MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90a634ffa9eb1fc2dd8aeaabf1aed592a4cf18a824f5b9160f052ac642eeb79a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90a634ffa9eb1fc2dd8aeaabf1aed592a4cf18a824f5b9160f052ac642eeb79a
SHA3-384 hash: 30b06e69c734d54b7503b66d7d7ff17044258e14184e157527081214fe25e5969b0239fc216cb774387f29dfebaef239
SHA1 hash: 871a968e875fb05a6ad0c3cf4aa5c5f27258e905
MD5 hash: 97f5440beb991b4724e623711cc07cfa
humanhash: illinois-autumn-orange-island
File name:HSBC CUSTOMER REMITTANCE COPY.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:308'736 bytes
First seen:2021-03-31 00:51:47 UTC
Last seen:2021-03-31 01:42:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:AcEf+MHI+AM7IWgkUIHKThd8RWSHztMbpZ1QoLy33gom:AcRWI5M7IWgkUIHKThd8RWKztMbpZ1Q4
Threatray 100 similar samples on MalwareBazaar
TLSH AE64852E7A43B667D01F613794307E791A39702258F263DAC3B9A830EBD82B1DD2C557
Reporter GovCERT_CH
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HSBC CUSTOMER REMITTANCE COPY.exe
Verdict:
Malicious activity
Analysis date:
2021-03-31 00:57:03 UTC
Tags:
rat remcos trojan
Link:
https://app.any.run/tasks/16ddfba0-aca7-41d8-8a12-3b49ec20dd11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/128863/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader38.17696.12608.4798.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a file
Moving a recently created file
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Creating a window
Sending a UDP request
Running batch commands
Adding an access-denied ACE
Sending a custom TCP request
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Setting a single autorun event
Blocking the User Account Control
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/659402
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Remcos
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 378629 Sample: HSBC CUSTOMER REMITTANCE COPY.exe Startdate: 31/03/2021 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->64 66 Antivirus detection for dropped file 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 70 11 other signatures 2->70 7 HSBC CUSTOMER REMITTANCE COPY.exe 20 13 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 9 other processes 2->16 process3 dnsIp4 56 dqdqededqedqe.tk 172.67.145.154, 49703, 49714, 49719 CLOUDFLARENETUS United States 7->56 44 C:\Windows\Resources\Themes\...\svchost.exe, PE32 7->44 dropped 46 C:\Users\user\AppData\...\ZgTrTaxZvf.exe, PE32 7->46 dropped 48 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 7->48 dropped 50 C:\Users\...\ZgTrTaxZvf.exe:Zone.Identifier, ASCII 7->50 dropped 74 Creates an autostart registry key pointing to binary in C:\Windows 7->74 76 Writes to foreign memory regions 7->76 78 Adds a directory exclusion to Windows Defender 7->78 90 2 other signatures 7->90 18 HSBC CUSTOMER REMITTANCE COPY.exe 7->18         started        22 ZgTrTaxZvf.exe 14 2 7->22         started        24 cmd.exe 7->24         started        30 8 other processes 7->30 80 Antivirus detection for dropped file 12->80 82 System process connects to network (likely due to code injection or exploit) 12->82 84 Multi AV Scanner detection for dropped file 12->84 86 Machine Learning detection for dropped file 12->86 58 192.168.2.1 unknown unknown 14->58 60 104.21.87.185, 49717, 80 CLOUDFLARENETUS United States 16->60 62 127.0.0.1 unknown unknown 16->62 88 Changes security center settings (notifications, updates, antivirus, firewall) 16->88 26 WerFault.exe 16->26         started        28 WerFault.exe 16->28         started        file5 signatures6 process7 dnsIp8 52 185.29.9.113, 49720, 7790 DATACLUB-SE European Union 18->52 72 Installs a global keyboard hook 18->72 54 dqdqededqedqe.tk 22->54 32 conhost.exe 24->32         started        34 timeout.exe 24->34         started        36 conhost.exe 30->36         started        38 conhost.exe 30->38         started        40 conhost.exe 30->40         started        42 4 other processes 30->42 signatures9 process10
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-03-30 17:46:00 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sctdj75j5mp4fxmk5kv7dlwvsksm6gfiet23sfqpauvmmqxow6na._file
Verdict:
suspicious
Similar samples:
0f0159c20cfaa92f53f75ba6d3c934629359ca805f595d1a5d2247ae2df88737
RemcosRAT
1aba8cc2630000d1ae8693e33c9258a2407abfc44e363f9d0a5edde35c791ac3
RemcosRAT
23f395feba9af97086e3c3dee7cde812ad67a31cc151d9285b2fc7b2f926bc4d
RemcosRAT
32c3ae8cd868f60dc052888ac37dda6e70a4e524a290b0e0aaf32967da7490db
RemcosRAT
4fe0cf5ea4078adae2170d820443a1a8d91d1eb6dbf886db70783998ffd65d0e
RemcosRAT
550d2da381ccc752d75f776bf9371683b39e1e45e0532daf779bbdc2a060fe17
RemcosRAT
595736e53ca10cf360d6859269d1ac8d2ee2758da03dc15a30d10c539ca4fd0a
RemcosRAT
8e15f76149baa634caba6bcb021a5793f9b86c6290247d62a3f9628e5e147c7f
RemcosRAT
989f330817cadbe60308cdd0977792aa3ee8fd2f55b2e92ed32d2416de16c32d
RemcosRAT
fe8e69539064f02829922daa446bed806a0fc74e0036d961f1fd53021444f529
RemcosRAT
+ 90 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos evasion rat trojan
Link:
https://tria.ge/reports/210331-r77v46v796/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Remcos
Windows security bypass
Malware Config
C2 Extraction:
185.29.9.113:7790
Unpacked files
SH256 hash:
90a634ffa9eb1fc2dd8aeaabf1aed592a4cf18a824f5b9160f052ac642eeb79a
MD5 hash:
97f5440beb991b4724e623711cc07cfa
SHA1 hash:
871a968e875fb05a6ad0c3cf4aa5c5f27258e905
Link:
https://www.unpac.me/results/92730373-1822-4de3-84d3-6e615fa66312/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/90a634ffa9eb1fc2dd8aeaabf1aed592a4cf18a824f5b9160f052ac642eeb79a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 240962dca128e601bd3bbaabf128d7f79eaa1e52b3ce29a8dcfeaf1b9e8635f4

RemcosRAT

Executable exe 90a634ffa9eb1fc2dd8aeaabf1aed592a4cf18a824f5b9160f052ac642eeb79a

(this sample)

  
Dropped by
MD5 dee644872518bad0830557a38bb9857e
  
Dropped by
SHA256 240962dca128e601bd3bbaabf128d7f79eaa1e52b3ce29a8dcfeaf1b9e8635f4
  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/128863/

Comments