MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e31a4916e479c18347d59e0a98dc12738efb5acbad3ba3e677fb24fd87e7adc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e31a4916e479c18347d59e0a98dc12738efb5acbad3ba3e677fb24fd87e7adc
SHA3-384 hash: 6f9c3d646e0e1b776e45585adf6f75b0c2d6701dd1961e8e406dd4cea6a80ae4e213414d7c09aacacec3cf427656acab
SHA1 hash: 54226c763412ca16832d5e11e1d9165c1df13534
MD5 hash: 848bfb3ad0bfdf896826370e1e567fcc
humanhash: winter-delta-cat-uncle
File name:QUOTATION.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'125'888 bytes
First seen:2021-01-18 07:59:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:5cQnyC3p6dJxgUygWpE0hQ/aAyd2N/Ro2mZlh:5cAyC0dJxggWpQ/bMiSl
Threatray 554 similar samples on MalwareBazaar
TLSH 32358C1093DCDB20E3BC57F49910826067A9E546F668E37CFDBEA0C25F619A449DFB80
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: gmail.com
Sending IP: 37.49.225.129
From: anabeltaylor93@gmail.com
Subject: QUOTATION
Attachment: QUOTATION.gz (contains "QUOTATION.exe")

RemcosRAT C2:
79.134.225.100:1011

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QUOTATION.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 08:01:47 UTC
Tags:
trojan rat remcos stealer keylogger
Link:
https://app.any.run/tasks/4e7748a3-8953-466d-b0a4-3777504f622d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112437/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/583420
Signature
.NET source code contains potential unpacker
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 340745 Sample: QUOTATION.exe Startdate: 18/01/2021 Architecture: WINDOWS Score: 100 41 Sigma detected: Scheduled temp file as task from temp location 2->41 43 Detected Remcos RAT 2->43 45 Yara detected AntiVM_3 2->45 47 8 other signatures 2->47 7 QUOTATION.exe 7 2->7         started        process3 file4 29 C:\Users\user\AppData\Roaming\uSaartra.exe, PE32 7->29 dropped 31 C:\Users\...\uSaartra.exe:Zone.Identifier, ASCII 7->31 dropped 33 C:\Users\user\AppData\Local\...\tmp8EA6.tmp, XML 7->33 dropped 35 C:\Users\user\AppData\...\QUOTATION.exe.log, ASCII 7->35 dropped 55 Writes to foreign memory regions 7->55 57 Injects a PE file into a foreign processes 7->57 11 vbc.exe 2 3 7->11         started        16 schtasks.exe 1 7->16         started        signatures5 process6 dnsIp7 39 79.134.225.100, 1011, 49748, 49749 FINK-TELECOM-SERVICESCH Switzerland 11->39 37 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 11->37 dropped 59 Tries to steal Mail credentials (via file registry) 11->59 61 Injects a PE file into a foreign processes 11->61 18 vbc.exe 1 11->18         started        21 vbc.exe 1 11->21         started        23 vbc.exe 1 11->23         started        27 7 other processes 11->27 25 conhost.exe 16->25         started        file8 signatures9 process10 signatures11 49 Tries to steal Instant Messenger accounts or passwords 18->49 51 Tries to steal Mail credentials (via file access) 18->51 53 Tries to harvest and steal browser information (history, passwords, etc) 27->53
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5e31a4916e479c18347d59e0a98dc12738efb5acbad3ba3e677fb24fd87e7adc/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-18 05:59:14 UTC
AV detection:
4 of 44 (9.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lyy2jeloi6obqnd5lhqktdobe44o7nnmxlj3upthp6ze7wd6ploa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
11b16ba733f2f4f10ac58021eecaf5668551a73e2a1acfae99745c50bfccbb44
RemcosRAT
5ab68910c53ccaea0aa6c9e51fa8ad92433cba369163f99f636973b32abda555
RemcosRAT
6b090efc032911140a9b027ae65b205eb4b6aef2ab0dec995e473470f6706240
RemcosRAT
9972434ebdd96cf98cbc8849f08d6ca3120e5cf2553b3416bc0fccc5396c74b5
RemcosRAT
99d0abe691cea3ff0e8462f7cca0649a52507a03387bda27e95a20bd72a6b37b
RemcosRAT
a9bb3e9f775ca73baaac71ef7e7b4a5d7c467aef99d3b8f34856f16dbb3afe26
RemcosRAT
c032e316eefbacca4b3ddfe7fc2ee9ac5f86daea767232d2322f7fdfe4b18993
RemcosRAT
cdcc8531c42e3ede33c0ecbcb82f7a6e5445e959eee3796475258df830a18813
RemcosRAT
f3dd0364478f5e8db5e914033bf34cd7e0a1cc3a66698883a3798ef35f61a36c
RemcosRAT
f7e29cbf47c9804eb341836873ea6837be7a46639978f44d9ba2670d47e68d56
RemcosRAT
+ 544 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210118-ab8bpwnwb6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
79.134.225.100:1011
Unpacked files
SH256 hash:
1d6ecf546163882d34d4bb2b7afa3889506ca3036ed536c4ed972ed89bdf5035
MD5 hash:
fb169513679d349cb2a7e4121bacfd4a
SHA1 hash:
26619d7ce0a175b9fc4fbfd7f4b105050562924f
Link:
https://www.unpac.me/results/b5be9f4f-a8aa-474a-91d2-638b8092b058/
SH256 hash:
5e31a4916e479c18347d59e0a98dc12738efb5acbad3ba3e677fb24fd87e7adc
MD5 hash:
848bfb3ad0bfdf896826370e1e567fcc
SHA1 hash:
54226c763412ca16832d5e11e1d9165c1df13534
Link:
https://www.unpac.me/results/b5be9f4f-a8aa-474a-91d2-638b8092b058/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e31a4916e479c18347d59e0a98dc12738efb5acbad3ba3e677fb24fd87e7adc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

gz 389c3abcf37c308e58ba85937504e2c38117b70553738120e9d5d444b4ca4302

RemcosRAT

Executable exe 5e31a4916e479c18347d59e0a98dc12738efb5acbad3ba3e677fb24fd87e7adc

(this sample)

  
Dropped by
MD5 81d6da7472e2729c08307332bb58100c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112437/
  
Dropped by
SHA256 389c3abcf37c308e58ba85937504e2c38117b70553738120e9d5d444b4ca4302

Comments