MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86b3d8a135597bcf56f2f6669b514bfd36aeaf1f890233b03a15f18a1c9705e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86b3d8a135597bcf56f2f6669b514bfd36aeaf1f890233b03a15f18a1c9705e8
SHA3-384 hash: f6f0f1488d34919903b6b92158e3d56c4c7d80cc3bfcabfcd4a04805bcafa672b5bc3246c4a6dddef943ef48f580e5ae
SHA1 hash: 1093c0cf76e05d4a71344b1c44b99e055de1cfd6
MD5 hash: 9e8948dac0c57b09a5dbd06b58e61a65
humanhash: mountain-fix-cardinal-delta
File name:QUOTATION 20 10 2020.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:471'040 bytes
First seen:2020-10-21 09:55:42 UTC
Last seen:2020-10-21 16:22:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:R9MppMobgROZ6V9xsKVAPATBRKWFiNFkCo9:EpMobB8SlcRVQ6Co9
Threatray 92 similar samples on MalwareBazaar
TLSH 9EA4E1326B5CAF15E0BD633F54A1104017FAE807E723D52EBCF624CDA5AAFA50562B13
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: yandex.com
Sending IP: 37.49.225.133
From: stoneadamss@yandex.com
Subject: QUOTATION
Attachment: QUOTATION 20 10 2020.gz (contains "QUOTATION 20 10 2020.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73967/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Connection attempt
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505642
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86b3d8a135597bcf56f2f6669b514bfd36aeaf1f890233b03a15f18a1c9705e8/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 02:13:01 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q2z5rijvlf546vxs6ztjwukl7u3k5ly7rebdhmb2cxyyuhexaxua._file
Verdict:
unknown
Similar samples:
08358d0a1584bef3d83e4a3c99d186e8078d398f3d7816df714315eb3c08d527
RemcosRAT
20c0aebe7cad9faafeff8655a50fb31ef9e91208f17035f3b90b91ab8fce0e86
RemcosRAT
3ba3652f91657ae971efd9b9f9b6e6ebee6dbe4e23c2837825d21c7bd7997aac
RemcosRAT
69b99d16f072c6ab2687da255681f3f1c3a97746bfe516b206644a5056a99425
RemcosRAT
8348c6c60034429d7bca499c5cfb52d04f0705cda36665cbff5db267958811ef
RemcosRAT
ba495069a1b601a12f32f6e346dfe60958f73caa0048fb702e357fee17d58d54
RemcosRAT
bd3bf49f455f519888272ddfe3e9a0603958e64e3bed5a80078bddf65276def2
RemcosRAT
eb140984e61c9b9860794656d3f978896944a0f7258c5abe25391b8c71f56853
RemcosRAT
ec379ea581609100b8ddfcf28eea0dc40ce72fb9e9f3dd310e0dfbeaf06bef0f
RemcosRAT
fea590dbb8987a6358d6708c5728826c5dc44c943ff4145ab1bc6d110c03e13c
RemcosRAT
+ 82 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos
Link:
https://tria.ge/reports/201021-vmyhd416ja/
Behaviour
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
185.150.24.48:1011
Unpacked files
SH256 hash:
ad3d281cf8a4a103242d5530362c51b2626f9a8ebd2b634bccef582ab3d39d91
MD5 hash:
3a4e791401910437df77c6c4cfbc5b7a
SHA1 hash:
585c32482439d467d38b937ca80ee3e8f45e4d0a
Link:
https://www.unpac.me/results/950510eb-cb25-4bf7-b5b8-9ffc84bc3978/
SH256 hash:
77b1e12212ebf28ac54f6e7715518fb3ba0b24a08b1f76835f753d32db6ed063
MD5 hash:
69c4a9abc2457898bf3f16706dba576a
SHA1 hash:
66b1e23ef0470292e05a18efe4f40e520e024320
Link:
https://www.unpac.me/results/950510eb-cb25-4bf7-b5b8-9ffc84bc3978/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/950510eb-cb25-4bf7-b5b8-9ffc84bc3978/
SH256 hash:
86b3d8a135597bcf56f2f6669b514bfd36aeaf1f890233b03a15f18a1c9705e8
MD5 hash:
9e8948dac0c57b09a5dbd06b58e61a65
SHA1 hash:
1093c0cf76e05d4a71344b1c44b99e055de1cfd6
Link:
https://www.unpac.me/results/950510eb-cb25-4bf7-b5b8-9ffc84bc3978/
SH256 hash:
f433b930d4d69e5cd07134ed4c9450cb2914fdef84a237741b2d483c4431809d
MD5 hash:
ca4ccae44086851cd34c799e65ba4fe4
SHA1 hash:
1e159714f62289af3f908f118a14bdd8bc348818
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/950510eb-cb25-4bf7-b5b8-9ffc84bc3978/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

gz df565b5f7b74a9dd4e69a10c6631f8062618fbb7de20492f0b99ddd3d0fd5559

RemcosRAT

Executable exe 86b3d8a135597bcf56f2f6669b514bfd36aeaf1f890233b03a15f18a1c9705e8

(this sample)

  
Dropped by
MD5 8bdf8546e93af91c75bc2d3c6c8caeb9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73967/
  
Dropped by
SHA256 df565b5f7b74a9dd4e69a10c6631f8062618fbb7de20492f0b99ddd3d0fd5559

Comments