MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e
SHA3-384 hash: 2656af8db07bf6cc7c5b682ee2e9d968e8c0324111cf44f843d883ad6c99e63fa57159704c9f3882d65dc77f9c16d2e7
SHA1 hash: cbbd717f6fc0efebb051ca6329b90d8473dc5366
MD5 hash: 3932f812b26f3bff1d20070c58468f2e
humanhash: stream-hamper-bakerloo-snake
File name:HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:421'888 bytes
First seen:2021-02-18 14:35:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 49278d1d642197d284d20a863e464344 (3 x RemcosRAT)
ssdeep 6144:5s8MYkOoyOoKkpoxJbJkpKOv0Xmq6Mm8C1AKI0W5w0MxXYc7VBJkSqWoGZd61OuT:YQZOz1/CKbrmT1bCc79kS+O3njF
Threatray 137 similar samples on MalwareBazaar
TLSH 82941285F2F8DA26E29645B29D60AAAD526BBE705D2CCD4373907F8E6733F424641303
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: sugiyamacreate.com
Sending IP: 140.227.20.146
From: Wasif Ahmed <yuko.s@sugiyamacreate.com>
Subject: FW: RE: Samrudh Pharma - Tarapur JASCO HPLC - OUTSTANDING PAYMENT 2/18/2021 11:37:55 a.m.
Attachment: HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.zip (contains "HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe")

RemcosRAT C2:
capriteam.ddns.net:1010

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117783/
Detection(s):
SecuriteInfo.com.Variant.Graftor.752414.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/611623
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Deletes itself after installation
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Potential malicious icon found
Sample uses process hollowing technique
Sigma detected: Remcos
Uses dynamic DNS services
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 354826 Sample: HTQ19-P0401-Q0539 NE-Q22940... Startdate: 18/02/2021 Architecture: WINDOWS Score: 100 45 Potential malicious icon found 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 13 other signatures 2->51 10 HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe 13 2->10         started        13 remcos.exe 4 2->13         started        15 remcos.exe 4 2->15         started        process3 signatures4 53 Maps a DLL or memory area into another process 10->53 55 Sample uses process hollowing technique 10->55 17 HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe 4 5 10->17         started        20 backgroundTaskHost.exe 1 14 10->20         started        22 remcos.exe 13->22         started        24 remcos.exe 15->24         started        process5 file6 39 C:\Users\user\AppData\Roaming\...\remcos.exe, PE32 17->39 dropped 41 C:\Users\user\...\remcos.exe:Zone.Identifier, ASCII 17->41 dropped 26 wscript.exe 1 17->26         started        process7 signatures8 57 Deletes itself after installation 26->57 29 cmd.exe 1 26->29         started        process9 process10 31 remcos.exe 4 29->31         started        34 conhost.exe 29->34         started        signatures11 59 Detected unpacking (changes PE section rights) 31->59 61 Detected unpacking (overwrites its own PE header) 31->61 63 Machine Learning detection for dropped file 31->63 65 5 other signatures 31->65 36 remcos.exe 2 1 31->36         started        process12 dnsIp13 43 capriteam.ddns.net 79.134.225.62, 1010, 49737 FINK-TELECOM-SERVICESCH Switzerland 36->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-02-18 14:36:09 UTC
AV detection:
16 of 47 (34.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n4hvvqvarrdumgdkphz27zekmffr5umaz2bqaweaknkl7kgld2ha._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
09715a97873a089c9dc80219175d50508628f4f794639c2e725bad85d68804c2
RemcosRAT
149bc7bb666f2eabcf946822bd316709ddeeef787f059687415f98c71ad47783
RemcosRAT
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
RemcosRAT
5528ee96b8cefda8ec99999701a1673fb0dff17a8e603f2c8ccd3abac08f7489
RemcosRAT
5ec36ac5ba843f29bb0dc75d7d527ab9cee34a681bad704a89fd5ed12cdea337
RemcosRAT
67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96
RemcosRAT
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
RemcosRAT
b0787f51caf44390126cfb1e827d548139021e30bca2cf2e299917ea5788a8bf
RemcosRAT
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
RemcosRAT
f09416ef7aaab2c43c62ef77bb69c005ec4a57d4051586f5e7d8571e74fee41c
RemcosRAT
+ 127 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210218-pvdeqjwn8j/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Executes dropped EXE
Remcos
Unpacked files
SH256 hash:
b543a8e1e808a7a7f49fb605d99b405a6132039241fa3d010ff05a3c5c66dada
MD5 hash:
cded6c869cd70582adb401fc8c83ecaa
SHA1 hash:
7312e20d18b47e3ad172b0007fce6c6737fec8f2
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/71a93e74-f59c-473b-8cbf-073b741cbadb/
SH256 hash:
6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e
MD5 hash:
3932f812b26f3bff1d20070c58468f2e
SHA1 hash:
cbbd717f6fc0efebb051ca6329b90d8473dc5366
Link:
https://www.unpac.me/results/71a93e74-f59c-473b-8cbf-073b741cbadb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.42
Link:
https://yomi.yoroi.company/submissions/6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip e939b191df2c460705fb601c020be92e228cc6bba84336a3a3b878c39f235cc6

RemcosRAT

Executable exe 6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e

(this sample)

  
Dropped by
MD5 97518d8ccc8e8279e10ff5028f3dc3de
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/117783/
  
Dropped by
SHA256 e939b191df2c460705fb601c020be92e228cc6bba84336a3a3b878c39f235cc6

Comments