MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a86f1fa947ada93a5a8ecf5824ce2034152e50ba8b53fe6904fd10c62e88adf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a86f1fa947ada93a5a8ecf5824ce2034152e50ba8b53fe6904fd10c62e88adf
SHA3-384 hash: 4d83f9bd1a241644baff15c9fea11531876c9265f8ea3fd1ed523df4a8a2ca2d905731facc5886e156bf0c74e61036fa
SHA1 hash: ec693bef9defc06a63aa7c70d3563aca15d3141b
MD5 hash: de211a8850e87b2ca5d92c4ff7611100
humanhash: friend-eight-echo-texas
File name:IMAGE_DOCUMENTS_SCAN02904948.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:258'432 bytes
First seen:2020-10-09 06:34:19 UTC
Last seen:2020-10-09 08:02:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:4IWKiMtJXTqJ1GEIiA2Xs3XXkt7D5B7BKBrBrBrBbq:7TLTqJ1fAWWXqPV
Threatray 826 similar samples on MalwareBazaar
TLSH A2449D30E3C6DD79EE39CA364A0B5A53A3F0B3272271E67D88D245D799213A4134AF60
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: temmermarble.com
Sending IP: 185.29.10.101
From: MURAT ERGÜN <m.ergun@temmermarble.com>
Subject: Quotation for MARBLE SLABS
Attachment: IMAGE_DOCUMENTS_SCAN02904948.Z (contains "IMAGE_DOCUMENTS_SCAN02904948.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69458/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486384
Signature
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Contains functionality to capture and log keystrokes
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Country aware sample found (crashes after keyboard check)
Detected Remcos RAT
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a86f1fa947ada93a5a8ecf5824ce2034152e50ba8b53fe6904fd10c62e88adf/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 11:54:17 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pkdpd6uuplnjhjni5t2yethcanavfzilvc2t7zuqj7iqyyxirlpq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
13eaaf168207a5014c105532b6a23805fc6db28f73908914a4583979173cc254
RemcosRAT
2f07a5d8c1e6ac465e5d306b0fb8335aa41f3204b9bf9793337a849a93921a9a
RemcosRAT
314d26bc5fe146f5040c40b8c5b889e6e90cb0b22ec694564c1182d49c3bf950
RemcosRAT
397545efcbf53bebabdb003bbe9f8b619b7ffdd5383c21ecd9e99c6de3e3cd83
RemcosRAT
3bdfaf82d5d56f2546be44b3355f8d72cc0508984586e0fba3d704a5adabf7d1
RemcosRAT
64ba0f4265f9ed3f3f9315ee0256b360827074d5f898a7eb07ed98dd5f7fec7e
RemcosRAT
970ffc480d61b37737f34ddf738e257a99162cce8338f7c59fdd4ab995ae9dfc
RemcosRAT
b3ae13e392ebe3eec95949395786577344472af7588ed1db4577c597a417e8a4
RemcosRAT
c8c1e04edd5c422d065e27a3a73931d373de200419cd9ba649fdfadee686e5f2
RemcosRAT
d69aa1932b2e702e5065ee19da9fc9cf2b05e7dbaa617141b14eaa501a14955e
RemcosRAT
+ 816 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos
Link:
https://tria.ge/reports/201009-hv9lwfhtca/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
www.kesaihk.com:2556
Unpacked files
SH256 hash:
5bac9fa6acbbe14a4635a0f820e7cd24053385073c961f5729c16b208d7f07c7
MD5 hash:
9c6b22984862281d1402c5da2d87ff5a
SHA1 hash:
5296a8515f5da11d4891a503f11504ed6dae6b15
Link:
https://www.unpac.me/results/2c5192ff-73b5-4722-9949-51719a780084/
SH256 hash:
7a86f1fa947ada93a5a8ecf5824ce2034152e50ba8b53fe6904fd10c62e88adf
MD5 hash:
de211a8850e87b2ca5d92c4ff7611100
SHA1 hash:
ec693bef9defc06a63aa7c70d3563aca15d3141b
Link:
https://www.unpac.me/results/2c5192ff-73b5-4722-9949-51719a780084/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a86f1fa947ada93a5a8ecf5824ce2034152e50ba8b53fe6904fd10c62e88adf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip dd27aca89a29054b26fd0e55757bfad27820e29866d94f1229a635f9b0c9fdb2

RemcosRAT

Executable exe 7a86f1fa947ada93a5a8ecf5824ce2034152e50ba8b53fe6904fd10c62e88adf

(this sample)

  
Dropped by
MD5 b028233f8f93434c12dd31f63de3e65c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69458/
  
Dropped by
SHA256 dd27aca89a29054b26fd0e55757bfad27820e29866d94f1229a635f9b0c9fdb2

Comments