MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7368fa4790b1b3863155f8af30305a3195c0c6bd146673d263e3760aeec31d7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7368fa4790b1b3863155f8af30305a3195c0c6bd146673d263e3760aeec31d7f
SHA3-384 hash: 81c6a2a6199c931850fd2a0944474d30b86bf50cc3bce7716ed00b607f601524ea8a8a0e3fee8fcdd969accd762b1a81
SHA1 hash: 67b3b128d1e16f05f3da37b42d3f34d082c11524
MD5 hash: 87361b15bf5525b044e945ca3358b931
humanhash: potato-hamper-yellow-princess
File name:RE ICA 40 Sdn Bhd- Purchase Order#6769704.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:904'984 bytes
First seen:2021-02-22 07:30:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 123e9c36cc1595f744449f97bcf23cbf (6 x RemcosRAT, 1 x Loki, 1 x Formbook)
ssdeep 24576:KYUkRHVFnyXv1qhqa7ANT8QNE1C5h7bmhNM:KY9b0Uhq6hy
Threatray 83 similar samples on MalwareBazaar
TLSH F5155EB2AB5A4B22F01B113DDC4BE6F60611FC45372B59B71ED8F7474AA2780B9A4073
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vmmail02.ridsa.com.ar
Sending IP: 190.103.224.9
From: YC LEW <ktng@icadynamic.com>
Subject: RE: ICA 40 Sdn Bhd- Purchase Order#6769704
Attachment: RE ICA 40 Sdn Bhd- Purchase Order6769704.iso (contains "RE ICA 40 Sdn Bhd- Purchase Order#6769704.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLAgent07
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118244/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613797
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7368fa4790b1b3863155f8af30305a3195c0c6bd146673d263e3760aeec31d7f/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 07:19:18 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=onupur4qwgzymmkv7cxtamc2ggk4brv5crthhutd4n3av3wddv7q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0d03646fdaee92061ac0ffa4ba7c737d0ef101858b30bd7432148f7e9faf279a
RemcosRAT
20fe5347a7254b7f5d75c7fce2542b88abdb8d1939afe621544c61d35e45bdee
RemcosRAT
22ac80592400a2e2ed64392413d1bc5ecbbb09f10a811d3243c7212252f75a2c
RemcosRAT
2a344d464465069aa8739a45ecba1b6de4ef4ba4cc2b8128af5a54112c507058
RemcosRAT
350d9e0fce3c72fb6c63235194c1e9c986d38c13866e756f85c31faa95f4ef2b
RemcosRAT
71f60a985d2cc9fc47c6845a88eea4da19303a96a2ff69daae70276f70dcdae0
RemcosRAT
7372fe2e6401cdbca755f752e7e8407a8a5fbaf81ca5e692705a9819977dc447
RemcosRAT
969c356e48ffb2e13979513881838131bf9f61f5bfbe14e4314fece49d9e01ad
RemcosRAT
b6e24ae319f72f87dbf9d5e6fc2394737b938f7eb391a39c5043114458f31733
RemcosRAT
f436b8e7b214f3f56d0c62326e37653f87184760b406ab4f6eae79a5c34297b1
RemcosRAT
+ 73 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210222-5zyqwcpt72/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
marstonstyl247.ddns.net:3234
Unpacked files
SH256 hash:
0e7586027be2b00d10dcc585232de1b4fe8f23be8298dad1f3bc86475946b5c9
MD5 hash:
ee5230700e4a146fed27eab5f8d9caa6
SHA1 hash:
809225fca3c38e5cd30eb35b9b667393becfb516
Link:
https://www.unpac.me/results/3facd8e9-02db-4f90-9c3f-70dd5d2e4178/
SH256 hash:
7368fa4790b1b3863155f8af30305a3195c0c6bd146673d263e3760aeec31d7f
MD5 hash:
87361b15bf5525b044e945ca3358b931
SHA1 hash:
67b3b128d1e16f05f3da37b42d3f34d082c11524
Link:
https://www.unpac.me/results/3facd8e9-02db-4f90-9c3f-70dd5d2e4178/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 5aa49c69138bf68631747480544a19a5d4ec2a8e6d506f7e43dea5b19d8b920a

RemcosRAT

Executable exe 7368fa4790b1b3863155f8af30305a3195c0c6bd146673d263e3760aeec31d7f

(this sample)

  
Dropped by
MD5 d3b9492eee618bc924ed76ef0a2c3376
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5aa49c69138bf68631747480544a19a5d4ec2a8e6d506f7e43dea5b19d8b920a
Cape
Cape
https://www.capesandbox.com/analysis/118244/

Comments