MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 766600b98af5dcb9f9d4b9aecfe47aa4021d33afa19a77587391ed508f9c058d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 766600b98af5dcb9f9d4b9aecfe47aa4021d33afa19a77587391ed508f9c058d
SHA3-384 hash: ce0164d8d1be859bfdb9e0b1091783a36821226eed1c7dd9412b0a8eabc20aec0e7b983686a76a9a475056054e623e47
SHA1 hash: de80d3e5a4d302b0c3ec9281cb4a297b46fbb1a0
MD5 hash: 57bb02f2a7a96d0d0debf1a71661242c
humanhash: princess-south-nebraska-shade
File name:57bb02f2a7a96d0d0debf1a71661242c.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:695'296 bytes
First seen:2020-09-02 05:53:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 92de21909a80eeabad12639034e58029 (8 x MassLogger, 3 x Formbook, 2 x Loki)
ssdeep 12288:rDi43RqqJKN07vvaRfdjSGM/lBp62o53T7Q+Xu6jTSJxkJGC:r2UTYy7vQaDiTXuvHC
TLSH 74E49F22E2D04837C173163D8D1B77B8AC3AFE512A2899462BF4DD4C5F797913A39293
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/54171/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Launching cmd.exe command interpreter
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
DNS request
Setting a keyboard event handler
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/457137
Signature
Allocates memory in foreign processes
BOT functionalities found, sample is likely a BOT
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Keylogger Generic
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 280953 Sample: u51x5QFXXu.exe Startdate: 02/09/2020 Architecture: WINDOWS Score: 100 89 Malicious sample detected (through community Yara rule) 2->89 91 Multi AV Scanner detection for dropped file 2->91 93 Detected unpacking (changes PE section rights) 2->93 95 15 other signatures 2->95 12 u51x5QFXXu.exe 2->12         started        15 Windows logon sounds.exe 2->15         started        17 Windows logon sounds.exe 2->17         started        process3 signatures4 109 Detected unpacking (changes PE section rights) 12->109 111 Detected unpacking (overwrites its own PE header) 12->111 113 BOT functionalities found, sample is likely a BOT 12->113 119 6 other signatures 12->119 19 u51x5QFXXu.exe 1 5 12->19         started        115 Maps a DLL or memory area into another process 15->115 24 Windows logon sounds.exe 3 15->24         started        117 Drops executables to the windows directory (C:\Windows) and starts them 17->117 process5 dnsIp6 73 192.168.2.1 unknown unknown 19->73 69 C:\Windows\...\Windows logon sounds.exe, PE32 19->69 dropped 71 Windows logon sounds.exe:Zone.Identifier, ASCII 19->71 dropped 97 Creates an autostart registry key pointing to binary in C:\Windows 19->97 26 cmd.exe 1 19->26         started        29 cmd.exe 1 19->29         started        75 enmark80.duckdns.org 194.5.97.55, 4045, 49719 DANILENKODE Netherlands 24->75 99 Installs a global keyboard hook 24->99 31 cmd.exe 1 24->31         started        file7 signatures8 process9 signatures10 105 Uses ping.exe to sleep 26->105 33 Windows logon sounds.exe 26->33         started        36 PING.EXE 1 26->36         started        39 conhost.exe 26->39         started        107 Uses cmd line tools excessively to alter registry or file data 29->107 41 conhost.exe 29->41         started        43 reg.exe 1 29->43         started        45 conhost.exe 31->45         started        47 reg.exe 1 31->47         started        process11 dnsIp12 79 Maps a DLL or memory area into another process 33->79 49 Windows logon sounds.exe 2 1 33->49         started        77 127.0.0.1 unknown unknown 36->77 52 Windows logon sounds.exe 36->52         started        signatures13 process14 signatures15 81 Detected Remcos RAT 49->81 83 Writes to foreign memory regions 49->83 85 Allocates memory in foreign processes 49->85 87 Injects a PE file into a foreign processes 49->87 54 iexplore.exe 49->54         started        57 cmd.exe 1 49->57         started        59 SgrmBroker.exe 49->59         started        process16 signatures17 101 Maps a DLL or memory area into another process 54->101 61 iexplore.exe 54->61         started        103 Uses cmd line tools excessively to alter registry or file data 57->103 63 conhost.exe 57->63         started        65 reg.exe 1 57->65         started        process18 process19 67 WerFault.exe 23 9 61->67         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/766600b98af5dcb9f9d4b9aecfe47aa4021d33afa19a77587391ed508f9c058d/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-09-02 05:54:13 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos persistence evasion trojan
Link:
https://tria.ge/reports/200902-pd6rz915c2/
Behaviour
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
UAC bypass
Malware Config
C2 Extraction:
enmark80.duckdns.org:4045
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/766600b98af5dcb9f9d4b9aecfe47aa4021d33afa19a77587391ed508f9c058d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_remcos_g0
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 766600b98af5dcb9f9d4b9aecfe47aa4021d33afa19a77587391ed508f9c058d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/364515/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/54171/

Comments