MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 970e593b7c2c52df8da7bba34b54056690264c4dd3c56b8a5e7d221e3bac2ca9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 970e593b7c2c52df8da7bba34b54056690264c4dd3c56b8a5e7d221e3bac2ca9
SHA3-384 hash: cd2acab3afa8db04ef1292e327d78db6ffd234b7d4bb0e00313e02371d6922e8e6e1f881fa2d26c1812d52e6a819863d
SHA1 hash: 36f2d6ebd3c3433ace934fef3fd11d6d97f5e1d4
MD5 hash: 0443fdf56fe700300fe0bc6257d91f83
humanhash: chicken-foxtrot-equal-august
File name:Payment of bank details,zip.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'161'016 bytes
First seen:2020-10-27 10:17:11 UTC
Last seen:2020-10-27 12:16:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 24a4caa171cf0a3c7ac6185c64ca5d29 (13 x ModiLoader, 3 x RemcosRAT)
ssdeep 12288:4JROS/D7RYUfXkIlC+23Oy55Wf/lJrQGi/uV9S7AlPBbrEZlgfkmHvXbCyVsQHw5:4P3taIH23P5IJnqU3rLCX95
Threatray 1'245 similar samples on MalwareBazaar
TLSH A5358DE2A69504E6F132EA788F7746E345FDBC3138384CA536A82D097AFF1412D5ED42
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.nipponcarsrl.com.ar
Sending IP: 200.114.86.103
From: NOVAIR <contact@novair.fr>
Subject: bank details
Attachment: Payment of bank details,zip.zip (contains "Payment of bank details,zip.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79796/
Detection(s):
PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/513308
Signature
Contains functionality to detect sleep reduction / modifications
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/970e593b7c2c52df8da7bba34b54056690264c4dd3c56b8a5e7d221e3bac2ca9/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 06:44:11 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s4hfso34frjn7dnhxoruwvafm2icmtcn2pcwxcs6purb4o5mfsuq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0abf0f61f1a7805aedb6e7b825de9ab83042f00d7ed6f0af817e45fe5c67c7bd
RemcosRAT
31963673bc347fe4a6c795c90a0bcbddbf701158feab1b831bce2b082aeacf7f
RemcosRAT
46ff7f6619eda7e3b2c5b36a2d3f21b154749d31ae2695c4d23c992361ce1f58
RemcosRAT
5b1f1843bbb992e3d5c635aa69d8409de4ae4d3f04cf19994d8e953e99cf451a
RemcosRAT
5b6f4a000f03183f2bbbebf07130189f5f5b9617dba37f9b90980ec228ba8180
RemcosRAT
99a8e371d2d05838012be53f7e86a675acdc9be4770eb4372779a85a574c2f1a
RemcosRAT
9b60c965a1425ff01954ce6a917cb4486d5af5cb36f538233139042ea324a64e
RemcosRAT
b8c6d9ced99143d34fd8829125c6ff46bc0c55569f401ec4d1354f3d0825c4c4
RemcosRAT
c358b44f578fd2dedbb1899038415395ae2052c113aaa149481cde295e022bda
RemcosRAT
ce30dea0b1d4fa181753600eb63c1d2f1a7de1bd848dcdbe196f6a35afef0ea9
RemcosRAT
+ 1'235 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201027-ctvhxbh7xx/
Behaviour
Modifies registry key
Script User-Agent
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip f54b6d19885bb3f5bc61770364aeba83a49dc2f2da43dddc6f088c695294c8ad

RemcosRAT

Executable exe 970e593b7c2c52df8da7bba34b54056690264c4dd3c56b8a5e7d221e3bac2ca9

(this sample)

  
Dropped by
MD5 bc2759818d4924deaeafdfb6481a1b43
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f54b6d19885bb3f5bc61770364aeba83a49dc2f2da43dddc6f088c695294c8ad
Cape
Cape
https://www.capesandbox.com/analysis/79796/

Comments