MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7025a565fe7b2b8a05477201f7dfdf8f2735dd056626aa0fbf6a949a4e61179f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7025a565fe7b2b8a05477201f7dfdf8f2735dd056626aa0fbf6a949a4e61179f
SHA3-384 hash: 48d8691a1d7e516a2e3fdf70e902a3d51a69744d091e4c9896c66f22a4121fc6482c0ead6e8da01a991fb25aa0fe5032
SHA1 hash: 44f0edfe365c901bda39c4631fb63ec504bce9b8
MD5 hash: 6bd9cbea3fe38ad78c46130e9f92759f
humanhash: pluto-floor-dakota-london
File name:Due_Statement_00000010000100100002000000000000.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:659'176 bytes
First seen:2022-01-03 07:55:16 UTC
Last seen:2022-01-03 09:49:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:jbLNPQ7QUmy15IJtUohQ35pmyPDsrr6ZaOJ6lyr6PUeAUXFg+hbj6lNE:j2MUJ1GFjPrrnJPfAUXRh/kNE
Threatray 1'169 similar samples on MalwareBazaar
TLSH T1D3E4232F2E84CC1BD6C70DB08E37BA31ECF9A75CA251655B0FA57F9ADC122125A1F640
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Due_Statement_00000010000100100002000000000000.exe
Verdict:
Malicious activity
Analysis date:
2022-01-03 07:58:06 UTC
Tags:
installer
Link:
https://app.any.run/tasks/a006ed4c-2271-4aa8-a2af-ac65c5b12f12

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217128/
Detection(s):
SecuriteInfo.com.Trojan.Risis.1.Gen.14718.16206.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Сreating synchronization primitives
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Running batch commands
DNS request
Reading critical registry keys
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
60%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61d2ac147837ada941a9940e/reports/3543a137-70c8-40d1-af6c-d3a9eb3e955d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d5eb7b0a-fb10-4b41-9bbf-4902e94f2815
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914776
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 547254 Sample: Due_Statement_0000001000010... Startdate: 03/01/2022 Architecture: WINDOWS Score: 100 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Detected Remcos RAT 2->72 74 6 other signatures 2->74 11 Due_Statement_00000010000100100002000000000000.exe 18 2->11         started        15 internets.exe 16 2->15         started        17 internets.exe 16 2->17         started        process3 file4 56 C:\Users\user\AppData\Local\...\rzqbbta.dll, PE32 11->56 dropped 84 Contains functionality to steal Chrome passwords or cookies 11->84 86 Contains functionality to inject code into remote processes 11->86 88 Contains functionality to steal Firefox passwords or cookies 11->88 90 Delayed program exit found 11->90 19 Due_Statement_00000010000100100002000000000000.exe 4 5 11->19         started        58 C:\Users\user\AppData\Local\...\rzqbbta.dll, PE32 15->58 dropped 92 Injects a PE file into a foreign processes 15->92 22 internets.exe 15->22         started        60 C:\Users\user\AppData\Local\...\rzqbbta.dll, PE32 17->60 dropped 24 internets.exe 17->24         started        signatures5 process6 file7 50 C:\Users\user\AppData\Local\...\internets.exe, PE32 19->50 dropped 52 C:\Users\user\AppData\Local\...\install.vbs, data 19->52 dropped 54 C:\Users\...\internets.exe:Zone.Identifier, ASCII 19->54 dropped 26 wscript.exe 1 19->26         started        process8 process9 28 cmd.exe 1 26->28         started        process10 30 internets.exe 16 28->30         started        34 conhost.exe 28->34         started        file11 62 C:\Users\user\AppData\Local\...\rzqbbta.dll, PE32 30->62 dropped 94 Multi AV Scanner detection for dropped file 30->94 96 Detected unpacking (changes PE section rights) 30->96 98 Machine Learning detection for dropped file 30->98 100 4 other signatures 30->100 36 internets.exe 2 1 30->36         started        signatures12 process13 dnsIp14 64 vstore101.com 37.49.225.136, 2491, 49749, 49750 SQUITTER-NETWORKSNL Estonia 36->64 76 Injects a PE file into a foreign processes 36->76 40 internets.exe 36->40         started        43 internets.exe 2 36->43         started        46 internets.exe 1 36->46         started        48 wuapihost.exe 36->48         started        signatures15 process16 dnsIp17 78 Tries to steal Instant Messenger accounts or passwords 40->78 80 Tries to steal Mail credentials (via file / registry access) 40->80 66 192.168.2.1 unknown unknown 43->66 82 Tries to harvest and steal browser information (history, passwords, etc) 43->82 signatures18
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7025a565fe7b2b8a05477201f7dfdf8f2735dd056626aa0fbf6a949a4e61179f/
Threat name:
Win32.Trojan.Risis
Create hunting rule
Status:
Malicious
First seen:
2022-01-03 07:56:11 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
15 of 43 (34.88%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oas2kzp6pmvyubkhoia7px67r4ttlxifmytkud57nkkjuttbc6pq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1730338ca0fbfe0985bed5638fc8599a6dd38761ab8b89e3d8a076947a320028
RemcosRAT
3f9fd47a1850bb51e06ce78cabb32d839b4d4f68daf028aa0465d7cb85099b1a
RemcosRAT
41d511392fc1e9e37a96d7e0d1e2a947d3de3da299d1a0fab9f522b98e38b659
RemcosRAT
502f18997fa73c5af97c3f8f3cd7a8a12d7d648642bd238b4eb15c0457e879a1
RemcosRAT
5a8fe490fa1d8de6136c5e92e3c11e3d6301ff13bac5262b3106931411228237
RemcosRAT
61aafd1dd6f5fab9518ba14457879afa2356206230c155b906a6bb5d4a035627
RemcosRAT
75d58f5b4293ffc19d29586f96508fe473b3688503ab75a9fecf8b280af3b55a
RemcosRAT
7777398dbc3f599ad36ce53b25d7991898b10168e825285a4dcd21cdd042f93b
RemcosRAT
bf8618fa46805e7d2018e06c23d78919f424a5b5bc3608bbe618d2dfd92a3cd1
RemcosRAT
cd43f136f1d3221cd64fc792a37744dfa9656a9ea5889e52929275c05eb4e33b
RemcosRAT
+ 1'159 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:timeprom collection persistence rat spyware stealer
Link:
https://tria.ge/reports/220103-jspblahecj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
vstore101.com:2491
Unpacked files
SH256 hash:
7025a565fe7b2b8a05477201f7dfdf8f2735dd056626aa0fbf6a949a4e61179f
MD5 hash:
6bd9cbea3fe38ad78c46130e9f92759f
SHA1 hash:
44f0edfe365c901bda39c4631fb63ec504bce9b8
Link:
https://www.unpac.me/results/2e204fbd-0d11-4c17-a555-8f40290adc94/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7025a565fe7b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.23
Link:
https://yomi.yoroi.company/submissions/7025a565fe7b2b8a05477201f7dfdf8f2735dd056626aa0fbf6a949a4e61179f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 7025a565fe7b2b8a05477201f7dfdf8f2735dd056626aa0fbf6a949a4e61179f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/217128/

Comments