MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 657c44fbc121eac691e32be9aa80b9ca59d2018df9bf39e7f20e770fc1ede5a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 657c44fbc121eac691e32be9aa80b9ca59d2018df9bf39e7f20e770fc1ede5a0
SHA3-384 hash: b12370aef08f39069abf553e4287cd22ab671735ecaaaa3ab61e8bcac393703fec917f856d6421404c3d7e2cee52311c
SHA1 hash: 5d258aae43af536a02ae53a0b923c8460109ec7f
MD5 hash: 444c78b55439c5e2f8b9b5290a9f1037
humanhash: jig-utah-november-victor
File name:P_Order Flex Saneh.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'096'192 bytes
First seen:2021-02-23 15:58:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b7d2d22d5303b7a3256c7306e3bf2245 (3 x RemcosRAT, 1 x Loki)
ssdeep 24576:T53qrkzqFJEtaWcYilxt+nSUyCjXb/PBW9Buz15z7:T56AglzWf
Threatray 88 similar samples on MalwareBazaar
TLSH B73528B2EA168FE2F45B093DFD0BE5F51601BD1C362E54A72EE43B099AAF78174101B1
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: poydorus.t.mk
Sending IP: 195.26.152.36
From: Flex Saneh <vesna.v@tinex.com.mk>
Subject: ORDER Z7289 -- SANEF FLEXIBILITY COMPANY
Attachment: P_Order Flex Saneh.rar (contains "P_Order Flex Saneh.exe")

RemcosRAT C2:
export.zapto.org:4021

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118697/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.43761.21093.9113.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Connecting to a non-recommended domain
Connection attempt
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/615708
Signature
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Remcos
Sigma detected: Suspicious Program Location Process Starts
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/657c44fbc121eac691e32be9aa80b9ca59d2018df9bf39e7f20e770fc1ede5a0/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 10:33:29 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mv6ej66behvmnepdfpu2vafzzjm5eamn7g7ttz7sbz3q7qpn4wqa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1a1dced1428208836f04f4ec0654f13786b2fb5244891eaffc48da37c87af8ec
RemcosRAT
1e5a328f760c35f905390fb4bcf0eefa75936c79a43e22ca7557da0e315c72ed
RemcosRAT
20fe5347a7254b7f5d75c7fce2542b88abdb8d1939afe621544c61d35e45bdee
RemcosRAT
558791ef8ee4a269644ecce15552270a2e8f287603308069084793370ba9451d
RemcosRAT
71f60a985d2cc9fc47c6845a88eea4da19303a96a2ff69daae70276f70dcdae0
RemcosRAT
926da3334135961ff0c19ecf4358201ba4734ab01186061c423deeb081ec1cff
RemcosRAT
c062b4a790666b338f7955ea792605bf0244a8d36cb1050c602727ff6d654e36
RemcosRAT
cbf5b54d5d1c70086efefea16f38b80a329cb96bb5a59e709b0ab2304acb157c
RemcosRAT
d00cdc47ecf61320c65927dd2cd3ec52e5d1496264ba527b019eebca8d9b3410
RemcosRAT
f436b8e7b214f3f56d0c62326e37653f87184760b406ab4f6eae79a5c34297b1
RemcosRAT
+ 78 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210223-gyb99bgbte/
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
export.zapto.org:4021
Unpacked files
SH256 hash:
24eabda41c38329fa233999b2512ac12126a358730464f72d2f3e2952d977470
MD5 hash:
3ad6b316fdf43cda7b29bd0815d29120
SHA1 hash:
fdaa834dd6936538a123242a54c9f18da2bb3c6d
Link:
https://www.unpac.me/results/29618704-fc6d-4bab-931d-685ed476d3ac/
SH256 hash:
01835bc033bb8fbf7c32a2e3003e2904d3d369729983bd20cea424a733743584
MD5 hash:
68a1764d191bddc4c52470f7f23dee29
SHA1 hash:
86b86a3f01fe284347ecaf055a1fc2f74192b2f2
Link:
https://www.unpac.me/results/29618704-fc6d-4bab-931d-685ed476d3ac/
SH256 hash:
657c44fbc121eac691e32be9aa80b9ca59d2018df9bf39e7f20e770fc1ede5a0
MD5 hash:
444c78b55439c5e2f8b9b5290a9f1037
SHA1 hash:
5d258aae43af536a02ae53a0b923c8460109ec7f
Link:
https://www.unpac.me/results/29618704-fc6d-4bab-931d-685ed476d3ac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/657c44fbc121eac691e32be9aa80b9ca59d2018df9bf39e7f20e770fc1ede5a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 00e92a17c7f6a1eedee5c20eb52f6e0d6e85c5bd36e8cf1db31326eca253b732

RemcosRAT

Executable exe 657c44fbc121eac691e32be9aa80b9ca59d2018df9bf39e7f20e770fc1ede5a0

(this sample)

  
Dropped by
MD5 a95444d48650875c276824d244312888
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118697/
  
Dropped by
SHA256 00e92a17c7f6a1eedee5c20eb52f6e0d6e85c5bd36e8cf1db31326eca253b732

Comments