MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a289fb24de3542ae7f900243e70a57459631cf5d4fba19e7df4282f51b9f6434. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 9 File information Comments

SHA256 hash:	a289fb24de3542ae7f900243e70a57459631cf5d4fba19e7df4282f51b9f6434
SHA3-384 hash:	70e5b36fa8b3bde9cb539a3739050f1c46bb68e5867eacfff733fdb4da0510e1c7a5e5b177e7c6b2358634c897cc6812
SHA1 hash:	cb01668cab7194911fe88f9411d5481848a183c0
MD5 hash:	f006c65434d7d425b182d35ad4c0dff0
humanhash:	whiskey-fruit-emma-emma
File name:	MRC20201030XMY, pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	355'840 bytes
First seen:	2021-01-31 07:41:41 UTC
Last seen:	2021-01-31 09:59:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	6144:aBKU0rb4EdQ7roeAChBK3mhbWwJJUR1ls7Q58Q/3TzLNr:aB40qUSCjsmRsRr51Dz5
Threatray	1'484 similar samples on MalwareBazaar
TLSH	9B74BD85FA598A60DC6D97712632D8700B333C7E6974E60D2DCE3CBB3A7B7624411A63
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: beta.etsii.upm.es
Sending IP: 138.100.71.89
From: Valentina Zandoli <Admin-AR1@gratenau.com>
Subject: Re: Orden revisada MRC20201030XMY
Attachment: MRC20201030XMY, pdf.cab (contains "MRC20201030XMY, pdf.exe")

RemcosRAT C2:
graceland777.ddns.net

Intelligence

File Origin

# of uploads :

# of downloads :

163

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

MRC20201030XMY, pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-01-31 07:44:30 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/34aa8e4c-60d8-468e-b897-de40d930e038

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/114912/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file

Forced shutdown of a system process

Enabling autorun by creating a file

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/594705

Signature

.NET source code contains potential unpacker

Detected Remcos RAT

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM_3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/a289fb24de3542ae7f900243e70a57459631cf5d4fba19e7df4282f51b9f6434/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-01-29 13:07:18 UTC

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uke7wjg6gvbk474qajb6ocsxiwlddt25j65btz67ikbpkg47mq2a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

3b1b352f3c4d0fe235b45d9db418e1e4155ab31265ee368ed646ac38071a2eda

RemcosRAT

4791861118e0be776fd14153e2feca7d25f5a91a6c32a997385f5ae272e3d7c8

RemcosRAT

5b10f4a23880b51923a0df3e9e3c37f40eb0d3cc93de7b463da62f936a501385

RemcosRAT

61d9f4cbc76b7889d7d17d262b63c0fd2ee40642653063b1eb6ab84397f8c57b

RemcosRAT

6372ae847b488481c88de86079a1daf8871f1715cc7d7f1b868a9fade4463881

RemcosRAT

82027bdaf86e2d0da1c45ede5efd820a1cbaace1b1b8f7675b8115d82db75f26

RemcosRAT

d34e588c8bef9cef39708c52f7f372bcd4b5fc39e4eaf0b9193aa586a10d7cc2

RemcosRAT

dfd3c33bf7be405cea03a045f3df2d9ff35f04c7da918eb916b6f224a58eea1f

RemcosRAT

e26c95b32b64e3f7b5d72d52be2fd7cb52c7a2c1df25f5337a783a1735f806ad

RemcosRAT

+ 1'474 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos ransomware rat

Link:

https://tria.ge/reports/210131-8yxzne36xs/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Remcos

Malware Config

C2 Extraction:

graceland777.ddns.net:7773

Unpacked files

SH256 hash:

a289fb24de3542ae7f900243e70a57459631cf5d4fba19e7df4282f51b9f6434

MD5 hash:

f006c65434d7d425b182d35ad4c0dff0

SHA1 hash:

cb01668cab7194911fe88f9411d5481848a183c0

Link:

https://www.unpac.me/results/3b1fa1f8-409b-4571-b639-e4afc6d2507d/

SH256 hash:

574677fb4bae73fcce514163daee829208f4234c5190a45001df8c73c2079b63

MD5 hash:

93dea6f127e403ce88f69177012453cd

SHA1 hash:

6eab9e34cf5cc5b29ee08ed993926757f1e981f9

Link:

https://www.unpac.me/results/3b1fa1f8-409b-4571-b639-e4afc6d2507d/

SH256 hash:

a2a0bbbe8c9ee88441356010f63455c50dfcafe663db757bbc453c815c51d720

MD5 hash:

11e80c54bfeff7f0c120dae46df0a8be

SHA1 hash:

d597b9b0dcac06f0aa00a931bb90de8eba564651

Link:

https://www.unpac.me/results/3b1fa1f8-409b-4571-b639-e4afc6d2507d/

SH256 hash:

9f27ac79426a00906264371e92134f464cf84f0b43ed4a894a96b5fc0119056c

MD5 hash:

520ffdf455cf1d31769be34ab740fd4a

SHA1 hash:

9c1b871b3371205cae276ca0fbd6da673af8580d

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/3b1fa1f8-409b-4571-b639-e4afc6d2507d/

Parent samples :

846d00828895f5f9d2089acfb7394c108c1dc538a0d738982e5636335745913f
a289fb24de3542ae7f900243e70a57459631cf5d4fba19e7df4282f51b9f6434

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/a289fb24de3542ae7f900243e70a57459631cf5d4fba19e7df4282f51b9f6434

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator