MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b4cda8e0f766056eadbd9c59df82298fa4acbf7a6e526d36c4168e4f511bd8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b4cda8e0f766056eadbd9c59df82298fa4acbf7a6e526d36c4168e4f511bd8b
SHA3-384 hash: 76a5e4ebbd8c595b2ec142ab75cfc0fe838338d9fc876f127af786e62aba8d37a10ccebc157e2ecd2a987406b50fc731
SHA1 hash: 016a034624da41704712ca99951a47eb7b499a8a
MD5 hash: 9907f623d8c8ea10fc45e10ab7a1c5db
humanhash: eighteen-west-edward-kitten
File name:DIGITAL_PAYMENT_Transmitter_Puvnmteqvrpmujdxrgnnwkadmmmglrtyvq.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:585'368 bytes
First seen:2021-03-23 10:09:49 UTC
Last seen:2021-03-23 11:55:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7583405a078ff3725c7256f29caf1571 (1 x RemcosRAT)
ssdeep 6144:mpmip4MdKP2Tb1TY2grwKl3eGc3Ce2mz7BauUkv8MReEURrQa3Sd+6Aqt4co3T1X:Um64M22FTCQGs7BFUdEURsdAi7QEA
Threatray 282 similar samples on MalwareBazaar
TLSH B1C47D21A1504F72F116373BD8069259EAA5BD6CFD182342B6E4AF89573F3C13CA907B
Reporter TeamDreier
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DIGITAL_PAYMENT_Transmitter_Puvnmteqvrpmujdxrgnnwkadmmmglrtyvq.exe
Verdict:
Malicious activity
Analysis date:
2021-03-23 10:14:51 UTC
Tags:
installer rat remcos stealer
Link:
https://app.any.run/tasks/ca984124-3777-4f47-94f7-a31d8635b3ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/126534/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/649736
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 373829 Sample: DIGITAL_PAYMENT_Transmitter... Startdate: 23/03/2021 Architecture: WINDOWS Score: 100 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 7 other signatures 2->50 7 DIGITAL_PAYMENT_Transmitter_Puvnmteqvrpmujdxrgnnwkadmmmglrtyvq.exe 1 18 2->7         started        12 Puvnmt.exe 13 2->12         started        14 Puvnmt.exe 14 2->14         started        process3 dnsIp4 36 cdn.discordapp.com 162.159.135.233, 443, 49700, 49702 CLOUDFLARENETUS United States 7->36 32 C:\Users\user\Contacts\Puvnmt.exe, PE32 7->32 dropped 58 Detected unpacking (changes PE section rights) 7->58 60 Detected unpacking (overwrites its own PE header) 7->60 62 Contains functionalty to change the wallpaper 7->62 70 5 other signatures 7->70 16 DIGITAL_PAYMENT_Transmitter_Puvnmteqvrpmujdxrgnnwkadmmmglrtyvq.exe 2 7->16         started        38 162.159.133.233, 443, 49728 CLOUDFLARENETUS United States 12->38 64 Multi AV Scanner detection for dropped file 12->64 66 Machine Learning detection for dropped file 12->66 68 Injects a PE file into a foreign processes 12->68 20 Puvnmt.exe 12->20         started        22 Puvnmt.exe 14->22         started        file5 signatures6 process7 dnsIp8 34 79.134.225.23, 49722, 49723, 6666 FINK-TELECOM-SERVICESCH Switzerland 16->34 42 Injects a PE file into a foreign processes 16->42 24 DIGITAL_PAYMENT_Transmitter_Puvnmteqvrpmujdxrgnnwkadmmmglrtyvq.exe 1 16->24         started        27 DIGITAL_PAYMENT_Transmitter_Puvnmteqvrpmujdxrgnnwkadmmmglrtyvq.exe 13 16->27         started        30 DIGITAL_PAYMENT_Transmitter_Puvnmteqvrpmujdxrgnnwkadmmmglrtyvq.exe 1 16->30         started        signatures9 process10 dnsIp11 52 Tries to steal Instant Messenger accounts or passwords 24->52 54 Tries to steal Mail credentials (via file access) 24->54 40 192.168.2.1 unknown unknown 27->40 56 Tries to harvest and steal browser information (history, passwords, etc) 27->56 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b4cda8e0f766056eadbd9c59df82298fa4acbf7a6e526d36c4168e4f511bd8b/
Threat name:
Win32.Spyware.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-03-23 08:59:43 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nngnvdqpozqfn2w33hcz36bctd5evs7xu3ssnu3mifuoj5irxwfq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
015899ba7ca42d54316d63f5ed222f2f6c0ab3c784b855c646df4c89b05c71c8
RemcosRAT
57a1ee826afb333572965abe745c06597d0111f75494c586619d6b23d9ceda10
RemcosRAT
5d20ab723dbc30184582ccec3877af8fbb8fc78f90d09fd680bf784325951ca3
RemcosRAT
6b19b6261188bd102c2139595fa66347ee5717906e85d9fa90fd20e4209a91b0
RemcosRAT
8c38dbbc3834ab600313e6cd32e0e1a077726f002a608b5cbf9baa87ff11f90f
RemcosRAT
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
RemcosRAT
d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9
RemcosRAT
e4e47b27c701e89ac6a550ab1f8ecb6058c79d9f9bca9a56ec71e3baf01dc545
RemcosRAT
ef6ac1293cdfda22c8d940f96c5433f406a4c3666e6941e4f094a8cf50d04ac1
RemcosRAT
ff8dd2511c1721a535a31eb7e8c4f813ba114a2ec963f4b85f8808fa99d47422
RemcosRAT
+ 272 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat spyware stealer
Link:
https://tria.ge/reports/210323-rky67n6r5s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
79.134.225.23:6666
fgbgfyby.loseyourip.com:6666
dftyuj.duckdns.org:6666
hillsong5566.ydns.eu:6666
Unpacked files
SH256 hash:
377a0e87111bc73fea538695a41f6ed1d6b1683e794424b6dc7605fe6875c942
MD5 hash:
a6d50f077b6bb576994ce5261652987f
SHA1 hash:
923084fc4f6d16db9725d45f3c0882336605611b
Link:
https://www.unpac.me/results/c9c3a432-ddca-478e-87cb-57c339ea5490/
SH256 hash:
6b4cda8e0f766056eadbd9c59df82298fa4acbf7a6e526d36c4168e4f511bd8b
MD5 hash:
9907f623d8c8ea10fc45e10ab7a1c5db
SHA1 hash:
016a034624da41704712ca99951a47eb7b499a8a
Link:
https://www.unpac.me/results/c9c3a432-ddca-478e-87cb-57c339ea5490/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b4cda8e0f766056eadbd9c59df82298fa4acbf7a6e526d36c4168e4f511bd8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/126534/

Comments