MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83f54b46a10ce36ac80d885c29cbf1c88c65250163961193916123c282d36784. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 8 File information Comments

SHA256 hash:	83f54b46a10ce36ac80d885c29cbf1c88c65250163961193916123c282d36784
SHA3-384 hash:	18eb37c02b499dc435f4f612fb7f180c51dd0eb38a75ce836ee27268af833ca50a5bed81aaa8d908632e5caabac6e337
SHA1 hash:	5a14e9688164fa50af96a12491ead2d24f515d5b
MD5 hash:	eec97d1aec827f4e024357f8f6c52d34
humanhash:	hotel-skylark-robert-oklahoma
File name:	DHL STATEMENT OF ACCOUNT.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	175'616 bytes
First seen:	2020-12-08 08:10:12 UTC
Last seen:	2020-12-08 09:31:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a262877a36fc7e0f830054e0f70f76cb (7 x Matiex, 4 x AgentTesla, 4 x Loki)
ssdeep	3072:kTpIizQx49EVr3pAbcRqOChTVWpRBFiBmoyU1+QpABW5anWlo5jVz:+IJOc0up8DpggI5j
Threatray	1'236 similar samples on MalwareBazaar
TLSH	CD04020B75A18436F06729391878E6B65D2FB8802630805B7B5D676E0F707E18E793FB
Reporter	abuse_ch
Tags:	DHL exe nVpn RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: mailout.traderpro.co.uk
Sending IP: 198.74.61.64
From: billing.help@dhl.com
Subject: DHL STATEMENT OF ACCOUNT- 3300781366
Attachment: DHL STATEMENT OF ACCOUNT.rar (contains "DHL STATEMENT OF ACCOUNT.exe")

RemcosRAT C2:
185.244.26.194:11990

Hosted on nVpn:

% Information related to '185.244.26.0 - 185.244.26.255'

% Abuse contact for '185.244.26.0 - 185.244.26.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.26.0 - 185.244.26.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU3
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2020-11-22T02:00:16Z
last-modified: 2020-11-22T23:55:31Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

153

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/107209/

Detection(s):

SecuriteInfo.com.ArtemisEEC97D1AEC82.12466.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Unauthorized injection to a recently created process

Sending a custom TCP request

Reading critical registry keys

Creating a file in the %temp% directory

Deleting a recently created file

Stealing user critical data

Result

Gathering data

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/557735

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/83f54b46a10ce36ac80d885c29cbf1c88c65250163961193916123c282d36784/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-08 03:30:18 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qp2uwrvbbtrwvsanrbocts7rzcggkjibmolbde4rmer4fawtm6ca._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

1dc145b173ba2184fdf10d99048af85b721f017c5fa523777bd8661c64bf3405

RemcosRAT

3504835fa4e6114c5792842bdc72ebd170c2197cae7d92f8f7454b817aadedc1

RemcosRAT

4f718a40662228b1b5efca4664eb07f6d1918b62bc8b29598410d1dc5bb76c70

RemcosRAT

628714308e23fcb40095b63c6822b08f8a9b90de2ac290ff1e8e01b6ccde1568

RemcosRAT

b704ceb41947acea7cb7c2d1a5b3de33b25120728fec16b4d8b35fbaa05e5afb

RemcosRAT

bc8513a74ddfc1a9a78fbdbf39d90a61d59819dfb116846daf730693622c3c69

RemcosRAT

d2169ac5c124981adad2629a6f763a39b0031e22d082ee4e07130630a3ee308b

RemcosRAT

f2a8ae610f1847b1344ffaa1c252543a9e4f5208b0644be9d8f5d7d6770c9ae2

RemcosRAT

fa5850a0ba8809631d4e3f5a3f8cafa133b3d6ae37088eeb934ec13d1bc9f368

RemcosRAT

+ 1'226 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/201208-q1nt4ynkd6/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

185.244.26.194:11990

Unpacked files

SH256 hash:

83f54b46a10ce36ac80d885c29cbf1c88c65250163961193916123c282d36784

MD5 hash:

eec97d1aec827f4e024357f8f6c52d34

SHA1 hash:

5a14e9688164fa50af96a12491ead2d24f515d5b

Link:

https://www.unpac.me/results/0d8fb5af-0e09-420c-9b2f-a30880b9fcf3/

SH256 hash:

8572eb0b185c5975a872b80c3ac51a945bff85c5767f67feb66204840c1d858c

MD5 hash:

0b111ae6107dafb7b1b7f3467798835a

SHA1 hash:

2ff5a37f77f8b1abe4cb935b36f8bdfb6ff38160

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/0d8fb5af-0e09-420c-9b2f-a30880b9fcf3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/83f54b46a10ce36ac80d885c29cbf1c88c65250163961193916123c282d36784

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator