MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 798fc4066cf0b5e0c6711d32ca8d43afc7d4b99f333c184b7fd0b7d3b7eb7559. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 9 File information Comments

SHA256 hash:	798fc4066cf0b5e0c6711d32ca8d43afc7d4b99f333c184b7fd0b7d3b7eb7559
SHA3-384 hash:	7c70f6327516789811ab9a32285701d1ff8f47282559455510d1692817ef696ace312808a7d561e1a38a832be40f8654
SHA1 hash:	3a0a0cdb6ce3daaf03a7cbd20c7f9de6fed66a30
MD5 hash:	6e3bd00eb2cb80b874ec65ab83f7004d
humanhash:	yellow-diet-jersey-robin
File name:	DHL_119040 documento de recibo,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	800'032 bytes
First seen:	2021-02-08 18:49:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0f3b9aa4dc1bf9f845ef0335e50b9bfb (3 x RemcosRAT, 2 x Loki, 1 x AgentTesla)
ssdeep	6144:tFPWRHiwr74CdbpWOe00Ve7qDp83g7a203SC5ExNGWlEV23cfuF0NXOklLwpzsNL:nORH5bWOSpGya2XsVyAdEtszBArlwb7
Threatray	1'539 similar samples on MalwareBazaar
TLSH	75057BE1A3818C76E0311ABCC88752E40923BCC1B91D594F9BA4FE4F5A75388BDDD16B
Reporter	abuse_ch
Tags:	DHL exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: www.mondedutabouret.fr
Sending IP: 51.68.39.156
From: DHL Express Cargo <delivery@dhl.com>
Subject: RE: ENTREGA DE CARGA DHL
Attachment: DHL_119040 documento de recibo,pdf.iso (contains "DHL_119040 documento de recibo,pdf.exe")

RemcosRAT C2:
ongod4life.ddns.net

Intelligence

File Origin

# of uploads :

# of downloads :

161

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL_119040 documento de recibo,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-02-08 18:51:13 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/d2ffd2a3-44b7-4177-9267-59ae20bcb9af

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/116090/

Detection(s):

PUA.Win.Trojan.Generic-6629274-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Deleting a recently created file

Launching a process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/602189

Signature

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Detected Remcos RAT

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/798fc4066cf0b5e0c6711d32ca8d43afc7d4b99f333c184b7fd0b7d3b7eb7559/

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2021-02-08 18:50:10 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pgh4ibtm6c26brtrduzmvdkdv7d5jom7gm6bqs372c35hn7lovmq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

3c335659038cb7bda99cc8839385bbfebeaa9deb3f6a3702b5076460c4353a55

RemcosRAT

5178316a133ee4ce629f5b31ddc2fdb8fd6ff8a581174c0a21f41d44ebfcd88d

RemcosRAT

785790e2814af826f66cf31460fdcf7ce48513c6f451fca29fa52f101dd65b00

RemcosRAT

97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

RemcosRAT

9c03ceb1f14c39a8f156175a3a409a7a07e6134197609bcd2f087c4ea7b42670

RemcosRAT

abee232f81ca94abbdb0d1c0d236b0ee49b421b32e0a6b8812e278a248b6b46a

RemcosRAT

b8d1d962744d0c6ab3abe293c4671b3ba6524f623f9d6f02361bc60eec7b4cb4

RemcosRAT

bf0e82358921791e16998b942e600a500a967f6e5c5b034a675af7e49663a34f

RemcosRAT

f4f0c2b0fcc641a850b0aaf356f5119f7d6568be3d4b5251a6c6dec1b3e7920f

RemcosRAT

+ 1'529 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210208-fs89rh73be/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

Enumerates connected drives

Remcos

Malware Config

C2 Extraction:

ongod4life.ddns.net:4344

Unpacked files

SH256 hash:

38919c96274afe44c440fa298fc363e1217dfa355da38dd4de2ef213808870c2

MD5 hash:

c3d226b590a22cb9f1aa308748ff47dd

SHA1 hash:

64504ed945df46476fc3ac19dd42972966206e52

Link:

https://www.unpac.me/results/5fc092bb-c7c5-433f-bb1c-9ec3b4ba8a21/

SH256 hash:

798fc4066cf0b5e0c6711d32ca8d43afc7d4b99f333c184b7fd0b7d3b7eb7559

MD5 hash:

6e3bd00eb2cb80b874ec65ab83f7004d

SHA1 hash:

3a0a0cdb6ce3daaf03a7cbd20c7f9de6fed66a30

Link:

https://www.unpac.me/results/5fc092bb-c7c5-433f-bb1c-9ec3b4ba8a21/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/798fc4066cf0b5e0c6711d32ca8d43afc7d4b99f333c184b7fd0b7d3b7eb7559

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator