MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03
SHA3-384 hash: 05000fcf6b2397e21dae1fd90d7e59ed9fbbfbecb58713b7e5af8e6a794dc774ba6e57de161b57bcaf6ee047f44406cb
SHA1 hash: ede2f547aae04f958172240dfd6cd0b76990e006
MD5 hash: 7fd79d1258fa8ed52e0d49bd780acd2e
humanhash: nine-magnesium-august-arizona
File name:Original BL_pdf.scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:139'264 bytes
First seen:2021-01-05 09:33:19 UTC
Last seen:2021-01-05 11:39:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a58452980f47253c6c85d2302c371765 (2 x RemcosRAT, 1 x GuLoader)
ssdeep 1536:7amG9PJQ6qdxYnt6EbdHYD9E+/5EhtwCaXDdoDIlF:sQ6d4/3/6htpaBo6F
Threatray 5'935 similar samples on MalwareBazaar
TLSH C3D372D66403C8BED97F92F4191C31A49902BD34F81B681F62EB774493B87E0E5227E6
Reporter abuse_ch
Tags:RAT RemcosRAT scr


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: vps.jocmachinerys.com
Sending IP: 45.85.90.246
From: Maersk <support@bluehost.com>
Reply-To: swiftlogz@yandex.com
Subject: Re: URGENT 2021 MAERSK DELIVERY
Attachment: Original BL, CI AWB.rar (contains "Original BL_pdf.scr")

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Original BL_pdf.scr
Verdict:
No threats detected
Analysis date:
2021-01-05 09:36:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1bb6721f-d1b8-40f8-b33f-fb0c2dd6f1bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110550/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Trojan.ct.743.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
Remcos GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/574045
Signature
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-05 09:34:07 UTC
AV detection:
3 of 46 (6.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lan5cft33g2asrg6tiwyqqxnrkued7p4nhmjnqsfecdtbfpavqbq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
11e021f5ccf8e8af0f64a10c1fae6285df671c2ad5a97d30f0d888374764128b
RemcosRAT
157447fce775d3e303f51839e30994daedd62b93460ef617385ef8027585647d
RemcosRAT
2ad1cbf24005ff5f0e634bf2e5642d37ca1cd6d9fe7001cd5b91eeb84506068b
RemcosRAT
2c32a940a48680ede0f03b2de30890a25c983ce91e2b7737d993a5ccb42677ba
RemcosRAT
308245e3b036eaa8e2b12c92852a64e5feedd6d952789d12da2ea5da9b7acced
RemcosRAT
4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d
RemcosRAT
84a066f7294211d47a88b38b0ad9ff2f0e385973c4a3b92b39b2df25e178aca8
RemcosRAT
dde6436d3e8a969f96e4ccec6904631d562efad960e0e9a6a2a865174750f3d6
RemcosRAT
f6a9826b1e282e624092a19865e11d9d0ae85d26e2ac511c128e0dce09196a93
RemcosRAT
facb3b1bbd388588efa04a3d0a5ba963af70d863494dd180b876d590f8b1bb51
RemcosRAT
+ 5'925 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210105-fdzwc5k5j6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Remcos
Unpacked files
SH256 hash:
581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03
MD5 hash:
7fd79d1258fa8ed52e0d49bd780acd2e
SHA1 hash:
ede2f547aae04f958172240dfd6cd0b76990e006
Link:
https://www.unpac.me/results/d715acbe-6079-470f-a823-72589af026a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar b5834c5958a278dd27068788692f56ed1289a14d5bbd2798e8c080cb613b8dc5

RemcosRAT

Executable exe 581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/949331/
  
Dropped by
MD5 b9cde56d74779a6fc59d3fe926f10f35
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110550/
  
Dropped by
SHA256 b5834c5958a278dd27068788692f56ed1289a14d5bbd2798e8c080cb613b8dc5

Comments