MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74b843d9cabf046a044581d20033d93eecf9d8ea590ce9557569e40d990e6241. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74b843d9cabf046a044581d20033d93eecf9d8ea590ce9557569e40d990e6241
SHA3-384 hash: b429cf1b390997190f73327cc32d7da9f89a2bbaa65409e9347a72cdfd95d8c908907198fa5d7c0618ce6d8b9498a645
SHA1 hash: aae885d7c1bee68a2a2bc9ca0c0ccbc2ef62a9c2
MD5 hash: 4ea0bba151e27b565c32e04c5f2de2b4
humanhash: fourteen-single-solar-failed
File name:C.B.M PURCHASE ORDER_161020,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:646'808 bytes
First seen:2020-10-16 17:57:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash af00c2cd3e1abe86ddbb239e27958d26 (6 x ModiLoader, 3 x RemcosRAT, 1 x Formbook)
ssdeep 12288:BEu6Ai+3QzSx++O8AySJxv/EJIy3m8A71UzFvCM2T4F1smtv1mHRm4DhKte1NDG9:F6pexT1YJS8xZzet0mzNr91
Threatray 1'080 similar samples on MalwareBazaar
TLSH 0ED48E62F2D1D837C373253D8C1B96B498257D9D2F2568763AE83D8C6F397823429293
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: plesk1.enpatagonia.net
Sending IP: 209.126.124.211
From: C.B.M. S.r.l. <sales1@cbm-srl.com>
Subject: C.B.M. PO_101620
Attachment: C.B.M PURCHASE ORDER_161020,pdf.iso (contains "C.B.M PURCHASE ORDER_161020,pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72239/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494099
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299503 Sample: C.B.M PURCHASE ORDER_161020... Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 42 storyofpadi.ddns.net 2->42 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Detected Remcos RAT 2->52 54 9 other signatures 2->54 9 C.B.M PURCHASE ORDER_161020,pdf.exe 1 15 2->9         started        14 Bqswdrv.exe 13 2->14         started        16 Bqswdrv.exe 13 2->16         started        signatures3 process4 dnsIp5 46 cdn.discordapp.com 162.159.134.233, 443, 49732, 49751 CLOUDFLARENETUS United States 9->46 40 C:\Users\user\AppData\Local\...\Bqswdrv.exe, PE32 9->40 dropped 56 Writes to foreign memory regions 9->56 58 Allocates memory in foreign processes 9->58 60 Creates a thread in another existing process (thread injection) 9->60 18 notepad.exe 4 9->18         started        21 ieinstal.exe 2 9->21         started        62 Multi AV Scanner detection for dropped file 14->62 64 Injects a PE file into a foreign processes 14->64 24 ieinstal.exe 14->24         started        26 ieinstal.exe 16->26         started        file6 signatures7 process8 dnsIp9 38 C:\Users\Public38atso.bat, ASCII 18->38 dropped 28 cmd.exe 1 18->28         started        30 cmd.exe 1 18->30         started        44 storyofpadi.ddns.net 79.134.225.69, 2130, 49744, 49746 FINK-TELECOM-SERVICESCH Switzerland 21->44 file10 process11 process12 32 conhost.exe 28->32         started        34 reg.exe 1 1 28->34         started        36 conhost.exe 30->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74b843d9cabf046a044581d20033d93eecf9d8ea590ce9557569e40d990e6241/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 08:55:30 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=os4ehwokx4cgubcfqhjaam6zh3wptwhklegosvlvnhsa3giomjaq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
46ff7f6619eda7e3b2c5b36a2d3f21b154749d31ae2695c4d23c992361ce1f58
RemcosRAT
5b1f1843bbb992e3d5c635aa69d8409de4ae4d3f04cf19994d8e953e99cf451a
RemcosRAT
835109646cd221028859f7d4c7de74be962091d60840952ca85053e396fdc593
RemcosRAT
9b60c965a1425ff01954ce6a917cb4486d5af5cb36f538233139042ea324a64e
RemcosRAT
bccbf79de04b74827c578202ea728005a26780ac80ac64914374dbc5df2c6916
RemcosRAT
bd86ba6f082dfd404bc2f3544f5b39ce04084742b334ab00a80f0c12c94daa46
RemcosRAT
dd4198b0a2a1c500bed498963e966d3476b778e1b917434847abb81c987fba55
RemcosRAT
e7def582e6c764fb35cad598da8b83da969897d37241402df8c8bac2b870432f
RemcosRAT
e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0
RemcosRAT
e9bc7c1d038965bb247e69816fbcad2444766abd7082eade34eea3c641025f94
RemcosRAT
+ 1'070 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201016-e86aweelnj/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
74b843d9cabf046a044581d20033d93eecf9d8ea590ce9557569e40d990e6241
MD5 hash:
4ea0bba151e27b565c32e04c5f2de2b4
SHA1 hash:
aae885d7c1bee68a2a2bc9ca0c0ccbc2ef62a9c2
Link:
https://www.unpac.me/results/80082aa3-3dad-4eb4-9ca1-677ca21dac9f/
SH256 hash:
8769868a2fba9185fb94de3d34933a6682536e37ee3fc200ef4212db30cd706e
MD5 hash:
5e00987f5e49b122f7fa9775adbe0044
SHA1 hash:
abdc002b8eab961430720040a74a0fd010ce9374
Link:
https://www.unpac.me/results/80082aa3-3dad-4eb4-9ca1-677ca21dac9f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/74b843d9cabf046a044581d20033d93eecf9d8ea590ce9557569e40d990e6241

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso f1a2235db22753815a1875640345f75b81b26549f728333960b94ed9c09abe64

RemcosRAT

Executable exe 74b843d9cabf046a044581d20033d93eecf9d8ea590ce9557569e40d990e6241

(this sample)

  
Dropped by
MD5 8161b9bb63474c0df56de796a14954a7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72239/
  
Dropped by
SHA256 f1a2235db22753815a1875640345f75b81b26549f728333960b94ed9c09abe64

Comments