MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fa72e87addead9671e573d7cb843ca784a10cfbf6acf5b6bc4830df66fe0bf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fa72e87addead9671e573d7cb843ca784a10cfbf6acf5b6bc4830df66fe0bf0
SHA3-384 hash: c2f02b49e9ab66a2b0ad1d1619a227148305d38d0093a54ae3e5f71d1255f797441537da59414feb4e20422d5565803c
SHA1 hash: 2bd28f09d3ea7c08bae3a90dd32c28335488eb43
MD5 hash: cf98d2d4d4555323842c8371db09347e
humanhash: sixteen-two-snake-leopard
File name:cf98d2d4d4555323842c8371db09347e
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'133'568 bytes
First seen:2021-09-21 20:08:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc8cc1eea5c25ce2056d7da92bd98134 (9 x RemcosRAT, 3 x NetWire, 1 x AveMariaRAT)
ssdeep 12288:lIspEfnP8N/seflQTshT8aqeTW39KqyeoAdrL7SUbDz5Zp:320N/seflZhTmiW3AirPzz5Z
Threatray 626 similar samples on MalwareBazaar
TLSH T1D9356BE77399CCE5ED213A3DFC46325223567BF538421C0D9DB07B8A2679241B86A84F
File icon (PE):PE icon
dhash icon 8ccc0c37e3969a68 (8 x RemcosRAT, 2 x NetWire, 1 x BitRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BoFA Remittance Advice.xls
Verdict:
Malicious activity
Analysis date:
2021-09-21 18:43:39 UTC
Tags:
macros macros-on-open maldoc-17 opendir loader rat remcos
Link:
https://app.any.run/tasks/2719b177-81a2-4476-bd81-d35f4ed63025

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189993/
Detection(s):
SecuriteInfo.com.ArtemisB8815A518089.2641.23959.UNOFFICIAL
Create hunting rule

Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a673beb5-3ad1-4472-ae3b-e3c23404df62
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855196
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 487629 Sample: yVhvGnsUpL Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 44 twistednerd.dvrlists.com 2->44 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 3 other signatures 2->80 9 Srakjle.exe 15 2->9         started        13 yVhvGnsUpL.exe 1 22 2->13         started        16 Srakjle.exe 15 2->16         started        signatures3 process4 dnsIp5 50 sn-files.fe.1drv.com 9->50 60 2 other IPs or domains 9->60 82 Multi AV Scanner detection for dropped file 9->82 84 Writes to foreign memory regions 9->84 86 Creates a thread in another existing process (thread injection) 9->86 18 mobsync.exe 9->18         started        52 sn-files.fe.1drv.com 13->52 54 qcisaa.sn.files.1drv.com 13->54 56 onedrive.live.com 13->56 42 C:\Users\Public\Libraries\...\Srakjle.exe, PE32 13->42 dropped 88 Injects a PE file into a foreign processes 13->88 21 DpiScaling.exe 2 13->21         started        24 cmd.exe 1 13->24         started        26 cmd.exe 1 13->26         started        58 sn-files.fe.1drv.com 16->58 62 2 other IPs or domains 16->62 28 mobsync.exe 16->28         started        file6 signatures7 process8 dnsIp9 64 Contains functionalty to change the wallpaper 18->64 66 Contains functionality to steal Chrome passwords or cookies 18->66 68 Contains functionality to steal Firefox passwords or cookies 18->68 46 twistednerd.dvrlists.com 31.3.152.100, 49745, 49746, 49747 ALTUSNL Sweden 21->46 48 192.168.2.1 unknown unknown 21->48 70 Contains functionality to inject code into remote processes 21->70 72 Delayed program exit found 21->72 30 reg.exe 1 24->30         started        32 conhost.exe 24->32         started        34 cmd.exe 1 26->34         started        36 conhost.exe 26->36         started        signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8fa72e87addead9671e573d7cb843ca784a10cfbf6acf5b6bc4830df66fe0bf0/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 19:43:20 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r6ts5b5n32wzm4pfopl4xbb4u6ckcdh362wplnv4jayn6zx6bpya._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
04f483018f53c35976cfd9c4b5191279761a351b3e135a70ae9c5c2b53be154b
RemcosRAT
15851690d3cb99d95e82bb47d3f31db71688c69dd50b0a8367e97aa3b501b637
RemcosRAT
61005cab010bde9798cb5c7ee05497c08ba71d638644f05a1b5e58c8eac67ca1
RemcosRAT
62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136
RemcosRAT
897e01eafce2598ea8af8d75f531b87118872fb82f101aa788fc987fdac0ff62
RemcosRAT
8cb9b0ac073c398ffc0147a1a84ffa9c2db217df67c5a89f34f4a5fb12be7cc3
RemcosRAT
a3d751c0554f2d36ae56987adeca6f9b8f7953fab4a5214ad913a9021fe168fc
RemcosRAT
b0f43b627353f91afa5e4a9c5eea655f5375e497933a6e37c3c0f8a5a29a2889
RemcosRAT
b484a4cb667f840e50d5fe91ed76752a5db90759ed1cac25ec965ce5751da9e2
RemcosRAT
b9384216a5aea20cd398e51c6549bb84d6b252f3fde114010e3cc0c60b1e2b13
RemcosRAT
+ 616 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:sept persistence rat
Link:
https://tria.ge/reports/210921-yw4ysaaed6/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
twistednerd.dvrlists.com:8618
Unpacked files
SH256 hash:
8af0b1d0dd47bb390af4256646d4b07c56d811fc8d59ddd0caaae17e4fb8963c
MD5 hash:
bf6f925b0d88b4605d61d5a251e8ca6d
SHA1 hash:
c016fd257edfa231f52e43022fc6d403c5064485
Link:
https://www.unpac.me/results/806cdd1d-7b25-43b8-b156-d7c52fa93100/
SH256 hash:
8fa72e87addead9671e573d7cb843ca784a10cfbf6acf5b6bc4830df66fe0bf0
MD5 hash:
cf98d2d4d4555323842c8371db09347e
SHA1 hash:
2bd28f09d3ea7c08bae3a90dd32c28335488eb43
Link:
https://www.unpac.me/results/806cdd1d-7b25-43b8-b156-d7c52fa93100/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/8fa72e87addead9671e573d7cb843ca784a10cfbf6acf5b6bc4830df66fe0bf0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 8fa72e87addead9671e573d7cb843ca784a10cfbf6acf5b6bc4830df66fe0bf0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1638701/
  
URLhaus
https://urlhaus.abuse.ch/url/1638704/
Cape
Cape
https://www.capesandbox.com/analysis/189993/

Comments


Avatar
zbet commented on 2021-09-21 20:08:20 UTC

url : hxxp://192.210.214.221/remit.exe