MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0ea02a7f014a75cdac99e151ad55106f49e8e4a068bb3df8b5d38c19778c248. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0ea02a7f014a75cdac99e151ad55106f49e8e4a068bb3df8b5d38c19778c248
SHA3-384 hash: 7feaabdbc3f27238eee0e6dff07495bb95a1282d2fbac24f4d778653eed998d8b99826c849bd1c8c0f1cb3af2fbd92a4
SHA1 hash: 64ae1f4cc95bf39728cf3f3d01df5f0bcfd35ad0
MD5 hash: cebe856c1cf5664e201477f498a96765
humanhash: timing-ack-freddie-florida
File name:Order inqiury_11.........................................................................scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:490'736 bytes
First seen:2020-10-19 06:30:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:T39l3wnOPaYGyBIU9gPPB+bRaLMPIlqajMhMhMhMMMhMhMhMzMhMhMhMeMhMhMhc:T34CaYGyiN+aHqDQgSH
Threatray 883 similar samples on MalwareBazaar
TLSH 99A462DD12CD096FEC7D692B0F3060881DA1BDB32BA8E779D4E0B4F92171A10A76F558
Reporter abuse_ch
Tags:RemcosRAT scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: lokghs.xyz
Sending IP: 104.131.186.84
From: care@connectsmtp.tech
Subject: This is for your kind review and approval.
Attachment: Order inqiury_11.img (contains "Order inqiury_11.........................................................................scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching a process
Creating a process with a hidden window
Creating a window
Adding an access-denied ACE
Creating a file
Connection attempt
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Connecting to a non-recommended domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Enabling autorun
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494902
Signature
.NET source code references suspicious native API functions
Connects to a pastebin service (likely for C&C)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Country aware sample found (crashes after keyboard check)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected Remcos RAT
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299910 Sample: Order inqiury_11.............. Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 57 grace2020.sytes.net 2->57 73 Malicious sample detected (through community Yara rule) 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 8 other signatures 2->79 8 Order inqiury_11.........................................................................exe 18 4 2->8         started        13 Order inqiury_11.........................................................................exe 2->13         started        15 Order inqiury_11.........................................................................exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 63 www.google.it 172.217.168.67 GOOGLEUS United States 8->63 65 hastebin.com 172.67.143.180, 443, 49731, 49747 CLOUDFLARENETUS United States 8->65 67 192.168.2.1 unknown unknown 8->67 51 Order inqiury_11.....................exe, PE32 8->51 dropped 53 Order inqiury_11.....exe:Zone.Identifier, ASCII 8->53 dropped 89 Creates an undocumented autostart registry key 8->89 91 Hides threads from debuggers 8->91 19 ilasm.exe 2 3 8->19         started        23 timeout.exe 1 8->23         started        25 WerFault.exe 23 9 8->25         started        93 Creates autostart registry keys with suspicious names 13->93 95 Creates multiple autostart registry keys 13->95 27 timeout.exe 13->27         started        69 104.24.127.89, 443, 49754, 49756 CLOUDFLARENETUS United States 15->69 55 Order inqiury_11.................exe.log, ASCII 15->55 dropped 29 timeout.exe 15->29         started        71 104.24.126.89, 443, 49745 CLOUDFLARENETUS United States 17->71 31 timeout.exe 17->31         started        33 timeout.exe 17->33         started        35 timeout.exe 17->35         started        37 5 other processes 17->37 file6 signatures7 process8 dnsIp9 59 grace2020.home-webserver.de 103.151.124.210, 8988 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN unknown 19->59 61 grace2020.sytes.net 19->61 81 Contains functionality to steal Chrome passwords or cookies 19->81 83 Contains functionality to capture and log keystrokes 19->83 85 Contains functionality to inject code into remote processes 19->85 87 Contains functionality to steal Firefox passwords or cookies 19->87 39 conhost.exe 23->39         started        41 conhost.exe 27->41         started        43 conhost.exe 29->43         started        45 conhost.exe 31->45         started        47 conhost.exe 33->47         started        49 conhost.exe 35->49         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0ea02a7f014a75cdac99e151ad55106f49e8e4a068bb3df8b5d38c19778c248/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2020-10-18 23:38:17 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wdvafj7qcstvzwwjtykrvvkra32j5dska2f3hx4llu4mdf3yyjea._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1a1924da9d272ea46f8a0a62d7e2ecf01746e9a7621c8b1c36950788c3a3bd8c
RemcosRAT
485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87
RemcosRAT
73034f52ab0662e125659b9771ecd27259b03e3635fbeda5d7252f53fb2bbc7f
RemcosRAT
736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f
RemcosRAT
83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4
RemcosRAT
857ad0bf941ee434d96692477bec16c72571ce266091ba4bcc6952f409aff198
RemcosRAT
be83ef519ed5e3e444b10b4dd8a77515cda4993c6ce69f565405c9c2bd0901bc
RemcosRAT
d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293
RemcosRAT
e39c2e98071d4440d02e6d1aa86111536d6d01554489bd71f890455c05e424d3
RemcosRAT
eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2
RemcosRAT
+ 873 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence rat family:remcos
Link:
https://tria.ge/reports/201019-h4wmkgt1na/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Modifies WinLogon for persistence
Remcos
Unpacked files
SH256 hash:
b0ea02a7f014a75cdac99e151ad55106f49e8e4a068bb3df8b5d38c19778c248
MD5 hash:
cebe856c1cf5664e201477f498a96765
SHA1 hash:
64ae1f4cc95bf39728cf3f3d01df5f0bcfd35ad0
Link:
https://www.unpac.me/results/f87eb4ec-a451-4d06-b038-409e182489ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/b0ea02a7f014a75cdac99e151ad55106f49e8e4a068bb3df8b5d38c19778c248

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img 2c525ed26c4c1bb48ad362ab1f3f070019da82cab46f3a430d98acdde04e78e1

RemcosRAT

Executable exe b0ea02a7f014a75cdac99e151ad55106f49e8e4a068bb3df8b5d38c19778c248

(this sample)

  
Dropped by
MD5 e1b4db0e02dac858cd31e6a9cc4582e9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2c525ed26c4c1bb48ad362ab1f3f070019da82cab46f3a430d98acdde04e78e1
Cape
Cape
https://www.capesandbox.com/analysis/72725/

Comments