MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7ada9eefa9c775d0215af6bc497e305f8067290f5e9642e582c6d4c3ec65756. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7ada9eefa9c775d0215af6bc497e305f8067290f5e9642e582c6d4c3ec65756
SHA3-384 hash: 8bfd514fd431f2c5b3dbd48bfdc86362cc151574e9d080785fb57b5182d8ef6d140ed7727c0767a4e00a43df6e4a0114
SHA1 hash: 9929ccd810f335d2d2b84e7ba519940bb9f58fe8
MD5 hash: ed01719e79f8008d4ede16e7edff753a
humanhash: alabama-iowa-florida-paris
File name:PO-scandocumentsfile00108392.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:871'936 bytes
First seen:2021-01-15 07:16:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:icg+NIAfdIZy0hF5ImlaElE9Yt9gusNqdE/rN:icdNBfghF5Imlllzt9g5cmZ
Threatray 1'385 similar samples on MalwareBazaar
TLSH 76059D3C277BBE8CD0751AB60EE1592707623D0625F8D61E0CD97ECA0576B402DA9EB3
Reporter abuse_ch
Tags:exe MailChannels RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: camel.ash.relay.mailchannels.net
Sending IP: 23.83.222.29
From: Himani Nawani <seeds@jardinfoods.ca>
Subject: RE: New Purchase Order
Attachment: PO-scandocumentsfile00108392.z (contains "PO-scandocumentsfile00108392.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO-scandocumentsfile00108392.exe
Verdict:
Malicious activity
Analysis date:
2021-01-15 07:45:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/06ee36fc-2bdd-4bdc-a903-2ef302d76765

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112193/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Sending a UDP request
Creating a file
Forced shutdown of a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/582212
Signature
.NET source code contains potential unpacker
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7ada9eefa9c775d0215af6bc497e305f8067290f5e9642e582c6d4c3ec65756/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-15 07:17:35 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6w2t3x2tr3v2aqvv5v4jf7dax4am4uq6xuwilsyfrwuypwgk5la._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4791861118e0be776fd14153e2feca7d25f5a91a6c32a997385f5ae272e3d7c8
RemcosRAT
4a94b062dbb9df940520146d100df5b019795d0f508d7ba89d24eb18725e1608
RemcosRAT
5ab68910c53ccaea0aa6c9e51fa8ad92433cba369163f99f636973b32abda555
RemcosRAT
5b10f4a23880b51923a0df3e9e3c37f40eb0d3cc93de7b463da62f936a501385
RemcosRAT
b4156e553eb5b0bad1d240dd170820106d6ca6bc0d1984a9d09030864349d964
RemcosRAT
c07fd0e28659f9346a6330682e6c598df98402f2b853b6e00fef908ce432ee42
RemcosRAT
da7f542b91835ba3090350c2936641058c361e332eda9222f0674dfcbefd4ce9
RemcosRAT
eea168e9c8f089b1c8aa25fe54e17f987ea0a85b24009197d77c08295f4cf2a4
RemcosRAT
f43a96ccf1d23d7dda1abbc2bea16ecbb2fb43b2f05e4015ff69c02e2c144ab2
RemcosRAT
f7e29cbf47c9804eb341836873ea6837be7a46639978f44d9ba2670d47e68d56
RemcosRAT
+ 1'375 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210115-lwteqraxrs/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
www.maneediem.com:2404
Unpacked files
SH256 hash:
db10f1771576595a70b6b11fe7598c32cfc68a60967238cb1ba1eb84f4d2d2d4
MD5 hash:
0a25ec711facf4dc2a84c7e2aba10050
SHA1 hash:
cad72ec3f452988df6e08d690a0de793fee53ead
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/ebddd09c-059c-4b76-b9b6-bb30f1ee0d93/
SH256 hash:
bf62b24d50d72019ee26d93f1ac2815c9e15828b35dfdd5e281ae3f3e1d02780
MD5 hash:
c0e09780322f2a8b78f1dd9ae24fcec2
SHA1 hash:
da5362a7d11b46c9ee3abe8cca58c2e7cbca716e
Link:
https://www.unpac.me/results/ebddd09c-059c-4b76-b9b6-bb30f1ee0d93/
SH256 hash:
7654ad9e67599d376ad77c7b23273fd334f0ea8c07394dd17d72fcc90a0b0b6f
MD5 hash:
f40a2d4ae8e4d031f0e7ff0caf28ebbf
SHA1 hash:
99e874b66617bcd9566db86de732c3fb55f5a6b0
Link:
https://www.unpac.me/results/ebddd09c-059c-4b76-b9b6-bb30f1ee0d93/
SH256 hash:
a7ada9eefa9c775d0215af6bc497e305f8067290f5e9642e582c6d4c3ec65756
MD5 hash:
ed01719e79f8008d4ede16e7edff753a
SHA1 hash:
9929ccd810f335d2d2b84e7ba519940bb9f58fe8
Link:
https://www.unpac.me/results/ebddd09c-059c-4b76-b9b6-bb30f1ee0d93/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7ada9eefa9c775d0215af6bc497e305f8067290f5e9642e582c6d4c3ec65756

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 6cf8e3691b316cb2b4a4d3b81b83d51a660d3b1fc80d05aaa703ea47efe2aa82

RemcosRAT

Executable exe a7ada9eefa9c775d0215af6bc497e305f8067290f5e9642e582c6d4c3ec65756

(this sample)

  
Dropped by
MD5 976d42873c0dbccf6043e1f641cefe91
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6cf8e3691b316cb2b4a4d3b81b83d51a660d3b1fc80d05aaa703ea47efe2aa82
Cape
Cape
https://www.capesandbox.com/analysis/112193/

Comments