MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8247f1c9100f98350ccc39ee0512d24a86c29881763eb262197347908a1315c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8247f1c9100f98350ccc39ee0512d24a86c29881763eb262197347908a1315c4
SHA3-384 hash: e649493fdfddfbd9e5b338fbba553ba1a94cab299fcf41ddf2ea49e5ab246ab29311b113f333de7fb46356262f51d6ad
SHA1 hash: 41aea5efe4829f6547e8f56c32cd2bbf927fa188
MD5 hash: 2e03dd17fc7fb8ad40f742918c9fa92d
humanhash: freddie-neptune-sierra-william
File name:Quotation 15 10 2020.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:504'832 bytes
First seen:2020-10-16 13:41:29 UTC
Last seen:2020-10-16 15:15:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:XG/pgL0hPwBYSNw76fo2YyZytRPLdmRrsFDf:XGiLiPw8GfoZOy8RCD
Threatray 906 similar samples on MalwareBazaar
TLSH 0AB4CF25236C6FA1E0BDD37B31A0152053FAB186E335D72D7DA852CE3E65B848663B43
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: yandex.com
Sending IP: 37.49.225.133
From: stoneadamss@yandex.com
Subject: QUOTATION
Attachment: Quotation 15 10 2020.gz (contains "Quotation 15 10 2020.exe")

RemcosRAT C2:
194.5.97.103:1011

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72061/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.8976.7688.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Sending a custom TCP request
Forced shutdown of a system process
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493715
Signature
.NET source code contains potential unpacker
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299317 Sample: Quotation 15 10 2020.exe Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 28 Multi AV Scanner detection for dropped file 2->28 30 Sigma detected: Scheduled temp file as task from temp location 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 9 other signatures 2->34 7 Quotation 15 10 2020.exe 7 2->7         started        process3 file4 20 C:\Users\user\AppData\...\ldTelQYzzzZjcQ.exe, PE32 7->20 dropped 22 C:\...\ldTelQYzzzZjcQ.exe:Zone.Identifier, ASCII 7->22 dropped 24 C:\Users\user\AppData\Local\...\tmp512B.tmp, XML 7->24 dropped 26 C:\Users\...\Quotation 15 10 2020.exe.log, ASCII 7->26 dropped 10 schtasks.exe 1 7->10         started        12 vbc.exe 7->12         started        14 vbc.exe 7->14         started        16 3 other processes 7->16 process5 process6 18 conhost.exe 10->18         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8247f1c9100f98350ccc39ee0512d24a86c29881763eb262197347908a1315c4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 07:32:26 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qjd7dsiqb6mdkdgmhhxakewsjkdmfgeboy7leyqzondzbcqtcxca._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
20fe1d90bb66801400e3f746afb2408c1f17a772282f82bf707376559395e9fa
RemcosRAT
3ae83a13a6fe98f6d3b293d69aa7e58e4752e4b1353978e1a390314f725ea44e
RemcosRAT
4edd4c06c8b7cca23fce60e854323b80835e64c805daef22994f2d3d743dd83b
RemcosRAT
5967386e3a83cb9e0066223388892aade38751662b856048184c262239411aae
RemcosRAT
69e28c099c18f7fd000440db3155e9818916f70535e10b392ae7c1fb54ba48be
RemcosRAT
796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a
RemcosRAT
82b2605b25b8443229154cf16788525e9dab3bdeff6b305792a11c0d5cd8e99f
RemcosRAT
abd47175466abe2058151e12919ca9501497dbb286909bf7896d20d59fe73ef6
RemcosRAT
bbcaf0746383dc1928fe53805da2d9bb28123e7495d48759202a46217e6b456d
RemcosRAT
d38a8652771ca87506e06b24d7b6b21fd051042714faa477c7d7189c9bd94633
RemcosRAT
+ 896 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos spyware
Link:
https://tria.ge/reports/201016-4z65aedrhs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
194.5.97.103:1011
Unpacked files
SH256 hash:
af35c70f59d4ed1b3eb1eac69b25e3d58a9328e9b9a5db562807860daa0e8a19
MD5 hash:
bdedde6b605b3358d010ccad7e5cf36b
SHA1 hash:
1f9742ef09e8f1c89f401199dc2429ba4360436b
Link:
https://www.unpac.me/results/8a5b7a03-5364-41c5-af19-c41a16f6c9b4/
SH256 hash:
1cb09ab5027dce50bfc94b1df04402c58dd709bd66dc342fe240f1db58adc974
MD5 hash:
b560afc827ec9bd24b6b247a95ac6114
SHA1 hash:
6cf42d2a266a8c7b40037f9f765e7e1075e760e0
Link:
https://www.unpac.me/results/8a5b7a03-5364-41c5-af19-c41a16f6c9b4/
SH256 hash:
8247f1c9100f98350ccc39ee0512d24a86c29881763eb262197347908a1315c4
MD5 hash:
2e03dd17fc7fb8ad40f742918c9fa92d
SHA1 hash:
41aea5efe4829f6547e8f56c32cd2bbf927fa188
Link:
https://www.unpac.me/results/8a5b7a03-5364-41c5-af19-c41a16f6c9b4/
SH256 hash:
d4915bb93346f74dfb41378492e0ec9b48046f5f01cd14bc76deda8073edfd4c
MD5 hash:
984ba1788b0721a1a7f6a0fad9c96d3e
SHA1 hash:
eb609b9984bc47eceb131336f16b63b84988827f
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/8a5b7a03-5364-41c5-af19-c41a16f6c9b4/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/8a5b7a03-5364-41c5-af19-c41a16f6c9b4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/8247f1c9100f98350ccc39ee0512d24a86c29881763eb262197347908a1315c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

gz e779be3863ee26fffaaf3d1f4541e1bf2836e92503647276adfdab893340c2a5

RemcosRAT

Executable exe 8247f1c9100f98350ccc39ee0512d24a86c29881763eb262197347908a1315c4

(this sample)

  
Dropped by
MD5 d936670a810b2a8878179bc6a9aa72cf
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72061/
  
Dropped by
SHA256 e779be3863ee26fffaaf3d1f4541e1bf2836e92503647276adfdab893340c2a5

Comments