MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ef2d70f9e7fa30c9fea637c8b0c60276ca69505640ffb417a27a320575f3807. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	5ef2d70f9e7fa30c9fea637c8b0c60276ca69505640ffb417a27a320575f3807
SHA3-384 hash:	b94e8e9d1950143f2e2cf70d30e062d39f55ac90432bb55c26e7c903130f83612512610e06b43797a291846ef5bb0217
SHA1 hash:	1d9e37d09d13b13494f26c61330eb9b679e9e27a
MD5 hash:	dec6ea74b97f6b2f69d851955493bff7
humanhash:	edward-oxygen-minnesota-utah
File name:	ScanDocuments0002-pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	651'264 bytes
First seen:	2020-08-19 09:28:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1d3807efc70a0a5a6d2ab497250e9cb5 (4 x RemcosRAT, 1 x AZORult, 1 x AveMariaRAT)
ssdeep	12288:Km/ZNPa2c/PWwuUDKcoEwWLC2W2nKjdkOdqY55w/uPXjlBeh0DF:Km/TyzPWwuUDpoEwECcKpkON/Bno0
Threatray	912 similar samples on MalwareBazaar
TLSH	52D49E62E6804837C1631578AC0B9FE9D937AF103B98AC476BF62E0C5F397D17929097
Reporter	abuse_ch
Tags:	exe RemcosRAT

abuse_ch

Malspam distributing unidentified malware:

HELO: professionaleventrun.com
Sending IP: 45.137.22.57
From: Qiqi Wang <garyk@professionaleventrun.com>
Subject: ORDER
Attachment: ScanDocuments0002-pdf.zip (contains "ScanDocuments0002-pdf.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

76

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/48340/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Running batch commands

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Deleting a recently created file

Setting a single autorun event

Unauthorized injection to a recently created process by context flags manipulation

Setting a global event handler for the keyboard

Connection attempt to an infection source

Unauthorized injection to a system process

Result

Threat name:

Unknown

Detection:

suspicious

Classification:

n/a

Score:

30 / 100

Link:

https://www.joesandbox.com/analysis/437268

Signature

a

c

d

e

f

h

I

l

m

n

o

p

s

t

u

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ef2d70f9e7fa30c9fea637c8b0c60276ca69505640ffb417a27a320575f3807/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2020-08-18 21:31:00 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l3znod46p6rqzh7kmn6iwddae5wknfifmqh7wql2e6rsav27hadq._file

Verdict:

malicious

Label(s):

remcos

Similar samples:

01de61b8b14bb1231ac14968c89b304afa74376e70ce29c7da92259a8a702b60

4096056536154e1fa5a10e3495cd3ddadf7c01022b7b65b0c35a67b2eac2bc6b

485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87

4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d

54c937e5b6fe28e7076e549802765e15ad6191d2ddc427b532ff9347fef2eb39

54c9967a2b3467f1a5961630d0bd429400e781de19866a383267c40e0f9acf2f

6274c01dd6783517a68267d2c6c2af38143ed35074cfc2372d8bc385a7c5f4e9

83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4

c0b1ba178d886a9d71fb7ffd5b169bf023021e13c545e3cd8d15461221dd2006

eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2

+ 902 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

persistence rat family:remcos

Link:

https://tria.ge/reports/200819-n7ay4ysd4x/

Behaviour

Modifies registry key

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Remcos

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip fbe31f961d7fc1bf7d32752faeef0230f7b8b49327d48fdb17edf2e983059e35

exe 5ef2d70f9e7fa30c9fea637c8b0c60276ca69505640ffb417a27a320575f3807

(this sample)

Dropped by

MD5 face6bd9d9643eec14159c73fa5bf6f8

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/48340/

Dropped by

SHA256 fbe31f961d7fc1bf7d32752faeef0230f7b8b49327d48fdb17edf2e983059e35

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample