MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 857ad0bf941ee434d96692477bec16c72571ce266091ba4bcc6952f409aff198. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	857ad0bf941ee434d96692477bec16c72571ce266091ba4bcc6952f409aff198
SHA3-384 hash:	78ddf755fdb9b65d7c6c60853bb1e82b71d39c5a0a25585e19bd389d416b2bcd244e02b456c5ae84c170cac4d44de819
SHA1 hash:	e5a934dea63316685e77a7b1773807ee8e83584c
MD5 hash:	3bbe3235da11c57820aade4c7bbb3184
humanhash:	skylark-connecticut-romeo-social
File name:	PO FH8765446878-15-10-2020,pdf,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	900'608 bytes
First seen:	2020-10-16 17:46:57 UTC
Last seen:	2020-10-16 19:22:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'595 x Formbook, 12'238 x SnakeKeylogger)
ssdeep	24576:roFt5cHpixeV23UP+DLu9TKJ0E6cpTGZ:rHHpiYV23UPESSh6a
TLSH	DF15199C765072DEC86BC972DA685C74EB607C7A431BC20790533AADAA3D997CF101F2
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/72225/

Detection(s):

SecuriteInfo.com.ArtemisTrojan.9643.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a process with a hidden window

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/494057

Signature

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/857ad0bf941ee434d96692477bec16c72571ce266091ba4bcc6952f409aff198/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2020-10-16 15:25:25 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qv5nbp4ud3sdjwlgsjdxx3awy4sxdtrgmci3us6mnfjpicnp6gma._file

Result

Malware family:

remcos

Score:

10/10

Tags:

rat family:remcos

Link:

https://tria.ge/reports/201016-3hga2avdcn/

Behaviour

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

incidencias6645.ddns.net:8638

Unpacked files

SH256 hash:

857ad0bf941ee434d96692477bec16c72571ce266091ba4bcc6952f409aff198

MD5 hash:

3bbe3235da11c57820aade4c7bbb3184

SHA1 hash:

e5a934dea63316685e77a7b1773807ee8e83584c

Link:

https://www.unpac.me/results/26124fba-104f-4814-b210-1b845340920a/

SH256 hash:

82f8bd44e89d4a7bce66244db910416be74b6de4adaeaf9601e5e3be996acb5f

MD5 hash:

31673fcc744bcbd12e2fc7afd15a61bf

SHA1 hash:

5eaf54a16ffb03b1df564e1bf9a1516da1a781f0

Link:

https://www.unpac.me/results/26124fba-104f-4814-b210-1b845340920a/

SH256 hash:

f3d0527738dc71fa225aba647b281ef23a1b998309d97def975f47d6d1756954

MD5 hash:

255e46c2777f28a33853de4800c19b06

SHA1 hash:

9d748ed7e584dda447da748add86c476154cabbe

Link:

https://www.unpac.me/results/26124fba-104f-4814-b210-1b845340920a/

SH256 hash:

bcae4c5ca1ad436f05f6d52fbd3ffb22aeea32492b4dd378bd715869d81622fa

MD5 hash:

c81a2fbd4541f3ede628bcffa0c0d379

SHA1 hash:

ccbe2d29399246fea9c29cd62efda8277749fe58

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/26124fba-104f-4814-b210-1b845340920a/

Parent samples :

d18e31c42d64a21777bb04a3b0015d415050a6303ae3d864f129ecb50f0f87bb
736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f
857ad0bf941ee434d96692477bec16c72571ce266091ba4bcc6952f409aff198
0f0f600613b5b1d1e9d80c6229d2ec639d4477d107fa080a5f58d3f61997bceb
18beca395ea8cfba85e8fb26a3adc366bf7c047088c2fe16b4ed587cecd6e57f
7a6f6659840dc30d797d816e1b2bbeb847c36c2e330fe45369b9037a113e8bc6
a0e87c60c05c9b9a184ad81e279fabb2e997ab1d79cba0248548d846ecab8510
94f225b0d4018228ee1c69317cd8f369f3c343378145e41cdf939d4dd30b988d

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/26124fba-104f-4814-b210-1b845340920a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/857ad0bf941ee434d96692477bec16c72571ce266091ba4bcc6952f409aff198

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 857ad0bf941ee434d96692477bec16c72571ce266091ba4bcc6952f409aff198

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/72225/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample