MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 738ea925d9f26dc03c18efd41de5e310285a36eef0147e7767a25dcf3fb1b24d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	738ea925d9f26dc03c18efd41de5e310285a36eef0147e7767a25dcf3fb1b24d
SHA3-384 hash:	cfb6a790f738b2ef810e663414ec2a13e9f38d70b933fa5e100489b58e076b262c8d7ed23b2b41cd2201347826f57dc1
SHA1 hash:	8b4e9c604c5597c660133da71e23cc1cd81bbe44
MD5 hash:	6c4bb3b95606b439e5e2fb3414c63b70
humanhash:	winter-berlin-five-chicken
File name:	scanned order 1.scr
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	675'840 bytes
First seen:	2020-08-11 11:48:57 UTC
Last seen:	2020-08-11 13:19:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	df85ac537d57e3a7e2b1ddaa5fca9ad3 (3 x AgentTesla, 2 x Formbook, 2 x HawkEye)
ssdeep	12288:bV5mZ52HqKRoIYXSi8yrxEMPqdee+OLg8QeUhAgYD:B8ZqbfksrD6h6
Threatray	1'206 similar samples on MalwareBazaar
TLSH	DCE49E6EE1D048B7C11326795D6B5B3867277E201B74244A2AE57DCC5B372C33C2B98B
Reporter	abuse_ch
Tags:	RAT RemcosRAT scr

abuse_ch

Malspam distributing RemcosRAT:

HELO: vepo.donoralpha.com
Sending IP: 111.118.214.86
From: sales <sales@rhmsafety.com>
Subject: RFQ 20202792 RHM Safety Co
Attachment: scanned order 1.cab (contains "scanned order 1.scr")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/43312/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Connection attempt

Sending a UDP request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Setting a global event handler for the keyboard

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/418667

Signature

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates files in alternative data streams (ADS)

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops VBS files to the startup folder

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Queues an APC in another process (thread injection)

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Writes to foreign memory regions

Yara detected Keylogger Generic

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/738ea925d9f26dc03c18efd41de5e310285a36eef0147e7767a25dcf3fb1b24d/

Threat name:

Win32.Backdoor.Androm

Status:

Malicious

First seen:

2020-08-11 11:50:11 UTC

AV detection:

21 of 48 (43.75%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oohksjoz6jw4apay57kb3zpdcaufunxo6akh453hujo46p5rwjgq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

18aae95253ffa453609ef3e1150cf9c2b167a1b1c59ae1270e279f8d5e070c27

RemcosRAT

3b13ea61e91a0312f8c187096e435168cee2d2277c46373d01899497345bd0e9

RemcosRAT

667d35d2cff2979ca84df0afe1eca6c164e1d919b989e16b97166c7a30c77a87

RemcosRAT

93c327b46d6354a91a9b20311a2f1e1873e132765816ec26443eb1971ccd2946

RemcosRAT

b8a03fd14b3a3695af8b6c781eb946214a98986279678c6b2a477f22ba1ac3cf

RemcosRAT

c0a656a2f73c254ed2f1e73630083849890b7c1e36161e89fe29d2fd014f9fff

RemcosRAT

de45e137eeda4de58d4840e499559e36ee01256b6180e87249ec035525db6b9c

RemcosRAT

eee72be9b19c5e0fa5fd1b5404798a7ccd5b73830249562f9465583004980a18

RemcosRAT

f9441d3651d67748ec1a2fd325ea1aa9d914208c7fae0853e5b769e52e66ccb8

RemcosRAT

+ 1'196 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

rat family:remcos

Link:

https://tria.ge/reports/200811-2gr2zva2ms/

Behaviour

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops startup file

Loads dropped DLL

Executes dropped EXE

Remcos

Malware Config

C2 Extraction:

172.111.200.225:8069

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/738ea925d9f26dc03c18efd41de5e310285a36eef0147e7767a25dcf3fb1b24d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator