MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30
SHA3-384 hash:	26e955eef2dd8ea762ecd6689abbc3013131c087acec5b63236ef844043efb4a7f308e0d0acafbf31b8d74741f43105d
SHA1 hash:	f3a9abcfa08f16d34f09800a5df4ba5f794fcbd9
MD5 hash:	75f7dc6f6b46ef8f379000e8b6905529
humanhash:	fillet-washington-nebraska-zebra
File name:	Nuevo pedido _WJO-001,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	760'320 bytes
First seen:	2021-08-25 18:01:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5a802a354982a97544e495df27ee8291 (3 x RemcosRAT)
ssdeep	12288:vFtHRwMpWIIyKj9X1WxQ3jC0CJVYT+R0ws8Y7X2ujF5JjFWVJq2O:vFtxwR9uwvQYYdsW+TJ581O
Threatray	484 similar samples on MalwareBazaar
TLSH	T1C5F47C23B7E25E39C5B3253D6C07B771CC3E7D1569326E8657A02E486E3478038662BB
dhash icon	f8e88ea482a8a888 (8 x RemcosRAT, 1 x AveMariaRAT, 1 x Formbook)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Nuevo pedido _WJO-001,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-08-25 18:02:10 UTC

Tags:

installer rat remcos

Link:

https://app.any.run/tasks/17a53f8e-6b2c-429c-985e-3b3dce907194

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/182379/

Detection(s):

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Deleting a recently created file

Launching a process

Running batch commands

Creating a process with a hidden window

Launching cmd.exe command interpreter

Connection attempt to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Unauthorized injection to a system process

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3f51a7fa-fbc9-4f59-b681-a6c9a735e5bf

Result

Threat name:

Unknown

Detection:

suspicious

Classification:

n/a

Score:

22 / 100

Link:

https://www.joesandbox.com/analysis/839270

Signature

Machine Learning detection for sample

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30/

Threat name:

Win32.Trojan.Diple

Status:

Malicious

First seen:

2021-08-25 18:02:06 UTC

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p23hpqofyygtjwuqzkzlj2qbtriawxb5w2lezqkijhn6f6pv7iya._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136

RemcosRAT

864081d9870b1b81cb2c750b630a828b191f7c664790c54115a8033351f50ea1

RemcosRAT

af8ee88bf85615f2c305ce230560485be949dbb7355640e0498bf93f154df714

RemcosRAT

b9384216a5aea20cd398e51c6549bb84d6b252f3fde114010e3cc0c60b1e2b13

RemcosRAT

e6930000e13aa3deafe16f78fcfca8e6276e18ba6a252b8045dfaf570f044328

RemcosRAT

+ 474 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:aa persistence rat

Link:

https://tria.ge/reports/210825-cc5ynzs3z6/

Behaviour

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

typejimbo.ddns.net:2444

Unpacked files

SH256 hash:

4e1202f3e7e04b0b3ca1df164bf5381f24063c142317e774d4e5d88b2b3ac744

MD5 hash:

aa23dee2c34813d67fe9c67ec784782a

SHA1 hash:

10b2e7af7cb9d6f852e6d607875a8c9613538930

Link:

https://www.unpac.me/results/ac2892e6-f677-403e-a0b5-858502fa9c5a/

SH256 hash:

7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30

MD5 hash:

75f7dc6f6b46ef8f379000e8b6905529

SHA1 hash:

f3a9abcfa08f16d34f09800a5df4ba5f794fcbd9

Link:

https://www.unpac.me/results/ac2892e6-f677-403e-a0b5-858502fa9c5a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7eb677c1c5c6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.22

Link:

https://yomi.yoroi.company/submissions/7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/182379/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample