MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa5c39997004aa4812c18e151a5bfd5d2fda4a380c8d1f34111cafcee955dcff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	aa5c39997004aa4812c18e151a5bfd5d2fda4a380c8d1f34111cafcee955dcff
SHA3-384 hash:	adbcec219905c1d897c23701b32216566bb5d4a339809941e670b4782304eac746997dcb5bbce0705967ed299d79ed5b
SHA1 hash:	7a51e6e933f4ddf15e6c5e6da41d2ec46e764c03
MD5 hash:	3c024d9569b3dee99aefea280984bedc
humanhash:	saturn-oven-crazy-whiskey
File name:	CONFIRMACIÓN DE PEDIDO CVE3757,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	669'184 bytes
First seen:	2021-09-30 17:23:50 UTC
Last seen:	2021-09-30 18:21:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	37eb007caca04517136e6f2437bd7b42 (6 x RemcosRAT, 4 x Formbook)
ssdeep	12288:6xAWXql73WhMWZP6I2Wjh2h785jWU1bjjx:6xfXqlKCW92chM85SU1bj
Threatray	887 similar samples on MalwareBazaar
TLSH	T1E2E47DBAD2AA087ED631143FDC6BF2159438FED51C77648673EC2E84EF58640713A226
File icon (PE):
dhash icon	e1b0b6c2736a7878 (6 x RemcosRAT, 4 x Formbook)
Reporter	abuse_ch
Tags:	ESP exe geo RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

191

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

CONFIRMACIÓN DE PEDIDO CVE3757,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-09-30 20:50:23 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/b9326f25-e6ac-4e3a-90e2-96757cf0bdb1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/193752/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.26590.16247.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9bf0104d-d73a-4ab3-9f78-d35e8aa7d817

Result

Threat name:

Remcos DBatLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/862140

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected DBatLoader

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa5c39997004aa4812c18e151a5bfd5d2fda4a380c8d1f34111cafcee955dcff/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-09-30 17:24:11 UTC

AV detection:

12 of 45 (26.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vjodtglqasveqewbrykruw75lux5usrybsgr6nardsx452kv3t7q._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

688f62abf01d9eba0c4557f284290a119ee887c1d7f2d5da48014447404cacb9

RemcosRAT

6a3aa7d5ab777a2824d7d312dfd49e0b03e30959a9219e7f782860d2d8b9a12c

RemcosRAT

7e6b40371751970ec5b3b17f02a89ac6ff1b7f9ec20210144fd75f992c3af21e

RemcosRAT

a4e0f53f95a9c758592dfd652c6c7bdc3535d45b7f4ab2c2bb6a7e2f3b215526

RemcosRAT

b70ee93e9f63d90785264d45dae48012a1d00b92f63c21ccae0f5d2003c00554

RemcosRAT

bd57352d9ece91a5b500a1172723466691cfa51081ceb792d42f46176231d6da

RemcosRAT

d4bd7d642e2ddcab2e7e6990d7e41b50826bb0354531b42926ba989cb3109880

RemcosRAT

db2b53d49bd5464be6cb3d4492094e8c0b7c3a7cc87b6a2a3f57d30fb3454d1c

RemcosRAT

e1686c75b6d0982c533063557289dd24d66ba74a9dd37cd5d328c3451035a01f

RemcosRAT

+ 877 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:gr8est persistence rat

Link:

https://tria.ge/reports/210930-vyqmdsaca7/

Behaviour

Modifies registry key

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

manneedmoney.ddns.net:6642

Unpacked files

SH256 hash:

f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703

MD5 hash:

6cfdeebc3c72279486ddd229eb14b009

SHA1 hash:

e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7

Link:

https://www.unpac.me/results/b287d96e-7a5a-488f-838c-1a8d1292701a/

SH256 hash:

aa5c39997004aa4812c18e151a5bfd5d2fda4a380c8d1f34111cafcee955dcff

MD5 hash:

3c024d9569b3dee99aefea280984bedc

SHA1 hash:

7a51e6e933f4ddf15e6c5e6da41d2ec46e764c03

Link:

https://www.unpac.me/results/b287d96e-7a5a-488f-838c-1a8d1292701a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/aa5c39997004/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.50

Link:

https://yomi.yoroi.company/submissions/aa5c39997004aa4812c18e151a5bfd5d2fda4a380c8d1f34111cafcee955dcff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/193752/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample