MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7aa3e6c93ac645c2b56f93eb9fe7de45a7fb9958d491190eb6d06198a65e6ca7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7aa3e6c93ac645c2b56f93eb9fe7de45a7fb9958d491190eb6d06198a65e6ca7
SHA3-384 hash: 9e4f072c001ca797a3952ef1779cc079b8e594a160022829e51efb0d0f9d5765066a747e0d324387ce1b06fdb3d5ce9a
SHA1 hash: a439db1e068f029cc6b4e4aa177a325e4354a852
MD5 hash: 9fded068bc9d316a09571d53e934b3f2
humanhash: mississippi-failed-south-paris
File name:Neue Bestellung WJO-001,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:849'920 bytes
First seen:2021-10-04 07:00:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8276363bcf2f383c8cd04fac30801161 (10 x RemcosRAT, 2 x NetWire, 1 x Formbook)
ssdeep 12288:0w6jlNSq3W9F1Sa+tiDWIyNiYAycjL7YiEFXXXB:Naeq3gF1Sf+WIytAyAdSXXXB
Threatray 1'179 similar samples on MalwareBazaar
TLSH T10305182262405769F1173333EC13499A57E6283C2E10AB36E6E15F5B472F784AED887F
File icon (PE):PE icon
dhash icon 1432694969516806 (10 x RemcosRAT, 2 x NetWire, 1 x Formbook)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
194.147.140.21:4336

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.147.140.21:4336 https://threatfox.abuse.ch/ioc/230079/

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Neue Bestellung WJO-001,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-10-04 07:03:06 UTC
Tags:
installer trojan rat remcos
Link:
https://app.any.run/tasks/c9b69d53-4722-442b-a3e2-92359c207e25

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194444/
Detection(s):
Win.Trojan.Remcos-9897068-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/615c2fd2b95458900cdc642e/reports/d35218c9-e01e-4899-af7a-8e6677e4978d/overview
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ae5a8fc-0032-4315-bac2-b4ef71107459
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863681
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 496109 Sample: Neue Bestellung WJO-001,pdf.exe Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 5 other signatures 2->65 8 Neue Bestellung WJO-001,pdf.exe 1 23 2->8         started        13 Veycxhq.exe 14 2->13         started        15 Veycxhq.exe 17 2->15         started        process3 dnsIp4 45 sn-files.fe.1drv.com 8->45 47 onedrive.live.com 8->47 49 mopcea.sn.files.1drv.com 8->49 41 C:\Users\Public\Libraries\...\Veycxhq.exe, PE32 8->41 dropped 75 Writes to foreign memory regions 8->75 77 Creates a thread in another existing process (thread injection) 8->77 79 Injects a PE file into a foreign processes 8->79 17 DpiScaling.exe 2 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        51 sn-files.fe.1drv.com 13->51 55 2 other IPs or domains 13->55 81 Multi AV Scanner detection for dropped file 13->81 25 secinit.exe 13->25         started        53 sn-files.fe.1drv.com 15->53 57 2 other IPs or domains 15->57 27 logagent.exe 15->27         started        file5 signatures6 process7 dnsIp8 43 ongod4life.ddns.net 194.147.140.21, 4336, 49755 PTPEU unknown 17->43 67 Contains functionality to steal Chrome passwords or cookies 17->67 69 Contains functionality to inject code into remote processes 17->69 71 Contains functionality to steal Firefox passwords or cookies 17->71 29 reg.exe 1 21->29         started        31 conhost.exe 21->31         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        73 Delayed program exit found 25->73 signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7aa3e6c93ac645c2b56f93eb9fe7de45a7fb9958d491190eb6d06198a65e6ca7/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pkr6nsj2yzc4fnlpspvz7z66iwt7xgky2sirsdvw2bqzrjs6nstq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
026668d9855f0c4aac1cb86f163e6e28569a5a4d53d0bde93ac9880a90a8225c
RemcosRAT
13e6341cacb27fdd36b2ce19395dbb02947f0c917b6fd10447f1d6381d51b7d4
RemcosRAT
2eb44403d1de2a792569f63907f746809e3d4e35fccf689c2e637f77df79254c
RemcosRAT
7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30
RemcosRAT
91e8ea3e431c0ad9faf6dfe01eb29e4834940054379deb8b657d9cbe23e91682
RemcosRAT
a737c6bf1fe3e63d6d187d114d887c6c1e722579fc9caab72ce4451564e165f6
RemcosRAT
b56242ce9875402fca36f6d831072462bcf7b0996c2a98d048455459485ade1d
RemcosRAT
b67741cbd39464c7526c9cda83175c342aaba91fb990dd96d60083d028f00228
RemcosRAT
e6930000e13aa3deafe16f78fcfca8e6276e18ba6a252b8045dfaf570f044328
RemcosRAT
+ 1'169 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:zion persistence rat
Link:
https://tria.ge/reports/211004-hs7x9sfhe9/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
ongod4life.ddns.net:4336
Unpacked files
SH256 hash:
f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703
MD5 hash:
6cfdeebc3c72279486ddd229eb14b009
SHA1 hash:
e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7
Link:
https://www.unpac.me/results/78ae5f00-19da-4032-ab6a-d95dc9287374/
SH256 hash:
8144a740794173e69bac7e10d6533b8134ee74070e7d26c8bdb52d119bfa5089
MD5 hash:
9668cb1bb46ec006fdf56530c08e20ba
SHA1 hash:
541a3b3e773cf97de6d1a4340375d4db9f224643
Link:
https://www.unpac.me/results/78ae5f00-19da-4032-ab6a-d95dc9287374/
SH256 hash:
7aa3e6c93ac645c2b56f93eb9fe7de45a7fb9958d491190eb6d06198a65e6ca7
MD5 hash:
9fded068bc9d316a09571d53e934b3f2
SHA1 hash:
a439db1e068f029cc6b4e4aa177a325e4354a852
Link:
https://www.unpac.me/results/78ae5f00-19da-4032-ab6a-d95dc9287374/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7aa3e6c93ac6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7aa3e6c93ac645c2b56f93eb9fe7de45a7fb9958d491190eb6d06198a65e6ca7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194444/

Comments