MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60d5a2df12e7d3ec47a29b7f1d2faeaa078f89cc3ec6da3965a14a6c1c11de74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60d5a2df12e7d3ec47a29b7f1d2faeaa078f89cc3ec6da3965a14a6c1c11de74
SHA3-384 hash: 156a227f9bf085bd6dd6758a6b6adb234a5bd60821e67521887ecaa91230a93b6bb4646ec9acb13de652b72cefa0dd94
SHA1 hash: d18cf872dc83b11318dafa31d7e9e4fcb9a58bc5
MD5 hash: af0055e6064e88d287e5324824fcbac4
humanhash: alanine-earth-summer-finch
File name:Orden CW62175Q.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:632'320 bytes
First seen:2020-10-27 09:27:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:vW81Gsgeh4jMEVd6N0CVYyWUoG1TdcoEq8zfScypxL+J9C6E:vvcs/qXy0AaUoGPjAvYxLMnE
Threatray 984 similar samples on MalwareBazaar
TLSH 4AD48D2073542B95F83D93355135C4208BF2BCA7E371E689BDF538EB29B2B814672792
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.uthink.eu
Sending IP: 87.76.27.126
From: Diago Gimenez<compras@valmec.com.ar>
Subject: Orden CW62175Q
Attachment: Orden CW62175Q.lzh (contains "Orden CW62175Q.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79743/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/513144
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60d5a2df12e7d3ec47a29b7f1d2faeaa078f89cc3ec6da3965a14a6c1c11de74/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 15:19:02 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mdk2fxys47j6yr5ctn7r2l5ovidy7comh3dnuolfuffgyhar3z2a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
03a7c8a4e67e6739db52502fb4babb8421059e3269610dbec749b3f0aa4a4641
RemcosRAT
11b82240c0a2fbb5f71aefab2266d18d28746ffc267b585f72498006a57aa6bd
RemcosRAT
363f1e19af5976e6c19e76c71e98c405b227938e261beb7e2a0bcc27e4a44be7
RemcosRAT
485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87
RemcosRAT
5fcc312a31029c692e592e1b70ec22e1008cfb3df910ab2fec80a193d420fe08
RemcosRAT
9866933cc0ecf8e3ddfa7ce79cdbc70b16efbe819a2426ffa28d923a12c0653a
RemcosRAT
b2b25365ac3fab2649ba188a0c113a558686c049d89bb4b8f3d7439a6e6732c0
RemcosRAT
e32decb9aac454a38a186b4f7bc59e471c78e2cf6a5fff25c0d8b68d1c46805c
RemcosRAT
e4179e2d5b9c04e7a59bf9b063c006f5695b5ec90600833006d38129ad0a48a6
RemcosRAT
fc243975dc04f097ddfbaf8f3245cd17b7967811b97c926fff0c52749e844480
RemcosRAT
+ 974 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos
Link:
https://tria.ge/reports/201027-63114gddws/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
uzbektourism8739.ddns.net:4354
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

d7831ed9b90743908ef19ec542b802a2

RemcosRAT

Executable exe 60d5a2df12e7d3ec47a29b7f1d2faeaa078f89cc3ec6da3965a14a6c1c11de74

(this sample)

  
Dropped by
MD5 d7831ed9b90743908ef19ec542b802a2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/79743/

Comments