MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5edcaa5dd9d8d6726e02b8bd53b8c8695d781d9c324ac4805da72daf3cf5df0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	5edcaa5dd9d8d6726e02b8bd53b8c8695d781d9c324ac4805da72daf3cf5df0d
SHA3-384 hash:	669383e30f7c008fb583c73958b41934a354c2991b87f447384218b03978cd8fcefdec4ff27d0eaf4c83e3de36076802
SHA1 hash:	abc475e1f64ba70bdb66c4b38baa461ca7cf30a4
MD5 hash:	7669f38afc005a2bb5a894bdc35385ca
humanhash:	spaghetti-cat-neptune-india
File name:	DHL_409011 documento de recibo,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	765'184 bytes
First seen:	2021-02-05 18:46:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3006b9ec633343c82818c9662a67f7ee (3 x RemcosRAT)
ssdeep	12288:j9VGYp+A0bI8LK1cofUCje+OTDD+1TW+n/nRdEtsCz:jHiA0MWnOUCjl2DuTW+vRmxz
Threatray	49 similar samples on MalwareBazaar
TLSH	E6F46BE952811832D07A16B88C4B6244CD6B7CC3265C373D97E4F9CE5A3478C3A9B97B
Reporter	abuse_ch
Tags:	DHL ESP exe geo nVpn RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: mail10.tri--sure.com
Sending IP: 161.35.230.137
From: DHL Support<support@dhl.com>
Subject: Re: Notificación de envío de DHL
Attachment: DHL_409011 documento de recibo,pdf.iso (contains "DHL_409011 documento de recibo,pdf.exe")

RemcosRAT C2:
insidelife1.ddns.net:2021 (185.140.53.130)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-11-06T23:02:44Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL_409011 documento de recibo,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-02-05 18:48:56 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/77867d56-d231-4d9e-826a-c88682efed47

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/115793/

Detection(s):

PUA.Win.Packer.BorlandDelphi-15

Win.Malware.Delf-9828784-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Deleting a recently created file

Launching a process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Connection attempt to an infection source

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/600627

Signature

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates a thread in another existing process (thread injection)

Delayed program exit found

Detected Remcos RAT

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Sigma detected: Remcos

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5edcaa5dd9d8d6726e02b8bd53b8c8695d781d9c324ac4805da72daf3cf5df0d/

Threat name:

Win32.Infostealer.BestaFera

Status:

Malicious

First seen:

2021-02-05 18:47:07 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=l3okuxoz3dlhe3qcxc6vhoginfoxqhm4gjfmjac5u4w26phv34gq._file

Verdict:

malicious

RemcosRAT

2f85c41ee13d69e68454d97153252e8ba9a3a0e85573427eac0600d41fa6824d

RemcosRAT

357ab6a0cf97d36af99606bce098c476c4a24085f4d972038b11b3570486d620

RemcosRAT

553caa644cbf9022987290140354f878981f281eb487847afa5017eca470c279

RemcosRAT

6cef436fd5577158e43bd7cc85ea84cdac90044d8e9f93c254ee7ed119fa7aed

RemcosRAT

719bb30fb8ff3d79fd0216bdbc9f9d1b377c1456a20c8d9a26f1a19e283352ba

RemcosRAT

a8889ff384c38b97b5a48ef4e9586df7c281f40e2719fe248b0d252832969521

RemcosRAT

cacfd3f384737f85e02f8c4dfad0689a71b228c8b930995c24da43582f688a64

RemcosRAT

d96b554a08cd2f503d6a1ffe5303b34f8bd6f91b369bd95e9d16642b4fece2cb

RemcosRAT

f5b21be44a7076a4414adf52f6bae43d0dfbcd460bc35921e5ea81549ea16f4a

RemcosRAT

+ 39 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210205-9kltgfr8bj/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Unpacked files

SH256 hash:

38919c96274afe44c440fa298fc363e1217dfa355da38dd4de2ef213808870c2

MD5 hash:

c3d226b590a22cb9f1aa308748ff47dd

SHA1 hash:

64504ed945df46476fc3ac19dd42972966206e52

Link:

https://www.unpac.me/results/7c212b4c-cc2c-4d29-86dd-bb7450177843/

SH256 hash:

5edcaa5dd9d8d6726e02b8bd53b8c8695d781d9c324ac4805da72daf3cf5df0d

MD5 hash:

7669f38afc005a2bb5a894bdc35385ca

SHA1 hash:

abc475e1f64ba70bdb66c4b38baa461ca7cf30a4

Link:

https://www.unpac.me/results/7c212b4c-cc2c-4d29-86dd-bb7450177843/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5edcaa5dd9d8d6726e02b8bd53b8c8695d781d9c324ac4805da72daf3cf5df0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso cd5ce62f3c8c38be03b60518a82806f84088d972c7a0a6a262de97a29fe2faaa

RemcosRAT

exe 5edcaa5dd9d8d6726e02b8bd53b8c8695d781d9c324ac4805da72daf3cf5df0d

(this sample)

Dropped by

MD5 fe0cfcb2bd2f5f20e5dba70ec5d79960

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/115793/

Dropped by

SHA256 cd5ce62f3c8c38be03b60518a82806f84088d972c7a0a6a262de97a29fe2faaa

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample