MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86da76aaa93035696752329676cc619cb00d99fbf38857a56b087fa27f80c028. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	86da76aaa93035696752329676cc619cb00d99fbf38857a56b087fa27f80c028
SHA3-384 hash:	edc007467a228d3c51391803b30b440fd7b7378efb3093dee201ffff59ba1f1bd65ae084cc833b7a2100a79dc325798e
SHA1 hash:	9ae463940601c9adbcee46a275a57308cf77612c
MD5 hash:	59b6819fd6875b148f559193228aeacf
humanhash:	finch-summer-green-oven
File name:	PO Order No 338390208B,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	705'536 bytes
First seen:	2021-08-23 14:31:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8ba7b45407a54e1cc2cb82bc2d24f0c9 (2 x RemcosRAT, 1 x NetWire)
ssdeep	12288:OWHQioUx/2JW1hxrQe+IguVZRFzODnQr0+NpYuJTquMvC:OI52JWhZvP43+NpBs
Threatray	457 similar samples on MalwareBazaar
TLSH	T14DE49E2AF7F6B237C87726744907976C58167C63191CA0E79ED20C4C8A3B3A5BC2857B
dhash icon	cad7b5b2eaaaaab6 (1 x NetWire, 1 x Formbook, 1 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO Order No 338390208B,pdf.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-23 15:14:58 UTC

Tags:

installer

Link:

https://app.any.run/tasks/5674728d-7877-41ce-8db9-9dcae774a69f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/181523/

Detection(s):

PUA.Win.Packer.BorlandDelphi-15

SecuriteInfo.com.ArtemisEFA94719F0D1.25274.10043.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Deleting a recently created file

Launching a process

Connection attempt to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/08d7c8cc-5ae7-4043-aec5-6b9dbeba258a

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/837607

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/86da76aaa93035696752329676cc619cb00d99fbf38857a56b087fa27f80c028/

Threat name:

Win32.Backdoor.NetWiredRc

Status:

Malicious

First seen:

2021-08-23 14:32:12 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=q3nhnkvjga2wsz2sgklhntdbtsya3gp36oefpjllbb72e74ayaua._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

46131c5f93779a7547011c983be113cbf561fee1f4cba59ce8dd8f0bfb4a48f7

RemcosRAT

4a74ac9210751c192d84ad49d567de4cc5f7d005f62767b59a6a7901051a5304

RemcosRAT

610aec487270d875f4c6a5fb4f128d636f817a36e40dc4db55c52505258d785f

RemcosRAT

86eb335425ab87285d7fc03826498925262e64a466fac29d22c8ae1a806feaae

RemcosRAT

941d7828d89da175afca52906a1e519707a09685f30332937917505fa8999f87

RemcosRAT

b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839

RemcosRAT

f1e9d6eb71a715e5f47a5c6fa5d03e9c3b871a0e88c91c709ff67ab9311caf4e

RemcosRAT

f8d06c20dc2af83af29551f384bbde4e5380911d8db0f9e56ca549bb5995d413

RemcosRAT

ff8dd2511c1721a535a31eb7e8c4f813ba114a2ec963f4b85f8808fa99d47422

RemcosRAT

+ 447 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:jboy persistence rat

Link:

https://tria.ge/reports/210823-ef7wphgjhe/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

newlogs.ddns.net:6565

Unpacked files

SH256 hash:

795b2b5d6668147d7924ac96f90741ddc2a2b5003f455fb842b613a286fbf8fc

MD5 hash:

53011b69a7231aea23d66805a681144b

SHA1 hash:

e3d0d157e763c865e79ccc5bedc2fd5fd90413f7

Link:

https://www.unpac.me/results/a8410da4-6075-467a-ac8c-c5705919cb81/

SH256 hash:

86da76aaa93035696752329676cc619cb00d99fbf38857a56b087fa27f80c028

MD5 hash:

59b6819fd6875b148f559193228aeacf

SHA1 hash:

9ae463940601c9adbcee46a275a57308cf77612c

Link:

https://www.unpac.me/results/a8410da4-6075-467a-ac8c-c5705919cb81/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/86da76aaa930/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/86da76aaa93035696752329676cc619cb00d99fbf38857a56b087fa27f80c028

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 86da76aaa93035696752329676cc619cb00d99fbf38857a56b087fa27f80c028

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/181523/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample