MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 711e6d2b6ee80bd1ac945eee8aa67dfb485249f95bd0eb0357d33e302336a2fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 711e6d2b6ee80bd1ac945eee8aa67dfb485249f95bd0eb0357d33e302336a2fb
SHA3-384 hash: 7af08bad99a24d3da6e71b15585b0695ab1d9c0744cb6f25f8be6c459549f5c784ca0912a3abe3f7871f1640f630d3b9
SHA1 hash: 7af4fca537da28fae8a0bc347a313001ad66e038
MD5 hash: 4282a4ce32aeb21533a843df720a003d
humanhash: lake-carpet-sixteen-single
File name:Doc_58YJ54-521DERG701-55YH701.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:638'816 bytes
First seen:2021-04-06 08:18:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 810b60d80fc0f9a70fe609b43363aa3f (2 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 12288:5mZutCqMrtdeLlyKvPpfKnbOEV7S8wt+Z/U/OyVqG:5+ugtdeL5JoTVuDtC/UDVqG
Threatray 155 similar samples on MalwareBazaar
TLSH B6D47D26B6E28873E5EE2A3C5D6772A49C26FE802DF5704927F51C4C4F393907829397
Reporter abuse_ch
Tags:DHL exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: datamatixmail.com
Sending IP: 184.75.208.26
From: DHL Express <orders@ccavenue.com>
Subject: Re: Original Shipping documents
Attachment: Doc_58YJ54-521DERG701-55YH701.rar (contains "Doc_58YJ54-521DERG701-55YH701.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Doc_58YJ54-521DERG701-55YH701.exe
Verdict:
Malicious activity
Analysis date:
2021-04-06 08:54:46 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/ebc395b6-0a2d-4211-8344-411bdf99c409

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132623/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/667346
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/711e6d2b6ee80bd1ac945eee8aa67dfb485249f95bd0eb0357d33e302336a2fb/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-04-06 08:19:09 UTC
AV detection:
17 of 48 (35.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oepg2k3o5af5dleul3xivjt57nefespzlpiowa2x2m7daizwul5q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a
RemcosRAT
57a1ee826afb333572965abe745c06597d0111f75494c586619d6b23d9ceda10
RemcosRAT
5d20ab723dbc30184582ccec3877af8fbb8fc78f90d09fd680bf784325951ca3
RemcosRAT
6b19b6261188bd102c2139595fa66347ee5717906e85d9fa90fd20e4209a91b0
RemcosRAT
6b4cda8e0f766056eadbd9c59df82298fa4acbf7a6e526d36c4168e4f511bd8b
RemcosRAT
8feaaa6013c26ec324a6829ba084ea4c56d7dd1116e4cb11a262d32a7c5b4d40
RemcosRAT
9736f5417c474a27c98a2323894d7948a0841fb74615e1909c0fabddc1e8bc2d
RemcosRAT
e4e47b27c701e89ac6a550ab1f8ecb6058c79d9f9bca9a56ec71e3baf01dc545
RemcosRAT
f8d06c20dc2af83af29551f384bbde4e5380911d8db0f9e56ca549bb5995d413
RemcosRAT
fee06f1a31cdd93b91bf8d0a5991023b2bf6d0ed2957c3bc0f40f05609eb689b
RemcosRAT
+ 145 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210406-lqmbkzhdbn/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
www.swqrn.com:16108
Unpacked files
SH256 hash:
31ffb1d8050b158b4c432cbb831f9da9b918443b7ed3ecca7e3d7a18a531e3f9
MD5 hash:
406f0b9cc6dacbdd1b715c557b941343
SHA1 hash:
77387463c87215e20a8592430665820cbb146660
Link:
https://www.unpac.me/results/3f2b9af5-3d9d-4750-a02b-d4dce654b9eb/
SH256 hash:
711e6d2b6ee80bd1ac945eee8aa67dfb485249f95bd0eb0357d33e302336a2fb
MD5 hash:
4282a4ce32aeb21533a843df720a003d
SHA1 hash:
7af4fca537da28fae8a0bc347a313001ad66e038
Link:
https://www.unpac.me/results/3f2b9af5-3d9d-4750-a02b-d4dce654b9eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/711e6d2b6ee80bd1ac945eee8aa67dfb485249f95bd0eb0357d33e302336a2fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 315b5b3c3d8d458895f62969cc974d5bd07873e58126e2575044bdf0a308ea29

RemcosRAT

Executable exe 711e6d2b6ee80bd1ac945eee8aa67dfb485249f95bd0eb0357d33e302336a2fb

(this sample)

  
Dropped by
MD5 c284409d69e3312ab215ed121e1413f5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132623/
  
Dropped by
SHA256 315b5b3c3d8d458895f62969cc974d5bd07873e58126e2575044bdf0a308ea29

Comments