MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5df5e69f38e5fc641a089f213a2791aa1a9d9df801093a6dbd3bfb680c38884c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5df5e69f38e5fc641a089f213a2791aa1a9d9df801093a6dbd3bfb680c38884c
SHA3-384 hash: 50aaa1bbac71615a351d8610a5a1a43e006ec1deeab169df9cec98d3501640b14495a27295641ec448a2bb680de032d3
SHA1 hash: 02220971c2c31549f26dee200024c6cce84a2375
MD5 hash: 12c0f2c2f78e86429d18f146a59dec74
humanhash: mountain-mike-rugby-uncle
File name:009090INVO.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:213'504 bytes
First seen:2021-01-13 20:06:08 UTC
Last seen:2021-01-13 21:59:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e7da020c2fad0c59a3d5e97971484548 (3 x Formbook, 2 x AgentTesla, 2 x Loki)
ssdeep 6144:Sr1IZDbAQcHAORYANcIc90yJyFjnFrad1uU:W1IZfAPHY0k6FeF
Threatray 1'535 similar samples on MalwareBazaar
TLSH 5F24BFAA72E2C032C0B6027482985B73D67ABD31167480B7FBE89D5E1F70ED0597265F
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.58.152
From: Valparaiso Direccion <bencalada@asmar.cl>
Reply-To: claritadereck22@gmail.com
Subject: Gracias
Attachment: 009090INVO.PDF.z (contains "009090INVO.exe")

RemcosRAT C2:
72.11.157.241:4445

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111825/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.34921.2024.4749.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Unauthorized injection to a recently created process
Setting a keyboard event handler
Sending a custom TCP request
Creating a window
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/580702
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5df5e69f38e5fc641a089f213a2791aa1a9d9df801093a6dbd3bfb680c38884c/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-01-13 09:24:53 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lx26nhzy4x6gigqit4qtuj4rvinj3hpyaeetu3n5hp5wqdbyrbga._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
04e18fc32464a616b096a50a3ed43b646ece444e693b238a29d6f6de6ee45833
RemcosRAT
1aeb603dd60de76549e74fa97476865d66093fc0cd65b340b9d81b9e63875d91
RemcosRAT
2598d8fe011595cd74778112ae8704ae239444808cd3dd5938f800f16d8ae1b0
RemcosRAT
292fdda313c6d03852ecd9487653eb15bdf8cf6412e814365c2f176a1104cbc3
RemcosRAT
5d18283ed1cb2d7e7bd78e87821b3aa2f2ea64b01e28736098a3922fea61fe71
RemcosRAT
88fefe74a59525eecee004f0ca10e3b964462adc1f3b44a794282e17dd3dd67e
RemcosRAT
9a923858b6e0434e961118c2e0b6fc62bfddf64e1fc69b1b8acaa323d27c1d5e
RemcosRAT
b55bd6825fe91af7f39a6db95cc72d531fae8edf94266dfcbf82d44fcf1e67c7
RemcosRAT
c85e13a5030bcd0c8173ef7ff6939690fe9638fa25d3c89cbf1e1e95a89db997
RemcosRAT
e178d0ed3b308beca605b9b5f71fd420bb438dc2c12e37523982982d57df22a3
RemcosRAT
+ 1'525 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat upx
Link:
https://tria.ge/reports/210113-s9qcp85eqn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
UPX packed file
Remcos
Malware Config
C2 Extraction:
72.11.157.241:4445
Unpacked files
SH256 hash:
5df5e69f38e5fc641a089f213a2791aa1a9d9df801093a6dbd3bfb680c38884c
MD5 hash:
12c0f2c2f78e86429d18f146a59dec74
SHA1 hash:
02220971c2c31549f26dee200024c6cce84a2375
Link:
https://www.unpac.me/results/b07291dd-44f8-4609-af8e-8223029ead59/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5df5e69f38e5fc641a089f213a2791aa1a9d9df801093a6dbd3bfb680c38884c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip fbe76de5a1c012b5d861bb6cd4781053028bcd62c5bf914d184fbd23f86f7017

RemcosRAT

Executable exe 5df5e69f38e5fc641a089f213a2791aa1a9d9df801093a6dbd3bfb680c38884c

(this sample)

  
Dropped by
MD5 90482bc10cc2ea329328c775ec43c1e7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fbe76de5a1c012b5d861bb6cd4781053028bcd62c5bf914d184fbd23f86f7017
Cape
Cape
https://www.capesandbox.com/analysis/111825/

Comments