 hash: 7916166229867d620b4b07a359d0bf92e6574b47
MD5 hash: 8b7fed1914705666e4826519ebf2ebe7
humanhash: comet-lactose-fruit-september
File name:AW QUOTE 6677 HQ1-Scan-068703_PDF.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'672'704 bytes
First seen:2021-09-20 00:17:05 UTC
Last seen:2021-09-20 07:06:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:cHgaU3wDVCEBaCZHx/U0rHLLWdYUDShFYRb9iZUXpmw/Y0IjtI8bfGPxVine3sUM:J4CCHx/U0fiaAShCVcKXp3Yjt1cxVoN
Threatray 614 similar samples on MalwareBazaar
TLSH T1AC754F254D6696F7D3EFC32CD05C0B8EDBF5A483BB919F0E988186C2066770BE98854D
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AW QUOTE 6677 HQ1-Scan-068703_PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 00:19:21 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/92353b84-0e60-4e0b-bbc5-2ab9c1e24775

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189162/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.26743.23934.12017.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file in the system32 subdirectories
Enabling the 'hidden' option for recently created files
Launching cmd.exe command interpreter
Running batch commands
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Deleting of the original file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ddbc0ba2-3d9e-46a6-860c-c372544109e3
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853681
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Delayed program exit found
Deletes itself after installation
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: WScript or CScript Dropper
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486111 Sample: AW QUOTE 6677 HQ1-Scan-0687... Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 105 Malicious sample detected (through community Yara rule) 2->105 107 Detected Remcos RAT 2->107 109 Yara detected Remcos RAT 2->109 111 14 other signatures 2->111 12 AW QUOTE 6677 HQ1-Scan-068703_PDF.exe 6 2->12         started        16 Vlc.exe 2->16         started        18 Vlc.exe 4 2->18         started        21 Vlc.exe 2->21         started        process3 dnsIp4 93 C:\Users\user\AppData\...\WHQGmSHSPvC.exe, PE32 12->93 dropped 95 C:\Users\user\AppData\Local\...\tmpA6D0.tmp, XML 12->95 dropped 97 AW QUOTE 6677 HQ1-...-068703_PDF.exe.log, ASCII 12->97 dropped 125 Injects a PE file into a foreign processes 12->125 23 AW QUOTE 6677 HQ1-Scan-068703_PDF.exe 5 5 12->23         started        27 schtasks.exe 1 12->27         started        127 Drops executables to the windows directory (C:\Windows) and starts them 16->127 29 schtasks.exe 16->29         started        31 Vlc.exe 16->31         started        41 2 other processes 16->41 101 192.168.2.1 unknown unknown 18->101 33 schtasks.exe 18->33         started        35 Vlc.exe 18->35         started        37 schtasks.exe 21->37         started        39 Vlc.exe 21->39         started        file5 signatures6 process7 file8 87 C:\Windows\SysWOW64\VLC\Vlc.exe, PE32 23->87 dropped 89 C:\Windows\...\Vlc.exe:Zone.Identifier, ASCII 23->89 dropped 91 C:\Users\user\AppData\Local\...\install.vbs, data 23->91 dropped 117 Creates an autostart registry key pointing to binary in C:\Windows 23->117 43 wscript.exe 1 23->43         started        46 cmd.exe 1 23->46         started        48 conhost.exe 27->48         started        50 conhost.exe 29->50         started        52 conhost.exe 33->52         started        54 conhost.exe 37->54         started        signatures9 process10 signatures11 121 Deletes itself after installation 43->121 56 cmd.exe 1 43->56         started        123 Uses cmd line tools excessively to alter registry or file data 46->123 58 conhost.exe 46->58         started        60 reg.exe 1 46->60         started        process12 process13 62 Vlc.exe 5 56->62         started        66 conhost.exe 56->66         started        file14 99 C:\Users\user\AppData\Local\...\Vlc.exe.log, ASCII 62->99 dropped 129 Machine Learning detection for dropped file 62->129 131 Contains functionality to steal Chrome passwords or cookies 62->131 133 Contains functionality to steal Firefox passwords or cookies 62->133 135 2 other signatures 62->135 68 Vlc.exe 62->68         started        72 schtasks.exe 62->72         started        signatures15 process16 dnsIp17 103 103.114.104.136, 2404, 49797, 49800 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 68->103 113 Detected Remcos RAT 68->113 115 Installs a global keyboard hook 68->115 74 cmd.exe 68->74         started        77 iexplore.exe 68->77         started        79 svchost.exe 68->79         started        81 conhost.exe 72->81         started        signatures18 process19 signatures20 119 Uses cmd line tools excessively to alter registry or file data 74->119 83 conhost.exe 74->83         started        85 reg.exe 74->85         started        process21
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4ccfbfb6751aca04fdefe4f96f95a322ac9684d62dd79c5f7d142c24f30eb5e8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 00:18:07 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jth37ntvdlfaj7pp4t4w7fndekwjnbgwfxlzyx35cqwcj4yowxua._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
354da6fb77b3ee3bdb54e8c160fd24f542ff0f4a3aff092c19df3058c4228277
RemcosRAT
41ab72f9ce1e64f569029d8b3f8c2fdf680fb75113b8d7451bc8d988cd5f6bd2
RemcosRAT
453e07776e07268a23e0f90a6dde1e3bc9f55179a6bf55853e5d60fc25f85f72
RemcosRAT
5000f900d0d52fb1b6634d0437711ab10c9184d080c852f17b2fb114a35446a8
RemcosRAT
77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929
RemcosRAT
860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c
RemcosRAT
87284733f84447db5f12697e7ce2fb44671cbf404e040cf85085b223eab02b95
RemcosRAT
b2beeab94f7cbc38143e2a050c263476419bb48d2ec37470df5b1ee0da812f50
RemcosRAT
d83290b80bf412884168a6d24a06fad12edb578cc612ea555476b422a4499613
RemcosRAT
f5502d660f4b1f1110b7ba4fd0eab36ec5b44ff97c12b146a48ff8e38efa4745
RemcosRAT
+ 604 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:rdcrd brand:microsoft evasion persistence phishing rat trojan
Link:
https://tria.ge/reports/210920-almpraceh8/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Detected potential entity reuse from brand microsoft.
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Executes dropped EXE
Remcos
UAC bypass
Malware Config
C2 Extraction:
103.114.104.136:2404
Unpacked files
SH256 hash:
9479c67c4dabde9db9968bf81ace761b553e220ae60a22823dcf9e35b1f25cd1
MD5 hash:
b3fa26088636899cc34598e3b0c3c6d1
SHA1 hash:
c87dd08f29f63d5f25b1272610273eaae793aefb
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/2d5386db-edc7-4829-90f2-aa041b21fdd8/
SH256 hash:
090b8a17091796774408f53049a709dfd88774945231db9508ad18c66fcbde84
MD5 hash:
0037df50e3a304cb6b28f28e25662cf1
SHA1 hash:
7bb9d0adcb8d162fe30464ce62dd17de152b03d0
Link:
https://www.unpac.me/results/2d5386db-edc7-4829-90f2-aa041b21fdd8/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/2d5386db-edc7-4829-90f2-aa041b21fdd8/
SH256 hash:
4ccfbfb6751aca04fdefe4f96f95a322ac9684d62dd79c5f7d142c24f30eb5e8
MD5 hash:
8b7fed1914705666e4826519ebf2ebe7
SHA1 hash:
7916166229867d620b4b07a359d0bf92e6574b47
Link:
https://www.unpac.me/results/2d5386db-edc7-4829-90f2-aa041b21fdd8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/4ccfbfb6751aca04fdefe4f96f95a322ac9684d62dd79c5f7d142c24f30eb5e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 4ccfbfb6751aca04fdefe4f96f95a322ac9684d62dd79c5f7d142c24f30eb5e8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/189162/

Comments