MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d
SHA3-384 hash: 7761d93a254aa3c2116929f619859fcc6abb66a74f718d579a8eb983091f04cf6ce333a513711955a1fc6967f9362824
SHA1 hash: 7c0199921dc0cb8eca7d9bc1a417853ede3ea1c1
MD5 hash: 1fbf74602dd86ce47486ccfd07d8d949
humanhash: cardinal-violet-minnesota-lamp
File name:Quote&Invoice.pif
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:320'512 bytes
First seen:2020-08-05 08:09:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:uAem0IySOe3rvMTo/8zfXwY1FutpM5Wq6uWS:uAZ0+Oeuo/8zAY1UpMWlS
Threatray 786 similar samples on MalwareBazaar
TLSH 8C642912A3E84996F4AE1178C472A71817236F676535CE4914E932DA8EE3343C4F7BCB
Reporter abuse_ch
Tags:pif RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: slot0.gammersd.xyz
Sending IP: 104.168.236.98
From: Sales Manager <info@gammersd.xyz>
Reply-To: reinaluis55@yahoo.com
Subject: Please send me your best favourable prices 11
Attachment: QuoteInvoice.zip (contains "Quote&Invoice.pif")

RemcosRAT C2:
185.172.111.213:27015

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/39169/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.48374.4417.659.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Launching a process
Running batch commands
Creating a process with a hidden window
Connection attempt
Creating a file
Sending a UDP request
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/410506
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 257511 Sample: Quote&Invoice.pif Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 74 Malicious sample detected (through community Yara rule) 2->74 76 Detected Remcos RAT 2->76 78 Yara detected Remcos RAT 2->78 80 5 other signatures 2->80 11 Quote&Invoice.exe 4 2->11         started        process3 file4 66 C:\Users\user\AppData\Roaming\cos, PE32 11->66 dropped 68 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 11->68 dropped 70 C:\Users\user\AppData\...\cos:Zone.Identifier, ASCII 11->70 dropped 90 Drops PE files to the startup folder 11->90 92 Writes to foreign memory regions 11->92 94 Maps a DLL or memory area into another process 11->94 96 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->96 15 Quote&Invoice.exe 1 11->15         started        18 RegAsm.exe 2 1 11->18         started        21 cmd.exe 1 11->21         started        signatures5 process6 dnsIp7 102 Writes to foreign memory regions 15->102 104 Maps a DLL or memory area into another process 15->104 23 Quote&Invoice.exe 1 15->23         started        26 cmd.exe 1 15->26         started        28 RegAsm.exe 15->28         started        72 185.172.111.213, 27015 BLADESERVERSNL Netherlands 18->72 106 Contains functionality to steal Chrome passwords or cookies 18->106 108 Contains functionality to capture and log keystrokes 18->108 110 Contains functionality to inject code into remote processes 18->110 112 Contains functionality to steal Firefox passwords or cookies 18->112 30 conhost.exe 21->30         started        32 choice.exe 1 21->32         started        signatures8 process9 signatures10 86 Writes to foreign memory regions 23->86 88 Maps a DLL or memory area into another process 23->88 34 Quote&Invoice.exe 1 23->34         started        37 cmd.exe 1 23->37         started        39 RegAsm.exe 23->39         started        41 conhost.exe 26->41         started        43 choice.exe 1 26->43         started        process11 signatures12 82 Writes to foreign memory regions 34->82 84 Maps a DLL or memory area into another process 34->84 45 Quote&Invoice.exe 34->45         started        48 cmd.exe 34->48         started        50 RegAsm.exe 34->50         started        52 conhost.exe 37->52         started        54 choice.exe 1 37->54         started        process13 signatures14 98 Writes to foreign memory regions 45->98 100 Maps a DLL or memory area into another process 45->100 56 cmd.exe 45->56         started        58 RegAsm.exe 45->58         started        60 conhost.exe 48->60         started        62 choice.exe 48->62         started        process15 process16 64 conhost.exe 56->64         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 00:35:36 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j2qwnawg2shlon6bqv56z2w4huyhpeq4ap5gfwo22rgvkhmsokoq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87
RemcosRAT
6c882aeb918e424cefe1068a6d3fbff5526c31e185716bf3a0d5ae0295772f09
RemcosRAT
7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2
RemcosRAT
83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4
RemcosRAT
9930543939f97818319ed031530d9e084994331aa4b06a304faeb321bbcc63db
RemcosRAT
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
RemcosRAT
c232e05f633d3e2bd0a1486a955d7f72eb9155408a635666306d922b333809b2
RemcosRAT
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
RemcosRAT
e39c2e98071d4440d02e6d1aa86111536d6d01554489bd71f890455c05e424d3
RemcosRAT
eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2
RemcosRAT
+ 776 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos
Link:
https://tria.ge/reports/200805-39qn29yc9e/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Drops startup file
Remcos
Malware Config
C2 Extraction:
185.172.111.213:27015
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 293f90fc550689f46c39bb87ca866648086ff32786890a8a63de1ef4f983a07e

RemcosRAT

Executable exe 4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d

(this sample)

  
Dropped by
MD5 84f52e6c293da20e0a5ef6b41e79f0aa
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 293f90fc550689f46c39bb87ca866648086ff32786890a8a63de1ef4f983a07e
Cape
Cape
https://www.capesandbox.com/analysis/39169/

Comments