MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96bf189c954cf26d2aa54d3e9da9e06d2fbefe5922b48b12b5302fbe0b64e2cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96bf189c954cf26d2aa54d3e9da9e06d2fbefe5922b48b12b5302fbe0b64e2cb
SHA3-384 hash: 986a9b35686e612b5830934b5163ac7468e2870cd2997e1aa42ce75c1c2a46e3b101a6d15d70a2c31b3f3330c958dc5a
SHA1 hash: 224d978ee82ca513f30eeab4bc64c8568adf961e
MD5 hash: 8f3033d2dabb4194835450498aeb396b
humanhash: venus-finch-echo-gee
File name:Payment Confirmation slip.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:746'496 bytes
First seen:2021-03-01 07:27:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:G3VsF3GK+6Deie8Mdc5+hYlAzMPu+bGrk:K4GKNDeie8Mdc5+hIAzMPk
Threatray 133 similar samples on MalwareBazaar
TLSH 64F401477F0B304AE5680B7688A8136163F68F105563DA2BAAE47D6CEDF27CF0D5094B
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cloud74790.mywhc.ca
Sending IP: 67.43.226.75
From: Trade<tradeslabourcorp@indaseoteam.com>
Reply-To: tradeslabourcorp@indaseoteam.com
Subject: Payment from Hotbox Storage Limited Aus Stock only
Attachment: Payment Confirmation slip.zip (contains "Payment Confirmation slip.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Confirmation slip.exe
Verdict:
Malicious activity
Analysis date:
2021-03-01 08:11:04 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/0c5713a8-7335-4f91-abd6-577ce22f556e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120131/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621879
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 359929 Sample: Payment Confirmation slip.exe Startdate: 01/03/2021 Architecture: WINDOWS Score: 100 35 rainbowsmile.freeddns.org 2->35 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 13 other signatures 2->47 8 Payment Confirmation slip.exe 7 2->8         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\OWqsKKzNWmlPAt.exe, PE32 8->29 dropped 31 C:\Users\user\AppData\Local\...\tmp2D18.tmp, XML 8->31 dropped 33 C:\...\Payment Confirmation slip.exe.log, ASCII 8->33 dropped 49 Writes to foreign memory regions 8->49 51 Allocates memory in foreign processes 8->51 53 Injects a PE file into a foreign processes 8->53 12 vbc.exe 8->12         started        15 vbc.exe 3 3 8->15         started        19 schtasks.exe 1 8->19         started        21 vbc.exe 8->21         started        signatures6 process7 dnsIp8 55 Contains functionality to steal Chrome passwords or cookies 12->55 57 Contains functionality to capture and log keystrokes 12->57 59 Contains functionality to inject code into remote processes 12->59 61 2 other signatures 12->61 37 rainbowsmile.freeddns.org 185.140.53.37, 49714, 49715, 49718 DAVID_CRAIGGG Sweden 15->37 39 192.168.2.1 unknown unknown 15->39 27 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 15->27 dropped 23 svchost.exe 15->23         started        25 conhost.exe 19->25         started        file9 signatures10 process11
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/96bf189c954cf26d2aa54d3e9da9e06d2fbefe5922b48b12b5302fbe0b64e2cb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 07:28:18 UTC
AV detection:
12 of 48 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s27rrhevjtzg2kvfju7j3kpanux357szek2iwevvgax34c3e4lfq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1a1dced1428208836f04f4ec0654f13786b2fb5244891eaffc48da37c87af8ec
RemcosRAT
1e5a328f760c35f905390fb4bcf0eefa75936c79a43e22ca7557da0e315c72ed
RemcosRAT
2f85c41ee13d69e68454d97153252e8ba9a3a0e85573427eac0600d41fa6824d
RemcosRAT
5527aee4e45fad012be08beb8622e0471286523fa3abb1719d1f71deedf323eb
RemcosRAT
558791ef8ee4a269644ecce15552270a2e8f287603308069084793370ba9451d
RemcosRAT
6cef436fd5577158e43bd7cc85ea84cdac90044d8e9f93c254ee7ed119fa7aed
RemcosRAT
9f2fc689de26cd7461adc91dad9e369d3250df1819466f565ff0623e3c874755
RemcosRAT
b1e15b9a8dad8e09e6a44215449f0b4f9fb269f6e00a3106a520780e43c2efd8
RemcosRAT
d96b554a08cd2f503d6a1ffe5303b34f8bd6f91b369bd95e9d16642b4fece2cb
RemcosRAT
faf6463f13ccaac3980d0d71fdb44e4f56d4a519612e215e021af67140d7e855
RemcosRAT
+ 123 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos evasion rat
Link:
https://tria.ge/reports/210301-8szh5ma5s6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Uses the VBS compiler for execution
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Remcos
Malware Config
C2 Extraction:
rainbowsmile.freeddns.org:7707
Unpacked files
SH256 hash:
e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44
MD5 hash:
b6ce7c1d81b9271eab825ea63de154c3
SHA1 hash:
0e7b89555314f8908c1098b652c9bf50e5ecc27b
Link:
https://www.unpac.me/results/5b69612b-7486-4e32-ade9-35970e2d3526/
SH256 hash:
96bf189c954cf26d2aa54d3e9da9e06d2fbefe5922b48b12b5302fbe0b64e2cb
MD5 hash:
8f3033d2dabb4194835450498aeb396b
SHA1 hash:
224d978ee82ca513f30eeab4bc64c8568adf961e
Link:
https://www.unpac.me/results/5b69612b-7486-4e32-ade9-35970e2d3526/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/96bf189c954cf26d2aa54d3e9da9e06d2fbefe5922b48b12b5302fbe0b64e2cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 93f2bdef93592826bf9bb77b284ca0159b7656e52cd58c5cd770fff8f3bc1a06

RemcosRAT

Executable exe 96bf189c954cf26d2aa54d3e9da9e06d2fbefe5922b48b12b5302fbe0b64e2cb

(this sample)

  
Dropped by
MD5 0f1d8c9e84c08bdce69f15df8bcc7c7f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120131/
  
Dropped by
SHA256 93f2bdef93592826bf9bb77b284ca0159b7656e52cd58c5cd770fff8f3bc1a06

Comments