MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a972b68b050a973ba7815570e6b6d85c20629defc5c4c5bfd3f44abae041feb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a972b68b050a973ba7815570e6b6d85c20629defc5c4c5bfd3f44abae041feb5
SHA3-384 hash: 51145a98576899cb8e30be401f7cea209b1cd9d142446a60f98062d63203e5f74721a80c30c2e3da15349a867c18cc12
SHA1 hash: 649abd82a7f09f667c9816d5e74f622ae215ffa3
MD5 hash: 1e95524ce703d52a90509af7d3853841
humanhash: finch-sweet-football-eleven
File name:REQUEST FOR QUOTATION.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:917'136 bytes
First seen:2021-02-16 18:51:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 64b747126920f2db0c64929f48d320a0 (10 x RemcosRAT)
ssdeep 12288:DOzzcxrBWwx/vdym2RHAxMGD5usGjgkCoDaMycZ+HB9:DUzQJ1Z2xzGDAsG0ktDocGB9
Threatray 541 similar samples on MalwareBazaar
TLSH 4915D4F2E95A4E31F01B143DE58AFB781826BCF1391D84694ED87F06AAA336C35114B7
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: mail0.apicalways.xyz
Sending IP: 139.59.255.39
From: Accountant < sales@apicalways.com>
Subject: REQUEST FOR QUOTATION TO SUPPLY ATTACHED PRODUCTS
Attachment: REQUEST FOR QUOTATION.xz (contains "REQUEST FOR QUOTATION.exe")

RemcosRAT C2:
blacice24.ddns.net:5454

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117400/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Fareit-FZO09A1DED20B2A.11837.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
DNS request
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/609347
Signature
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a972b68b050a973ba7815570e6b6d85c20629defc5c4c5bfd3f44abae041feb5/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-02-16 18:52:08 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vfzlncyfbkltxj4bkvyonnwylqqgfhppyxcmlp6t6rflvycb722q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
350d9e0fce3c72fb6c63235194c1e9c986d38c13866e756f85c31faa95f4ef2b
RemcosRAT
5600ff14a9cefe751c0f39157a79d3f7924706900c664bc18c58673afeb5419e
RemcosRAT
6f36247a75a5c0d88dab6c2430443d4dd70e9aadc57caa81ed952ea1c49c182a
RemcosRAT
763d415415add2ffc6d482373e211c8c8b647ee46ade5e8dacce10f79d515e2b
RemcosRAT
933d0f6581cbeffb81bdd14c08cab5336829bb6ecc95eea0488ac70d36e70b5c
RemcosRAT
cbf5b54d5d1c70086efefea16f38b80a329cb96bb5a59e709b0ab2304acb157c
RemcosRAT
d96b554a08cd2f503d6a1ffe5303b34f8bd6f91b369bd95e9d16642b4fece2cb
RemcosRAT
f436b8e7b214f3f56d0c62326e37653f87184760b406ab4f6eae79a5c34297b1
RemcosRAT
f5b21be44a7076a4414adf52f6bae43d0dfbcd460bc35921e5ea81549ea16f4a
RemcosRAT
facf1bd37fa739f82bc10a7a6e7436b4871af89e3c8389270673e2dbb76200e4
RemcosRAT
+ 531 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat spyware
Link:
https://tria.ge/reports/210216-tb8s2fsc6a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Unpacked files
SH256 hash:
6c5faf9784abeff03bdbe2522b9da9862ac8eb9d333f608f8ef28719565968df
MD5 hash:
dff8986eae6a2b85730955c35b506f1a
SHA1 hash:
0b20d24bdd350524c25f5d513d1b3f8e4315c989
Link:
https://www.unpac.me/results/75865f83-d1f2-4d90-94f3-5f4d929056d5/
SH256 hash:
a972b68b050a973ba7815570e6b6d85c20629defc5c4c5bfd3f44abae041feb5
MD5 hash:
1e95524ce703d52a90509af7d3853841
SHA1 hash:
649abd82a7f09f667c9816d5e74f622ae215ffa3
Link:
https://www.unpac.me/results/75865f83-d1f2-4d90-94f3-5f4d929056d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a972b68b050a973ba7815570e6b6d85c20629defc5c4c5bfd3f44abae041feb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 400c3baf67e51f420c62d86957a35595a65ed0c719c51bb16528720fe4a1641e

RemcosRAT

Executable exe a972b68b050a973ba7815570e6b6d85c20629defc5c4c5bfd3f44abae041feb5

(this sample)

  
Dropped by
MD5 e4359bccd092056f9a593a2dc1a471ce
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/117400/
  
Dropped by
SHA256 400c3baf67e51f420c62d86957a35595a65ed0c719c51bb16528720fe4a1641e

Comments