MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f
SHA3-384 hash: 441d3c02e5228257b771b07f0edbf9b8ef3bd09450ec5a1b54cff0ee24d2fb39c12f9d56a59ec74280f5b5c4f12b0c98
SHA1 hash: c29caad4842e3fdb633277bffa6c5535584eb07b
MD5 hash: fbba14fe3c671f3762578c0a9f5b22d9
humanhash: colorado-tango-oklahoma-oxygen
File name:Imestre Citar B1018530,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:974'848 bytes
First seen:2020-10-10 07:01:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:NgO9/NdMdeFpuITJWP0xkEpej8YoCwyjzX6:NgusAFpuITLHYjbp
Threatray 1'276 similar samples on MalwareBazaar
TLSH 772528A9325072DFC867C972CA685C64EBA0BC7B831BD607901335AD9A3D997CF141F2
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: cloudhost-1457425.us-midwest-1.nxcli.net
Sending IP: 8.29.157.202
From: Battista <battista@imestre.cl>
Subject: RE: SOLICITUD URGENTE DE PRESUPUESTO -Citar B1018530
Attachment: Imestre Citar B1018530,pdf.iso (contains "Imestre Citar B1018530,pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69713/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487435
Signature
Detected Remcos RAT
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296161 Sample: Imestre Citar B1018530,pdf.exe Startdate: 10/10/2020 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for dropped file 2->41 43 Sigma detected: Scheduled temp file as task from temp location 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 8 other signatures 2->47 7 Imestre Citar B1018530,pdf.exe 1 7 2->7         started        process3 file4 33 C:\Users\user\AppData\Roaming\siDShJ.exe, PE32 7->33 dropped 35 C:\Users\user\...\siDShJ.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp3DB9.tmp, XML 7->37 dropped 39 C:\...\Imestre Citar B1018530,pdf.exe.log, ASCII 7->39 dropped 49 Disables Windows Defender (via service or powershell) 7->49 51 Injects a PE file into a foreign processes 7->51 11 powershell.exe 25 7->11         started        13 powershell.exe 21 7->13         started        15 powershell.exe 7->15         started        17 12 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 17->29         started        31 9 other processes 17->31
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-10-10 00:59:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=onv5pme2uhuyp3nmmsdizshf3mgynzyjmuxalchcai6qklz556hq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
26cfb1b24425c97fc4588631b23ca93def5d84efb2300d81bdbbb48443207292
RemcosRAT
485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87
RemcosRAT
6c882aeb918e424cefe1068a6d3fbff5526c31e185716bf3a0d5ae0295772f09
RemcosRAT
7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2
RemcosRAT
83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4
RemcosRAT
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
RemcosRAT
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
RemcosRAT
deeeb57609c406b43e7e77a38726a357ab063d110c06e4f1c56eb491c20659ce
RemcosRAT
e39c2e98071d4440d02e6d1aa86111536d6d01554489bd71f890455c05e424d3
RemcosRAT
eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2
RemcosRAT
+ 1'266 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
evasion trojan rat family:remcos
Link:
https://tria.ge/reports/201010-wpp86cw5h6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Windows security modification
Modifies Windows Defender Real-time Protection settings
Remcos
Malware Config
C2 Extraction:
incidencias6645.ddns.net:8638
Unpacked files
SH256 hash:
736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f
MD5 hash:
fbba14fe3c671f3762578c0a9f5b22d9
SHA1 hash:
c29caad4842e3fdb633277bffa6c5535584eb07b
Link:
https://www.unpac.me/results/66a5889f-eca8-43ec-b984-20e22f72e402/
SH256 hash:
43067e1c1a46778a2abd479985a19f39920977062a74bd9d268bb14d1bab5b7a
MD5 hash:
7835eff148878bd441eaf565e60d94cf
SHA1 hash:
1a19e391e4ccd976b19b41d2aaf7f808b0a1c112
Link:
https://www.unpac.me/results/66a5889f-eca8-43ec-b984-20e22f72e402/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/66a5889f-eca8-43ec-b984-20e22f72e402/
SH256 hash:
38404b2f029a7531c15ca9d39785860602a8095481039c935a2542503ed82cc8
MD5 hash:
c55985a33afb04017b468c33f132df73
SHA1 hash:
4503d624e6fcc143de4adf87fd60f31dc5a70d39
Link:
https://www.unpac.me/results/66a5889f-eca8-43ec-b984-20e22f72e402/
SH256 hash:
bcae4c5ca1ad436f05f6d52fbd3ffb22aeea32492b4dd378bd715869d81622fa
MD5 hash:
c81a2fbd4541f3ede628bcffa0c0d379
SHA1 hash:
ccbe2d29399246fea9c29cd62efda8277749fe58
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/66a5889f-eca8-43ec-b984-20e22f72e402/
Parent samples :
d18e31c42d64a21777bb04a3b0015d415050a6303ae3d864f129ecb50f0f87bb
736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f
857ad0bf941ee434d96692477bec16c72571ce266091ba4bcc6952f409aff198
0f0f600613b5b1d1e9d80c6229d2ec639d4477d107fa080a5f58d3f61997bceb
18beca395ea8cfba85e8fb26a3adc366bf7c047088c2fe16b4ed587cecd6e57f
7a6f6659840dc30d797d816e1b2bbeb847c36c2e330fe45369b9037a113e8bc6
a0e87c60c05c9b9a184ad81e279fabb2e997ab1d79cba0248548d846ecab8510
94f225b0d4018228ee1c69317cd8f369f3c343378145e41cdf939d4dd30b988d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 0301402ebc5b5ea1e87654237b05996eb9595113231dc6f3273a1786a0b86f76

RemcosRAT

Executable exe 736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f

(this sample)

  
Dropped by
MD5 e3ed2ec5350cc0bb2e26600b20b9ce60
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69713/
  
Dropped by
SHA256 0301402ebc5b5ea1e87654237b05996eb9595113231dc6f3273a1786a0b86f76

Comments