MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5932fcc4c5d01a0d7667dfe1e6d10dd8c540b2ac57623c8c4b99dfdcd43cd63e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5932fcc4c5d01a0d7667dfe1e6d10dd8c540b2ac57623c8c4b99dfdcd43cd63e
SHA3-384 hash: 9d620eae0b696fb8ec46e73a62c7d0ee775f4a3102d2edac7d869a2c950d8762fab32936e817e0790d374c88c740378a
SHA1 hash: b45d5031d3a61668a829637b7062f3fcd454362a
MD5 hash: 29b2e21109872369edba9abaab7704b5
humanhash: fruit-sodium-california-speaker
File name:Purchase Order.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:58'944 bytes
First seen:2021-03-10 17:12:17 UTC
Last seen:2021-03-10 18:52:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 768:rwuouorCu5Ye5R5G215OKGmsf1Pfg0GflvXGfhGflvx/FIwJGuKGflvx/FIwJGuT:U7LrCxev02GJmqlfAz16y
Threatray 241 similar samples on MalwareBazaar
TLSH 144386EDAA5948EBF56CF875C0D0E002A931D97F28104A6F41CA91E3C816FD274D82EF
Reporter abuse_ch
Tags:exe OVPN RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: lucky1.263xmail.com
Sending IP: 211.157.147.132
From: 张贵强 <sale20@chinachuangxin.net>
Subject: Valid Prices
Attachment: 0784645_2021_048890000748944994.pdf.7z (contains "Purchase Order.exe")

RemcosRAT C2:
feromo.duckdns.org:8087 (185.157.161.113)

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order.exe
Verdict:
Malicious activity
Analysis date:
2021-03-10 18:22:39 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/17ba8b05-b082-45ee-8576-d99525011b24

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.14612.3569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/634954
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Delayed program exit found
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 366449 Sample: Purchase Order.exe Startdate: 10/03/2021 Architecture: WINDOWS Score: 100 57 liverpoolofcfanclub.com 2->57 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 16 other signatures 2->79 8 Purchase Order.exe 23 15 2->8         started        13 explorer.exe 2->13         started        15 explorer.exe 2->15         started        17 11 other processes 2->17 signatures3 process4 dnsIp5 69 liverpoolofcfanclub.com 104.21.31.39, 49704, 49705, 49706 CLOUDFLARENETUS United States 8->69 49 C:\Windows\Resources\Themes\...\svchost.exe, PE32 8->49 dropped 51 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->51 dropped 53 C:\Users\user\...\Purchase Order.exe.log, ASCII 8->53 dropped 55 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->55 dropped 81 Creates an autostart registry key pointing to binary in C:\Windows 8->81 83 Adds a directory exclusion to Windows Defender 8->83 19 Purchase Order.exe 2 3 8->19         started        23 AdvancedRun.exe 1 8->23         started        25 powershell.exe 8 8->25         started        34 2 other processes 8->34 27 svchost.exe 13->27         started        85 Drops executables to the windows directory (C:\Windows) and starts them 15->85 30 svchost.exe 15->30         started        71 127.0.0.1 unknown unknown 17->71 87 Changes security center settings (notifications, updates, antivirus, firewall) 17->87 32 MpCmdRun.exe 1 17->32         started        file6 signatures7 process8 dnsIp9 59 feromo.duckdns.org 185.157.161.113, 50308, 8078 OBE-EUROPEObenetworkEuropeSE Sweden 19->59 47 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 19->47 dropped 36 AdvancedRun.exe 23->36         started        39 conhost.exe 25->39         started        61 172.67.174.240, 50311, 50314, 50315 CLOUDFLARENETUS United States 27->61 63 liverpoolofcfanclub.com 27->63 89 System process connects to network (likely due to code injection or exploit) 27->89 91 Multi AV Scanner detection for dropped file 27->91 65 liverpoolofcfanclub.com 30->65 41 conhost.exe 32->41         started        43 conhost.exe 34->43         started        45 conhost.exe 34->45         started        file10 signatures11 process12 dnsIp13 67 192.168.2.1 unknown unknown 36->67
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Emotet
Create hunting rule
Status:
Suspicious
First seen:
2021-03-10 17:12:25 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lezpzrgf2ana25th37q6nuin3dcubmvmk5rdzdclthp5zvb42y7a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a
RemcosRAT
492823289d0cbc07c789546fda1d7bbee05327c29964f5738f70e82ae7c4f4ad
RemcosRAT
88908ef35a39d6295a1b5775b08f2f44b3ccfad8bec6bf4e4a067428ed95262e
RemcosRAT
b0dad01939e09e869b27e59d7a7d7c79fdd31bb4a8c52153844c23c3c34bf368
RemcosRAT
b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839
RemcosRAT
bd2130b9722512ac8b0e510c2c6ca47186055272b3835754a0e2469989baecfd
RemcosRAT
d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9
RemcosRAT
e4e47b27c701e89ac6a550ab1f8ecb6058c79d9f9bca9a56ec71e3baf01dc545
RemcosRAT
ef6ac1293cdfda22c8d940f96c5433f406a4c3666e6941e4f094a8cf50d04ac1
RemcosRAT
ff8dd2511c1721a535a31eb7e8c4f813ba114a2ec963f4b85f8808fa99d47422
RemcosRAT
+ 231 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos evasion persistence rat trojan
Link:
https://tria.ge/reports/210310-kbnx99pve6/
Behaviour
System policy modification
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Remcos
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
feromo.duckdns.org:8078
Unpacked files
SH256 hash:
5932fcc4c5d01a0d7667dfe1e6d10dd8c540b2ac57623c8c4b99dfdcd43cd63e
MD5 hash:
29b2e21109872369edba9abaab7704b5
SHA1 hash:
b45d5031d3a61668a829637b7062f3fcd454362a
Link:
https://www.unpac.me/results/155055ad-081b-4d47-88d2-0e0cef3c35da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/5932fcc4c5d01a0d7667dfe1e6d10dd8c540b2ac57623c8c4b99dfdcd43cd63e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

zip d71d346b485960529fd9b619882ad951513ef5c110cda89f66cf8cd259fe0e37

RemcosRAT

Executable exe 5932fcc4c5d01a0d7667dfe1e6d10dd8c540b2ac57623c8c4b99dfdcd43cd63e

(this sample)

  
Dropped by
MD5 b5ce5b5e37b4698b257a77a9c651aa65
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d71d346b485960529fd9b619882ad951513ef5c110cda89f66cf8cd259fe0e37

Comments