MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80672dc10b55aaea12c39cb39fdc3cbe4a10d54b4ca9e6134ad455f60aafa0e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80672dc10b55aaea12c39cb39fdc3cbe4a10d54b4ca9e6134ad455f60aafa0e4
SHA3-384 hash: 5b2bd6b285d40783d15f7200cc1a3506ca146ca69c1502423394440114e367481f07a62f675b4b9f2af65587093f9321
SHA1 hash: af84f44b8a889d40175347504d556f20049041e2
MD5 hash: b63e312250875bbe921afe4f158c2626
humanhash: beryllium-enemy-steak-tennis
File name:PO_AMC45687899,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:168'864 bytes
First seen:2020-10-12 14:57:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:L6hkNRvfhrZmbxmk3I0/IKn2IxvC7xGEoa:LMshf9wbxmk3I0/IKn2IxvC7xj
Threatray 13 similar samples on MalwareBazaar
TLSH BEF3FA12B281FC91EC76027548E6D42421F3BE735961C15C2CE569CCEFA2B5626ABCCF
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: corporate.orangemali.net
Sending IP: 197.155.141.129
From: Makgoka Stanley <info@amacon.co.za>
Subject: RE:New purchase order for you with reference: BINIF0865
Attachment: PO_AMC45687899,pdf.iso (contains "PO_AMC45687899,pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70152/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.64982.30220.15932.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488643
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Contains functionality to capture and log keystrokes
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Country aware sample found (crashes after keyboard check)
Detected Remcos RAT
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/80672dc10b55aaea12c39cb39fdc3cbe4a10d54b4ca9e6134ad455f60aafa0e4/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 09:38:26 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qbts3qilkwvouewdtszz7xb4xzfbbvkljsu6me2k2rk7mcvpudsa._file
Verdict:
unknown
Similar samples:
0e128c983b60048ebbd6cd52281431f2658fdf9ed7e79f9976a3ad882c822da7
RemcosRAT
1e2ced0bf97c8caa6021784418f2edba1d0e618034fa15d83a0e8896e0936993
RemcosRAT
3273a366f61e4512703b8f4ab1b3ba60f613ef1f679eb589d1ad0e96cd35a25d
RemcosRAT
4692d4716a224f54c928808d2d7ee7e9eaeb8531f1cd29b91886fa511a12f07a
RemcosRAT
6dbd3f42bf990db55372e1e01a3ddb4dbbdf3051fa01492bca882dbc023bb71a
RemcosRAT
7690c6721de838a1f54b8bf058b68149dac4117f9ff6d1da17d1ebcc00361ee7
RemcosRAT
7c6f9944f020d5349a5657bdee7fb477efd9243135a05b4db9b6a2c19f6fdc27
RemcosRAT
c20854beeb11adc316f75f01b88cbb0ee65111accea0a199e14d2a03308a006e
RemcosRAT
c456e8fa5cd496f1293870881ce5052a1e288ada68d414de521d64a782792792
RemcosRAT
c9e9905267fe18dc32cc509c13f81fd346d3038d2f3ce469c203b9c7fa58c9f4
RemcosRAT
+ 3 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos
Link:
https://tria.ge/reports/201012-b69gefwf9j/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
incidencias6645.ddns.net:8638
Unpacked files
SH256 hash:
80672dc10b55aaea12c39cb39fdc3cbe4a10d54b4ca9e6134ad455f60aafa0e4
MD5 hash:
b63e312250875bbe921afe4f158c2626
SHA1 hash:
af84f44b8a889d40175347504d556f20049041e2
Link:
https://www.unpac.me/results/5749da70-3db7-400c-a732-8ddf6fc4957f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80672dc10b55aaea12c39cb39fdc3cbe4a10d54b4ca9e6134ad455f60aafa0e4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 719f92d0874d450f478baa0a426fab418fe911617b6f3ffa2127b8de5e68cddb

RemcosRAT

Executable exe 80672dc10b55aaea12c39cb39fdc3cbe4a10d54b4ca9e6134ad455f60aafa0e4

(this sample)

  
Dropped by
MD5 4162c1021de988fe0f42ab831e3a096e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70152/
  
Dropped by
SHA256 719f92d0874d450f478baa0a426fab418fe911617b6f3ffa2127b8de5e68cddb

Comments