MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 586e6d87926659657100318f4efc9407706ceb71106b4d97757c30d100168d41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 586e6d87926659657100318f4efc9407706ceb71106b4d97757c30d100168d41
SHA3-384 hash: 68ae832ad5d1282b99351e1267ae48a29c0fa2cf21e2afa07ec0eeaf8ae5ae95007851ea4ce268d16a20d886d67ffe46
SHA1 hash: 2928da0e10462afb7a4f49f7183dfc82ccf5def2
MD5 hash: 413978821e2051205e7d01f03b3d4e2f
humanhash: berlin-video-coffee-delta
File name:DL7593462,Shipment Document,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:518'656 bytes
First seen:2020-10-26 10:16:38 UTC
Last seen:2020-10-26 11:58:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:+08ADHmunZIgJkfgUj7r+mh9kbnzPxZ+b7QO9C:BDHYYwrhkTj3DO
Threatray 1'025 similar samples on MalwareBazaar
TLSH 08B4D022738C9741E57997F95422C030A7F5BC86DB32E6283DE47ADF35B1E858B26702
Reporter abuse_ch
Tags:DHL exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: vps.dureamprad.com
Sending IP: 45.95.170.139
From: DHL Express Cargo <delivery@dhl.com>
Subject: RV: DHL CARGO DELIVERY
Attachment: DL7593462,Shipment Document,pdf.iso (contains "DL7593462,Shipment Document,pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.19070.18057.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Running batch commands
Sending a UDP request
Creating a window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/511532
Signature
.NET source code contains potential unpacker
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 304915 Sample: DL7593462,Shipment Document... Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 70 doublegrace2020.ddns.net 2->70 76 Malicious sample detected (through community Yara rule) 2->76 78 Multi AV Scanner detection for dropped file 2->78 80 Sigma detected: Scheduled temp file as task from temp location 2->80 82 14 other signatures 2->82 11 DL7593462,Shipment Document,pdf.exe 8 2->11         started        15 Mael.exe 5 2->15         started        17 Mael.exe 2->17         started        signatures3 process4 file5 66 C:\Users\user\AppData\Roaming\wcNPHkuk.exe, PE32 11->66 dropped 68 C:\Users\user\AppData\Local\...\tmpE925.tmp, XML 11->68 dropped 84 Injects a PE file into a foreign processes 11->84 19 schtasks.exe 1 11->19         started        21 DL7593462,Shipment Document,pdf.exe 4 5 11->21         started        24 BackgroundTransferHost.exe 11->24         started        27 DL7593462,Shipment Document,pdf.exe 11->27         started        29 schtasks.exe 15->29         started        31 Mael.exe 15->31         started        33 schtasks.exe 17->33         started        35 Mael.exe 17->35         started        signatures6 process7 dnsIp8 37 conhost.exe 19->37         started        62 C:\Users\user\AppData\Roaming\...\Mael.exe, PE32 21->62 dropped 39 wscript.exe 1 21->39         started        74 192.168.2.1 unknown unknown 24->74 41 conhost.exe 29->41         started        43 conhost.exe 33->43         started        file9 process10 process11 45 Mael.exe 5 37->45         started        48 conhost.exe 37->48         started        50 cmd.exe 1 39->50         started        signatures12 86 Multi AV Scanner detection for dropped file 45->86 88 Contains functionality to steal Chrome passwords or cookies 45->88 90 Contains functionality to capture and log keystrokes 45->90 92 2 other signatures 45->92 52 Mael.exe 2 4 45->52         started        56 schtasks.exe 1 45->56         started        58 Mael.exe 45->58         started        process13 dnsIp14 72 doublegrace2020.ddns.net 185.19.85.135, 49740, 49741, 49744 DATAWIRE-ASCH Switzerland 52->72 64 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 52->64 dropped 60 conhost.exe 56->60         started        file15 process16
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/586e6d87926659657100318f4efc9407706ceb71106b4d97757c30d100168d41/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-25 21:43:21 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lbxg3b4smzmwk4iagghu57eua5ygz23rcbvu3f3vpqyncaawrvaq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
20fa81d1aaeb9c0b8a15f71c939d71f6fac6e6a36e6fda77c5c23c50a773b08d
RemcosRAT
2323e3fa9e42ca85d8c33196bbb4b5273403e1eae415e42be8b055df1a560337
RemcosRAT
263fefe63ffef92b66516f9de917b4af09783ef5e3b6ba93b030d91c624c7925
RemcosRAT
26e21e90ec6431d87ffd66ee6f0cce3c2f1854a98390670b1002332632f297de
RemcosRAT
2829f8bf819c13d753f3c6b33726df8c46a533f3040b550a86ca0ab34f967e92
RemcosRAT
3f3daa13de0dde36e87f536f9cbcabc3170a6ddc4bd261d8ad3d3cd8515f6790
RemcosRAT
60c5937025d6f55a67d64ba824bb2ea0ba3aedd9dd949429544aaec829b98410
RemcosRAT
6b45c7c7eff3349f69bbe88ee3209c8557e3ec32b1985e1a3053392354ae64ca
RemcosRAT
8a525d55d517847b7379170a844775e1ea1ddc79816e4650d74787da63141d65
RemcosRAT
bb07625dfa5d6a83097fe8ca97e3b03973086c48f05d0a4af05317ec4ad99449
RemcosRAT
+ 1'015 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos persistence
Link:
https://tria.ge/reports/201026-3x7avrjam6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso fc2cd7af625a34d4db1f8d60b07dc5f0577c5859ca9ec64fef7e5f27b207783b

RemcosRAT

Executable exe 586e6d87926659657100318f4efc9407706ceb71106b4d97757c30d100168d41

(this sample)

  
Dropped by
MD5 4abd1045e78be060ac6b5ef274bc668e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fc2cd7af625a34d4db1f8d60b07dc5f0577c5859ca9ec64fef7e5f27b207783b

Comments