MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ebfb5f6ff23404832ee6380a09aee89b19186eccc66fea2512b2708ee00c329. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ebfb5f6ff23404832ee6380a09aee89b19186eccc66fea2512b2708ee00c329
SHA3-384 hash: 24b360982d5ef9958fdfcceacb549fc8da5de09e03160163eeff372363c68dc8bf00cde032e3ff6ce6acae3b2a701bf8
SHA1 hash: 1a8f24543e62e9af3474324f38923bb5e76ea385
MD5 hash: 1b48ca057364c1fa83ff65c677b4964d
humanhash: fish-illinois-romeo-fruit
File name:Precio de referencia - CARMAHE,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'029'640 bytes
First seen:2021-02-26 18:04:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f70d11579cf4ff0aec924ee19e4d342a (2 x RemcosRAT)
ssdeep 12288:aSQStU1PJk6GCJKTxaN3Dp4q0MbSkv8m8RcgSLF784gNWR1BTZ/sqXPkj5UkfI:kO+XG2K0N3Dpnn8m8RcBLFXqWR1BbeZg
Threatray 96 similar samples on MalwareBazaar
TLSH E7253AB3E94B8E22F06B153ED80FCA78D816BD517A1C84B66FE17B099F6775031211B2
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: pnq64.balasai.com
Sending IP: 103.228.50.64
From: Luciatti Brian <info@carmahe.com>
Subject: RE: Precio de referencia -CARMAHE
Attachment: Precio de referencia - CARMAHE,pdf.cab (contains "Precio de referencia - CARMAHE,pdf.exe")

RemcosRAT C2:
marstonstyl247.ddns.net

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Precio de referencia - CARMAHE,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-02-26 18:05:21 UTC
Tags:
trojan rat remcos keylogger
Link:
https://app.any.run/tasks/c35403c8-a683-4c80-9166-1e76b7c1cc13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119457/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
DNS request
Creating a file
Deleting a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/619949
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 358968 Sample: Precio de referencia - CARM... Startdate: 26/02/2021 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Detected Remcos RAT 2->36 38 4 other signatures 2->38 6 Mrtentec.exe 2->6         started        9 Mrtentec.exe 2->9         started        11 Precio de referencia - CARMAHE,pdf.exe 1 18 2->11         started        process3 dnsIp4 40 Writes to foreign memory regions 6->40 42 Allocates memory in foreign processes 6->42 44 Creates a thread in another existing process (thread injection) 6->44 15 eventvwr.exe 6->15         started        46 Injects a PE file into a foreign processes 9->46 18 iexpress.exe 9->18         started        30 cdn.discordapp.com 162.159.129.233, 443, 49712 CLOUDFLARENETUS United States 11->30 26 C:\Users\Public\Libraries\Mrtentec.exe, PE32 11->26 dropped 20 mspaint.exe 2 3 11->20         started        file5 signatures6 process7 dnsIp8 48 Contains functionality to steal Chrome passwords or cookies 15->48 50 Contains functionality to capture and log keystrokes 15->50 52 Contains functionality to inject code into remote processes 15->52 54 Contains functionality to steal Firefox passwords or cookies 18->54 56 Delayed program exit found 18->56 28 marstonstyl247.ddns.net 185.86.106.202, 3234, 49722 OBE-EUROPEObenetworkEuropeSE Sweden 20->28 24 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 20->24 dropped file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ebfb5f6ff23404832ee6380a09aee89b19186eccc66fea2512b2708ee00c329/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 18:05:11 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n273l5x7enaeqmxomoakbgxorgyzdbxmzrtp5isrfmtqr3qaymuq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0d03646fdaee92061ac0ffa4ba7c737d0ef101858b30bd7432148f7e9faf279a
RemcosRAT
20fe5347a7254b7f5d75c7fce2542b88abdb8d1939afe621544c61d35e45bdee
RemcosRAT
22ac80592400a2e2ed64392413d1bc5ecbbb09f10a811d3243c7212252f75a2c
RemcosRAT
2a344d464465069aa8739a45ecba1b6de4ef4ba4cc2b8128af5a54112c507058
RemcosRAT
350d9e0fce3c72fb6c63235194c1e9c986d38c13866e756f85c31faa95f4ef2b
RemcosRAT
71f60a985d2cc9fc47c6845a88eea4da19303a96a2ff69daae70276f70dcdae0
RemcosRAT
7372fe2e6401cdbca755f752e7e8407a8a5fbaf81ca5e692705a9819977dc447
RemcosRAT
a972b68b050a973ba7815570e6b6d85c20629defc5c4c5bfd3f44abae041feb5
RemcosRAT
b6e24ae319f72f87dbf9d5e6fc2394737b938f7eb391a39c5043114458f31733
RemcosRAT
f436b8e7b214f3f56d0c62326e37653f87184760b406ab4f6eae79a5c34297b1
RemcosRAT
+ 86 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210226-jaq9nhahvn/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
marstonstyl247.ddns.net:3234
Unpacked files
SH256 hash:
5bcde4d165f66f58ce0446462a038b7ae84e2fd2275885f61f68287547aac66d
MD5 hash:
34cb499bbd566c24dcf888e9bab46083
SHA1 hash:
3bb97e3103868691e57e7cf3be88a7ff30f46ea1
Link:
https://www.unpac.me/results/2c7e774c-9e54-469a-8fb7-5f818a4811af/
SH256 hash:
6ebfb5f6ff23404832ee6380a09aee89b19186eccc66fea2512b2708ee00c329
MD5 hash:
1b48ca057364c1fa83ff65c677b4964d
SHA1 hash:
1a8f24543e62e9af3474324f38923bb5e76ea385
Link:
https://www.unpac.me/results/2c7e774c-9e54-469a-8fb7-5f818a4811af/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar bc7ad70d77f3d3aa1d9c9bae4ade6a6b95eeadebfd7739b4331232b1fd3881f2

RemcosRAT

Executable exe 6ebfb5f6ff23404832ee6380a09aee89b19186eccc66fea2512b2708ee00c329

(this sample)

  
Dropped by
MD5 750e2bf1b47a090d8bf3d0df417fd860
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/119457/
  
Dropped by
SHA256 bc7ad70d77f3d3aa1d9c9bae4ade6a6b95eeadebfd7739b4331232b1fd3881f2

Comments