MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a6f6659840dc30d797d816e1b2bbeb847c36c2e330fe45369b9037a113e8bc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	7a6f6659840dc30d797d816e1b2bbeb847c36c2e330fe45369b9037a113e8bc6
SHA3-384 hash:	79cc05c960c7ab2369e342e6420c05fdb6d6fe94b4f6bfb7a9b27ba04ee4937673d9303021ae80a64f59734db8f509c1
SHA1 hash:	f25f5bdbb831fa99d636235bfc7bb398a8744dfb
MD5 hash:	000729ee21ab4655b1a7ea7c772ca042
humanhash:	july-texas-fourteen-snake
File name:	20NS10-A-R 20-9-7,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	520'192 bytes
First seen:	2020-10-21 10:44:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:RzM09IhrDROZeXkYdXyZRbLKVrLcFi+j7vkl4yo9NDFSZY:5M09WrIeXIZ1YcFiW7vklK3
Threatray	920 similar samples on MalwareBazaar
TLSH	4DB4DF98AA449A51EC2E47782072D9300373FD68A972F74DBECA3CBB3EB77518505247
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: llsk284-a17.servidoresdns.net
Sending IP: 82.223.190.42
From: "Konstantinidis Michalis"<jgenaro@pernoscorona.net>
Subject: PO 14704 - MEL - 20' TC Reefer / Sailing Schedule
Attachment: 20NS10-A-R 20-9-7,pdf.zip (contains "20NS10-A-R 20-9-7,pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Parallax

Link:

https://www.capesandbox.com/analysis/74091/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a process with a hidden window

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/505702

Signature

.NET source code contains potential unpacker

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Detected Remcos RAT

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7a6f6659840dc30d797d816e1b2bbeb847c36c2e330fe45369b9037a113e8bc6/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2020-10-21 10:37:37 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pjxwmwmebxbq26l5qfxbwk56xbd4g3bogmh6iu3jxebxuej6rpda._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

3e306d7047d78c4f7381e51c0fa80b840e5fa76b14393195faea2791166671b5

RemcosRAT

3f1d00cc832bad31567399df69c06c23dbdc989e18178efc599ca6574d190e34

RemcosRAT

485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87

RemcosRAT

65228df6e85371a2b4b1e5340f11e36cdc94f8b39bda216c0ed143eaac36912b

RemcosRAT

699d6b825f4e477e4d9890f7c5d69ef6d157836a680e1427ebbedc6084a5ce9b

RemcosRAT

6d8bc551e62f2ce010d9f9ef86ac15d9c86138729ff7d26beb3ef8b6b1fc6aed

RemcosRAT

736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f

RemcosRAT

b530ffc8af72cb51943f2fb8f38bc778c4544f57b61de593960dd4a97327ca64

RemcosRAT

ca60958a09d1cd5817504857d90b846a9ce6f6ee1bed7686318b3741108b709c

RemcosRAT

+ 910 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

rat family:remcos

Link:

https://tria.ge/reports/201021-dlsctjrqk2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

incidencias6645.ddns.net:8638

Unpacked files

SH256 hash:

ede33536d0e9222707a1f7f58a249a52bf40bc98dbceae5d3fca2f958ea70494

MD5 hash:

212c644e6e810bd2e721f4bef25eef9a

SHA1 hash:

81711c31ec21d10fa059f3d85a458e49d4b96299

Link:

https://www.unpac.me/results/35f404d4-9975-4898-856c-c019e47279fa/

SH256 hash:

b7d8312479b7ec6b79c1eacd8a530cd405fdcae128fd5abc70381c01eee799e1

MD5 hash:

9d4c34dfef29498513ca874b8c9d4e1d

SHA1 hash:

c3e96a564cde4833f7fc71e10bc507b825b081e0

Link:

https://www.unpac.me/results/35f404d4-9975-4898-856c-c019e47279fa/

SH256 hash:

bcae4c5ca1ad436f05f6d52fbd3ffb22aeea32492b4dd378bd715869d81622fa

MD5 hash:

c81a2fbd4541f3ede628bcffa0c0d379

SHA1 hash:

ccbe2d29399246fea9c29cd62efda8277749fe58

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/35f404d4-9975-4898-856c-c019e47279fa/

Parent samples :

d18e31c42d64a21777bb04a3b0015d415050a6303ae3d864f129ecb50f0f87bb
736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f
857ad0bf941ee434d96692477bec16c72571ce266091ba4bcc6952f409aff198
0f0f600613b5b1d1e9d80c6229d2ec639d4477d107fa080a5f58d3f61997bceb
18beca395ea8cfba85e8fb26a3adc366bf7c047088c2fe16b4ed587cecd6e57f
7a6f6659840dc30d797d816e1b2bbeb847c36c2e330fe45369b9037a113e8bc6
a0e87c60c05c9b9a184ad81e279fabb2e997ab1d79cba0248548d846ecab8510
94f225b0d4018228ee1c69317cd8f369f3c343378145e41cdf939d4dd30b988d

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/35f404d4-9975-4898-856c-c019e47279fa/

SH256 hash:

7a6f6659840dc30d797d816e1b2bbeb847c36c2e330fe45369b9037a113e8bc6

MD5 hash:

000729ee21ab4655b1a7ea7c772ca042

SHA1 hash:

f25f5bdbb831fa99d636235bfc7bb398a8744dfb

Link:

https://www.unpac.me/results/35f404d4-9975-4898-856c-c019e47279fa/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator