MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 604bc26afab3f25d1c4d98e45872e798eef3061cc8720be0db28d900bddb277c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	604bc26afab3f25d1c4d98e45872e798eef3061cc8720be0db28d900bddb277c
SHA3-384 hash:	d35b4a45b6d49aec792739b80653fdbd63ea9e9b463a7e6042582a2487418abec62b2f93ccb4d1291c4732c4f0ca1ba9
SHA1 hash:	2022f2fb77afd3b0e56bdc8850fcbcc2de679d6b
MD5 hash:	ec7468402d496a82ac08fa2402827ab2
humanhash:	ink-leopard-green-blossom
File name:	Document (2).exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	862'728 bytes
First seen:	2021-03-04 15:26:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ec744fd3c932ace305ae4fea2c8994bb (2 x RemcosRAT)
ssdeep	12288:QaefnCzDZeGMM2uv/tuyOLnSTspTZzTlWQv9Q2ZwHRUhLCKWgjjG:Q5/cZeGMMDv/t4rSTUVwQF/KHRGWYe
Threatray	107 similar samples on MalwareBazaar
TLSH	3B058DF2A3914432C3921F350C2B72E76939BAE125D9A04ABAFD5D0C6F3D6D33929095
Reporter	abuse_ch
Tags:	DHL exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: mail.issuedelivery.xyz
Sending IP: 161.97.147.167
From: Dhl Customer Support <dhl@orderstop.xyz>
Subject: Delivery Failed
Attachment: Attachment1.iso (contains "Document (2).exe")

RemcosRAT C2:
bruno.camdvr.org

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Document (2).exe

Verdict:

Malicious activity

Analysis date:

2021-03-04 15:28:10 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d56eafb5-0211-4bcb-b542-23e895a83da9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/122297/

Detection(s):

Win.Dropper.Fareit-9838621-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Sending a UDP request

DNS request

Creating a file

Deleting a recently created file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/628785

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/604bc26afab3f25d1c4d98e45872e798eef3061cc8720be0db28d900bddb277c/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-03-04 15:27:09 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mbf4e2x2wpzf2hcntdsfq4xhtdxpgbq4zbzaxyg3fdmqbpo3e56a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

1009dfd8b0678ec363efae43da9bb4eac2f44ae77a7f7f89ccc120a592f20a78

RemcosRAT

2d8d2fd56753dde1e4b495c73f4d1b68e4b347633d8cd79a687b9cb98573f189

RemcosRAT

49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219

RemcosRAT

4a74ac9210751c192d84ad49d567de4cc5f7d005f62767b59a6a7901051a5304

RemcosRAT

86eb335425ab87285d7fc03826498925262e64a466fac29d22c8ae1a806feaae

RemcosRAT

b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839

RemcosRAT

c3d5cfa19bb7af77abe161135bd85506171d67dca3f86fa6a68340d05e203f64

RemcosRAT

e418958dc7d42216f8f151aef40df718df0a6a20d7d70c9954f7bd82953707a7

RemcosRAT

ef6ac1293cdfda22c8d940f96c5433f406a4c3666e6941e4f094a8cf50d04ac1

RemcosRAT

+ 97 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210304-tfkvnqjzce/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Adds Run key to start application

Enumerates connected drives

Remcos

Malware Config

C2 Extraction:

Bruno.camdvr.org:2404
Bruno1.camdvr.org:2404
Bruno2.camdvr.org:2404

Unpacked files

SH256 hash:

0220a2314e0f066178abaae785b5e6a5b739a6bd987425bf4b41e779b58cf13a

MD5 hash:

35040ad9d0d7e11b1d4c076059f7d3ea

SHA1 hash:

5798e8c6719601df58bef14770f4a22a77080c06

Link:

https://www.unpac.me/results/05ae411f-2eba-4bc1-97df-8b6735712d67/

SH256 hash:

f9f8a2abd0de5a2052dee5631163e4cd6124873fe5ee6e80089a6be9f2b209a3

MD5 hash:

2dadb1d18f8141233c7b74fd7bb31306

SHA1 hash:

5101e36d15db1f5592af8b05934b1854d9a93d8a

Link:

https://www.unpac.me/results/05ae411f-2eba-4bc1-97df-8b6735712d67/

SH256 hash:

604bc26afab3f25d1c4d98e45872e798eef3061cc8720be0db28d900bddb277c

MD5 hash:

ec7468402d496a82ac08fa2402827ab2

SHA1 hash:

2022f2fb77afd3b0e56bdc8850fcbcc2de679d6b

Link:

https://www.unpac.me/results/05ae411f-2eba-4bc1-97df-8b6735712d67/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/604bc26afab3f25d1c4d98e45872e798eef3061cc8720be0db28d900bddb277c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 9414fa2c6ee491dcd25c4266b67d29da01c918a13803419890e5f282bc371ff9

RemcosRAT

exe 604bc26afab3f25d1c4d98e45872e798eef3061cc8720be0db28d900bddb277c

(this sample)

Dropped by

MD5 69989c33b50d5e350c89aa4f71e23edb

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 9414fa2c6ee491dcd25c4266b67d29da01c918a13803419890e5f282bc371ff9

Cape

https://www.capesandbox.com/analysis/122297/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample