MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86eb335425ab87285d7fc03826498925262e64a466fac29d22c8ae1a806feaae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86eb335425ab87285d7fc03826498925262e64a466fac29d22c8ae1a806feaae
SHA3-384 hash: b1310bdf3b7eadca5f834f261acc8ae74c02014ef81559cdde4d43c5f119feed991cba9ff3d0fee84d2b661472dd83c1
SHA1 hash: c30ffde08bc8abf1e4c117e5901f7895493ebbaf
MD5 hash: 42d277a9217eb92923e54b3d1adea3ac
humanhash: comet-bluebird-asparagus-william
File name:Paid Invoice _confirmation_9336639_03993736553.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'200'456 bytes
First seen:2021-02-28 10:39:25 UTC
Last seen:2021-02-28 12:53:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b8f7391267a01645d3bebd95f55f99c (1 x RemcosRAT)
ssdeep 12288:1qHTpiGrg2UOvE73TWXv0K5vZC7rUb1xkxr3cPamMI6l5/bINjS25Ukcm/iJAC8Z:1qHT0GwOvEjTqLhc7xtWT6lVIN+gZbO+
Threatray 99 similar samples on MalwareBazaar
TLSH 39456A6151424B32F4523B36C93A1264DBE57E3CBD105B06E6A86BAB5F2F2402CD71BF
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rdns0.returnspark.website
Sending IP: 151.80.220.100
From: ute@marcelselectronics.com
Subject: RE: bank account to confirm
Attachment: Paid Invoice _confirmation_.img (contains "Paid Invoice _confirmation_9336639_03993736553.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
887
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Paid Invoice _confirmation_9336639_03993736553.exe
Verdict:
Malicious activity
Analysis date:
2021-02-28 10:41:03 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/402c20d1-e3cc-416d-9622-9d6e061f14fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120001/
Detection(s):
SecuriteInfo.com.Fareit-FZO42D277A9217E.14120.14775.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621069
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359529 Sample: Paid Invoice _confirmation_... Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 5 other signatures 2->49 6 Paid Invoice _confirmation_9336639_03993736553.exe 1 18 2->6         started        11 Cfngjtec.exe 2->11         started        13 Cfngjtec.exe 2->13         started        process3 dnsIp4 27 cdn.discordapp.com 162.159.135.233, 443, 49723 CLOUDFLARENETUS United States 6->27 25 C:\Users\Public\Libraries\Cfngjtec.exe, PE32 6->25 dropped 51 Writes to foreign memory regions 6->51 53 Allocates memory in foreign processes 6->53 55 Creates a thread in another existing process (thread injection) 6->55 15 calc.exe 2 6->15         started        57 Multi AV Scanner detection for dropped file 11->57 59 Machine Learning detection for dropped file 11->59 61 Injects a PE file into a foreign processes 11->61 19 msiexec.exe 11->19         started        21 conhost.exe 11->21         started        23 msiexec.exe 13->23         started        file5 signatures6 process7 dnsIp8 29 216.38.7.225, 49727, 6809 ASN-GIGENETUS United States 15->29 31 System process connects to network (likely due to code injection or exploit) 15->31 33 Contains functionality to steal Chrome passwords or cookies 15->33 35 Contains functionality to capture and log keystrokes 15->35 37 Contains functionality to inject code into remote processes 15->37 39 Contains functionality to steal Firefox passwords or cookies 19->39 41 Delayed program exit found 19->41 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86eb335425ab87285d7fc03826498925262e64a466fac29d22c8ae1a806feaae/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-02-28 10:40:10 UTC
AV detection:
13 of 48 (27.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q3vtgvbfvodsqxl7ya4cmsmjeutc4zfem35mfhjczcxbvadp5kxa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0499edd68518a172935fb984e9d97c72c50a00d5aff2cc7d5528cd38da42695c
RemcosRAT
42ef2a340b9b5ec88d5ab83584f07ecc76e7b3842640aecd328ad9d85ad745e8
RemcosRAT
46131c5f93779a7547011c983be113cbf561fee1f4cba59ce8dd8f0bfb4a48f7
RemcosRAT
4a74ac9210751c192d84ad49d567de4cc5f7d005f62767b59a6a7901051a5304
RemcosRAT
610aec487270d875f4c6a5fb4f128d636f817a36e40dc4db55c52505258d785f
RemcosRAT
736c1c3ed4301b2f069ba84d5bcdf3919e88d5412fa13080d2eed53fe98c0ac4
RemcosRAT
941d7828d89da175afca52906a1e519707a09685f30332937917505fa8999f87
RemcosRAT
f1e9d6eb71a715e5f47a5c6fa5d03e9c3b871a0e88c91c709ff67ab9311caf4e
RemcosRAT
f8d06c20dc2af83af29551f384bbde4e5380911d8db0f9e56ca549bb5995d413
RemcosRAT
fb42713cea74ad7a0d4579b86d6c213b25b1f8594019787da3f2152e436fd8fd
RemcosRAT
+ 89 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210228-n4sr2ceaxa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
216.38.7.225:6809
Unpacked files
SH256 hash:
5bcde4d165f66f58ce0446462a038b7ae84e2fd2275885f61f68287547aac66d
MD5 hash:
34cb499bbd566c24dcf888e9bab46083
SHA1 hash:
3bb97e3103868691e57e7cf3be88a7ff30f46ea1
Link:
https://www.unpac.me/results/bd15f36f-348c-4847-9e78-68a8f3d188f1/
SH256 hash:
86eb335425ab87285d7fc03826498925262e64a466fac29d22c8ae1a806feaae
MD5 hash:
42d277a9217eb92923e54b3d1adea3ac
SHA1 hash:
c30ffde08bc8abf1e4c117e5901f7895493ebbaf
Link:
https://www.unpac.me/results/bd15f36f-348c-4847-9e78-68a8f3d188f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86eb335425ab87285d7fc03826498925262e64a466fac29d22c8ae1a806feaae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img 18c7f10639db2797a180864077e41544842fa5afc6209e81940e5cd4abacd280

RemcosRAT

Executable exe 86eb335425ab87285d7fc03826498925262e64a466fac29d22c8ae1a806feaae

(this sample)

  
Dropped by
MD5 83f06a9b8e0e490eeeddc04bb72c75f7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120001/
  
Dropped by
SHA256 18c7f10639db2797a180864077e41544842fa5afc6209e81940e5cd4abacd280

Comments