MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83b94c2312c673c3edf7eb5743019777252ec8dc71d16f885f41f83abb1ef2d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	83b94c2312c673c3edf7eb5743019777252ec8dc71d16f885f41f83abb1ef2d5
SHA3-384 hash:	7b4c5dbde895d362abfd19405a3c88010694e00fded4f18f9f78fad4d44b9bfda9f3eb803e971f2a5315f5135bbe58c5
SHA1 hash:	0cacd0fddb6b344302b9aee810189a529c18f782
MD5 hash:	cb636ea154aafb4ae55a4aa0f176898e
humanhash:	delaware-alpha-hamper-hot
File name:	RFQ_AP65425652_032421 urgentes,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	680'448 bytes
First seen:	2021-08-31 18:31:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b80f4f0a086ef8167169248061f9b4a4 (4 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	12288:732D6sAniEeWwhvT0Xq7FZlUci5DZ/iFXCj:7mYhwhvTf7k5Z//
Threatray	525 similar samples on MalwareBazaar
TLSH	T111E46CB276C1B675C2734A7D5D2F222168386F473AA968053FE86F480F34243796F25E
dhash icon	4cca4c67d3261aca (6 x RemcosRAT, 4 x Formbook, 2 x AveMariaRAT)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

230

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RFQ_AP65425652_032421 urgentes,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-08-31 18:34:51 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/40f0c28a-b94e-44c2-91b1-0b35cefe7b1b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/184290/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Deleting a recently created file

Launching a process

Connection attempt to an infection source

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Unauthorized injection to a system process

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e72a79ee-a6e8-495f-8bc2-5b67e269a7b8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/83b94c2312c673c3edf7eb5743019777252ec8dc71d16f885f41f83abb1ef2d5/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-08-31 18:32:07 UTC

AV detection:

9 of 45 (20.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qo4uyiysyzz4h3px5nlugamxo4ss5sg4ohiw7cc7ih4dvoy66lkq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

7a97f05df11f826ba1d973f260a565584d9db207a8130cf2769d0156078cc944

RemcosRAT

9b230ecb2de41faed1f6977799a2e7e03f4411fefbcf2e8b2e92a989f6bdd685

RemcosRAT

9f0c13034df95e3af02c98c025e517e4648c5a229217533f936cf811f61995e9

RemcosRAT

a3dbda9e244c0a7a63e9d669c838c9c290fd8bca5b1d35fa7add5a1950f578bd

RemcosRAT

a9584f63d38c2dec8fa79a9f0e1d9d2c30d8afdd84bea99e2139ff65898f0df8

RemcosRAT

c051b0ccdcb1d71dd1178412de70ad5f240a4f97ada53a54add41e1aadbe7694

RemcosRAT

d89a39469a38c622ff6d1c36603491bedfc5d5dcc92cf629aa50057eda35f563

RemcosRAT

+ 515 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:gr8est persistence rat

Link:

https://tria.ge/reports/210831-wrc8z4rqbx/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

manneedmoney.ddns.net:6642

Unpacked files

SH256 hash:

4e1202f3e7e04b0b3ca1df164bf5381f24063c142317e774d4e5d88b2b3ac744

MD5 hash:

aa23dee2c34813d67fe9c67ec784782a

SHA1 hash:

10b2e7af7cb9d6f852e6d607875a8c9613538930

Link:

https://www.unpac.me/results/8e82ac69-d938-42e4-a506-2f60a8d5a3a0/

SH256 hash:

83b94c2312c673c3edf7eb5743019777252ec8dc71d16f885f41f83abb1ef2d5

MD5 hash:

cb636ea154aafb4ae55a4aa0f176898e

SHA1 hash:

0cacd0fddb6b344302b9aee810189a529c18f782

Link:

https://www.unpac.me/results/8e82ac69-d938-42e4-a506-2f60a8d5a3a0/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/83b94c2312c6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.84

Link:

https://yomi.yoroi.company/submissions/83b94c2312c673c3edf7eb5743019777252ec8dc71d16f885f41f83abb1ef2d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/184290/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample