MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b637314dc7b63dfce69d3efe9b792d8fb2fbb0d9f19ea70aa0ff83ae8dbd495. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b637314dc7b63dfce69d3efe9b792d8fb2fbb0d9f19ea70aa0ff83ae8dbd495
SHA3-384 hash: 46c685200f2e1e271acc9f323729dfa9dfaeaefe5dc4b15f1cf801afb0897cb1b505ee4b53e6e803df08991449cf2d6c
SHA1 hash: 1db57f4a9b52fe133b812ba461d89afe3c978cf2
MD5 hash: d20b017687af728f54ecf935104940ed
humanhash: lactose-mobile-low-beryllium
File name:Final Order.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:832'440 bytes
First seen:2021-09-13 13:35:03 UTC
Last seen:2021-09-15 06:59:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8b9a345214cd27c19cf316e4fadca0f8 (2 x RemcosRAT, 1 x Formbook)
ssdeep 12288:RRDhGBuZrdUIyNr4L8gpSnEMgo4ehvgfxS3XLxS8tJv2dBI2xY+PA/vAAAAAAAAe:zXBvlL8gMnEMr4ehvWS3dHjOBAO
Threatray 1'086 similar samples on MalwareBazaar
TLSH T136059F17E6905533C2339B76AC4AA1504D67BD117F28B9C21BE02C9C5E3BE1374AF26B
dhash icon 48918834524ae410 (2 x RemcosRAT, 1 x Formbook)
Reporter Anonymous
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Final Order.exe
Verdict:
Malicious activity
Analysis date:
2021-09-13 13:37:03 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/94825076-426e-4771-956f-fa6e2973947e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187481/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Modifying an executable file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay packed
Link:
https://www.filescan.io/uploads/617502549a5a1e91c5d1fc93/reports/b4d95bee-3828-4618-bfb4-9e7375ac0876/overview
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00ce1269-09c0-40aa-9361-c1d90356dc42
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849833
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 482261 Sample: Final Order.exe Startdate: 13/09/2021 Architecture: WINDOWS Score: 100 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 6 other signatures 2->63 8 Dpgatvhh.exe 13 2->8         started        12 Final Order.exe 1 21 2->12         started        15 Dpgatvhh.exe 14 2->15         started        process3 dnsIp4 45 162.159.130.233, 443, 49763, 49764 CLOUDFLARENETUS United States 8->45 65 Multi AV Scanner detection for dropped file 8->65 67 Writes to foreign memory regions 8->67 69 Creates a thread in another existing process (thread injection) 8->69 17 mshta.exe 8->17         started        47 cdn.discordapp.com 162.159.133.233, 443, 49758, 49759 CLOUDFLARENETUS United States 12->47 41 C:\Users\Public\Libraries\Dpgatvhh.exe, PE32 12->41 dropped 71 Injects a PE file into a foreign processes 12->71 20 mobsync.exe 2 3 12->20         started        23 cmd.exe 1 12->23         started        25 cmd.exe 1 12->25         started        27 mshta.exe 15->27         started        file5 signatures6 process7 dnsIp8 49 Contains functionality to steal Chrome passwords or cookies 17->49 51 Contains functionality to inject code into remote processes 17->51 53 Contains functionality to steal Firefox passwords or cookies 17->53 43 emedoo.ddns.net 185.140.53.133, 35890, 49762 DAVID_CRAIGGG Sweden 20->43 55 Delayed program exit found 20->55 29 reg.exe 1 23->29         started        31 conhost.exe 23->31         started        33 cmd.exe 1 25->33         started        35 conhost.exe 25->35         started        signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b637314dc7b63dfce69d3efe9b792d8fb2fbb0d9f19ea70aa0ff83ae8dbd495/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 13:36:07 UTC
AV detection:
12 of 39 (30.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nnrxgfg4pnr57ttj2px6tn4s3d5s7oynt4m6u4fkb74dv2g32skq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0789e8d80d058cc3283d3041953b057ccf252b882630982b85786081a5cd5df0
RemcosRAT
34ae6e94fd8ce101fadff4baf68d7c0b8bf606d1796b7c8199e7d45a9bc57a02
RemcosRAT
40dc655d06780c3f628f6ec2c3848d797c8ba88dcc50e3397e4e464ec12aaade
RemcosRAT
481d9a1417683843ff3bf8936227f69dbb80cad91b0c408bf30a99f889c09659
RemcosRAT
747610321f9100e0dadd7c7728282b7403172ad1fc23e60eea12f4eaff28ce7e
RemcosRAT
756f9b558a3bedf13017b0e8b5214d6d074778ee2696935c883eb0248b98fb39
RemcosRAT
ba410d1931172915171c7769f798d6aaa1eab9f923c98f178f615ad75a6544f2
RemcosRAT
f0896ba259cc40a67474db857cbca2cd43099f5b49be45c3e3a3a34a06765b7f
RemcosRAT
f4dcc52b899bbe0d34ffbb44032c0186953c174beaf647c0556c7e71385c6bb4
RemcosRAT
f9e2ac4c422df790f71f3c1a4a9839edb7405862b1419144f08129400aaa1f6e
RemcosRAT
+ 1'076 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:panda persistence rat
Link:
https://tria.ge/reports/210913-qv8xcadgd8/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
emedoo.ddns.net:35890
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/6d8be546-8265-4624-a1bb-848d708e39ed/
SH256 hash:
6b637314dc7b63dfce69d3efe9b792d8fb2fbb0d9f19ea70aa0ff83ae8dbd495
MD5 hash:
d20b017687af728f54ecf935104940ed
SHA1 hash:
1db57f4a9b52fe133b812ba461d89afe3c978cf2
Link:
https://www.unpac.me/results/6d8be546-8265-4624-a1bb-848d708e39ed/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6b637314dc7b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.59
Link:
https://yomi.yoroi.company/submissions/6b637314dc7b63dfce69d3efe9b792d8fb2fbb0d9f19ea70aa0ff83ae8dbd495

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/187481/

Comments