MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a066bc99ab0c50dcab13674a1857996d12686443c35b02ae9920eb854942ea16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a066bc99ab0c50dcab13674a1857996d12686443c35b02ae9920eb854942ea16
SHA3-384 hash: 95a205fd5e13103ba3b036b2a3f2414cbaab1ba31edcf3c9f32d0a3a99d7200b3cb926d6c8be121c3aabb77b067ea1bb
SHA1 hash: e9d03cde6c4b47463042fb5a62f65158fcd904b6
MD5 hash: fddc7a8c7b9ad37e74b5e8a6f5a5c057
humanhash: six-cup-jersey-cardinal
File name:Nuevo pedido _WJO-001,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:849'920 bytes
First seen:2021-10-05 05:30:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8276363bcf2f383c8cd04fac30801161 (10 x RemcosRAT, 2 x NetWire, 1 x Formbook)
ssdeep 12288:0w6jlNSq3W9F1Sa+tiDWIyNSYAycjL7YiEFXXXB:Naeq3gF1Sf+WIydAyAdSXXXB
Threatray 2'729 similar samples on MalwareBazaar
TLSH T1500519642250532CF1633775E81B025477D1A83C1E145BB7F2A82B4B1BAFB869EE847F
File icon (PE):PE icon
dhash icon 1432694969516806 (10 x RemcosRAT, 2 x NetWire, 1 x Formbook)
Reporter abuse_ch
Tags:ESP exe geo RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Nuevo pedido _WJO-001,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-10-05 05:34:49 UTC
Tags:
installer trojan rat remcos
Link:
https://app.any.run/tasks/bd7db802-1c7a-4355-bf40-d61a6c5e39ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194839/
Detection(s):
Win.Trojan.Remcos-9897068-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/615c0631b95458900cdc5f11/reports/210d095e-3474-47a0-aa40-fd5c9bdddeff/overview
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d00f88d-b598-4e12-b428-03dd54f8114b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864427
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 496854 Sample: Nuevo pedido _WJO-001,pdf.exe Startdate: 05/10/2021 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Detected Remcos RAT 2->63 65 3 other signatures 2->65 8 Nuevo pedido _WJO-001,pdf.exe 1 22 2->8         started        13 Vaihxjo.exe 15 2->13         started        15 Vaihxjo.exe 15 2->15         started        process3 dnsIp4 45 sn-files.fe.1drv.com 8->45 47 onedrive.live.com 8->47 49 mopvyq.sn.files.1drv.com 8->49 41 C:\Users\Public\Libraries\...\Vaihxjo.exe, PE32 8->41 dropped 77 Writes to foreign memory regions 8->77 79 Allocates memory in foreign processes 8->79 81 Creates a thread in another existing process (thread injection) 8->81 17 DpiScaling.exe 2 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        51 sn-files.fe.1drv.com 13->51 55 2 other IPs or domains 13->55 83 Injects a PE file into a foreign processes 13->83 25 secinit.exe 13->25         started        53 sn-files.fe.1drv.com 15->53 57 2 other IPs or domains 15->57 27 mobsync.exe 15->27         started        file5 signatures6 process7 dnsIp8 43 nnnnoy.ddns.net 194.5.97.16, 49778, 49870, 49882 DANILENKODE Netherlands 17->43 67 Contains functionalty to change the wallpaper 17->67 69 Contains functionality to steal Chrome passwords or cookies 17->69 71 Contains functionality to capture and log keystrokes 17->71 75 2 other signatures 17->75 29 reg.exe 1 21->29         started        31 conhost.exe 21->31         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        73 Contains functionality to steal Firefox passwords or cookies 25->73 signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a066bc99ab0c50dcab13674a1857996d12686443c35b02ae9920eb854942ea16/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 05:30:20 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ubtlzgnlbrinzkytm5fbqv4znujgqzcdynnqfluzedvykskc5ila._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
03a2c05c408ace3acc2aafa073fe3c1168366c43878e8839f9164827794f1a8f
RemcosRAT
046ff9f608525faf76e353263ddad485e547ff4797b183ddd850f0f2c8209f91
RemcosRAT
595a6f87c8d7f4d41ff378424f03f27187b5abb95f8e8ca2507a00f01bacd11b
RemcosRAT
65228df6e85371a2b4b1e5340f11e36cdc94f8b39bda216c0ed143eaac36912b
RemcosRAT
6cdb03bc316fbf184d610d24d85ca86ec2269413ae8ae8ac87f296afb08dacea
RemcosRAT
a4ab58cc18771c7141e96d45714b7aeb046ff7173ec5266f08da7b28d411744e
RemcosRAT
ab9041fe7e0a4a439521d6eb01cc16d74c00a0427c86b067120ac453ba7329d9
RemcosRAT
b9a4e85c7d4645fd515eb3f8b883ee8e5990ff4381a90b5a8f42bff007fbb386
RemcosRAT
d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293
RemcosRAT
dfa55212542ed697d1dba24d643315d5b3b3cbd659b68a11f9174a68fdaf4cf6
RemcosRAT
+ 2'719 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:jimbo persistence rat
Link:
https://tria.ge/reports/211005-f7qleshedn/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
nnnnoy.ddns.net:5367
Unpacked files
SH256 hash:
f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703
MD5 hash:
6cfdeebc3c72279486ddd229eb14b009
SHA1 hash:
e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7
Link:
https://www.unpac.me/results/833fa86d-0ca9-48b5-aefd-14b34b0f2162/
SH256 hash:
db3ed604c1e4bff531698e8157936a0af8d005a18190451ed3314e891cb02ba6
MD5 hash:
3b132127991110e16eff556c34026b86
SHA1 hash:
ad108a1444d9aee5ffbc229f87cfa02ebd7c3e8f
Link:
https://www.unpac.me/results/833fa86d-0ca9-48b5-aefd-14b34b0f2162/
SH256 hash:
a066bc99ab0c50dcab13674a1857996d12686443c35b02ae9920eb854942ea16
MD5 hash:
fddc7a8c7b9ad37e74b5e8a6f5a5c057
SHA1 hash:
e9d03cde6c4b47463042fb5a62f65158fcd904b6
Link:
https://www.unpac.me/results/833fa86d-0ca9-48b5-aefd-14b34b0f2162/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a066bc99ab0c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a066bc99ab0c50dcab13674a1857996d12686443c35b02ae9920eb854942ea16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194839/

Comments