MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2
SHA3-384 hash: 2a8f139279c45c877e8c2bb06099351b7541be8194927313382a126d289b37cd00b959891688401ffaed588547c37f1a
SHA1 hash: ebfe02f4a4294c3c3bcc3f2dbd5b864b0cd6f66f
MD5 hash: 0f0e78aea36308fc45fbdb53b06f76bf
humanhash: high-may-missouri-failed
File name:0f0e78aea36308fc45fbdb53b06f76bf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'067'176 bytes
First seen:2020-07-21 09:58:54 UTC
Last seen:2020-07-21 11:24:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5e381c455fbb563ca5f2237e8dff94bd (4 x RemcosRAT, 2 x Formbook, 1 x NetWire)
ssdeep 24576:f0vtfbdNzTnlj/jllmyXVybwEIVKGfHNBJV2jjFP0M7:f0v9f/VxEIVRfHfJV2nFP0M
Threatray 948 similar samples on MalwareBazaar
TLSH 3735AF23F2A08D32D1331538DC535ABC9A6EBF153625984D6AE6DF0C8F3918179393A7
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2s:
myfrontmanny.ddns.net:3949 (185.165.153.90)
myfrontmanny.duckdns.org:3949 (185.165.153.90)
myfrontmanny.ddnsfree.com:3949 (185.165.153.90)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-AT2
country: AT
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-14T13:31:45Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30036/
Detection(s):
SecuriteInfo.com.generic.ml.26004.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending an HTTP GET request
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/392986
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 248859 Sample: 6Bp5ZarB1P.exe Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for domain / URL 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 10 other signatures 2->46 7 6Bp5ZarB1P.exe 1 3 2->7         started        12 mshta.exe 19 2->12         started        14 mshta.exe 19 2->14         started        process3 dnsIp4 38 speedfinance-cloud.gleeze.com 185.241.194.58, 49723, 49727, 49729 NETALISFR Russian Federation 7->38 28 C:\Users\user\AppData\Local\...\rmihfck.exe, PE32 7->28 dropped 58 Writes to foreign memory regions 7->58 60 Allocates memory in foreign processes 7->60 62 Injects a PE file into a foreign processes 7->62 16 ieinstal.exe 2 3 7->16         started        19 rmihfck.exe 12->19         started        22 rmihfck.exe 14->22         started        file5 signatures6 process7 dnsIp8 30 myfrontmanny.duckdns.org 194.5.97.28, 3949, 49725 DANILENKODE Netherlands 16->30 32 myfrontmanny.ddns.net 16->32 34 speedfinance-cloud.gleeze.com 19->34 48 Writes to foreign memory regions 19->48 50 Allocates memory in foreign processes 19->50 52 Injects a PE file into a foreign processes 19->52 24 ieinstal.exe 19->24         started        36 speedfinance-cloud.gleeze.com 22->36 54 Multi AV Scanner detection for dropped file 22->54 56 Machine Learning detection for dropped file 22->56 26 ieinstal.exe 22->26         started        signatures9 process10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 10:00:08 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4qnvdoweoqaqeuhb363oxbpevyuc5mz5p5lz72i2k6zltict2ra._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1c517ddebb6f5893d52918c51a70e56f68b50dd65e0460a673cce3625a0f8a2b
RemcosRAT
929aed244ea7ad68ca44b6274a388dcc772b9d4bc6f4e2cb4370555ecc292c80
RemcosRAT
96359e31d13a327a3d1de808c5420193be3691628da4f409d8d5ed14be35b038
RemcosRAT
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
RemcosRAT
b1e43124a401714ce72691a059cfaf3182e0e63986ab8e165d8333bf11540568
RemcosRAT
bf9e953c433f1108878018fba685844d8cd89171a40b9387386e4dc89c1ca981
RemcosRAT
c2109f44d6d608cb821ea28489e75dbf7c7c18731918f8171bab7445db6e8599
RemcosRAT
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
RemcosRAT
d5b1dfa52d7b7e4a025f3c2c9084005e6e41eb48b81711ae58ab1b641ef99e64
RemcosRAT
f158368c489837c721cb01f7bf86f18536f9948f35f2ced67827d638b8253f16
RemcosRAT
+ 938 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200721-3ejxgh8kcn/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Script User-Agent
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/30036/
  
URLhaus
https://urlhaus.abuse.ch/url/415178/
  
Delivery method
Distributed via web download

Comments