MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b530ffc8af72cb51943f2fb8f38bc778c4544f57b61de593960dd4a97327ca64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b530ffc8af72cb51943f2fb8f38bc778c4544f57b61de593960dd4a97327ca64
SHA3-384 hash: d9f58e6cb32d11963a2a8efa4fe03b8452284fd1d33ad6fe70984a1c1de030dc436d57f0e0e810f0f79db65d64b22b43
SHA1 hash: 03c5bcdc077a42a8f8c51bbd4c1975d74572ce14
MD5 hash: 9ba9616a69760f5904e6442cb21c0449
humanhash: william-xray-golf-burger
File name:Contract.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:771'072 bytes
First seen:2020-10-21 07:55:52 UTC
Last seen:2020-10-25 21:44:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:AesDpcJqvOnF9e2iNoRLAROZOuNjHUwVo11OwNVWdfqXP0tDz:A/1KFbho1AwNVWd9
Threatray 882 similar samples on MalwareBazaar
TLSH DDF4CE3532E9BF10E06D463BC9A0A461DBFADC03EA12D46ABCDD369D5FB1BA50512703
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: arslanturktr.com
Sending IP: 37.49.225.237
From: Ensar Ozserdar | Arslanturk S.A <ensar.ozserdar@arslanturktr.com>
Subject: New Contract
Attachment: Contract.gz (contains "Contract.exe")

RemcosRAT C2:
185.140.53.233:2021

Hosted on nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-BE
country: BE
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-10-02T20:59:33Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73881/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505367
Signature
Detected Remcos RAT
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 301712 Sample: Contract.exe Startdate: 21/10/2020 Architecture: WINDOWS Score: 100 28 Multi AV Scanner detection for dropped file 2->28 30 Sigma detected: Scheduled temp file as task from temp location 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 7 other signatures 2->34 7 Contract.exe 7 2->7         started        process3 file4 20 C:\Users\user\AppData\Roaming\PETFmPo.exe, PE32 7->20 dropped 22 C:\Users\user\...\PETFmPo.exe:Zone.Identifier, ASCII 7->22 dropped 24 C:\Users\user\AppData\Local\...\tmp2E20.tmp, XML 7->24 dropped 26 C:\Users\user\AppData\...\Contract.exe.log, ASCII 7->26 dropped 10 schtasks.exe 1 7->10         started        12 vbc.exe 7->12         started        14 vbc.exe 7->14         started        16 3 other processes 7->16 process5 process6 18 conhost.exe 10->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b530ffc8af72cb51943f2fb8f38bc778c4544f57b61de593960dd4a97327ca64/
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 17:35:56 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wuyp7sfpolfvdfb7f64phc6hpdcfit2xwyo6le4wbxkks4zhzjsa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
03f5b9544b3bb2db290e54dfe203f425374d973ac225df52a7cb29adc7998726
RemcosRAT
287597fcffd11298b757ac806606000d8dd4c3c2641891c1932a1e76348d9922
RemcosRAT
2ac56457e5dfd887f318ab16bbc8fa9711095b8cb4cae99f5a34358c9a8502f0
RemcosRAT
54a48d5630f8a4ca57c1107678b3cb68ea03e80878db3dc2ddb9d92227ad542d
RemcosRAT
69b99d16f072c6ab2687da255681f3f1c3a97746bfe516b206644a5056a99425
RemcosRAT
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
RemcosRAT
a7154f13f8a8a66f47afafe4099e6e760aef60af8eb8d66de0d8ee83cfe1ef8b
RemcosRAT
b329339955fe03c374ef32667a175ff2d0a8ac1df1b930f7afcc1e44bed3d89c
RemcosRAT
c1db0bc7089675799a66c321a0401a402b94e0d455037b0cbd76e54188de43c8
RemcosRAT
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
RemcosRAT
+ 872 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos
Link:
https://tria.ge/reports/201021-ts1fl73qd6/
Behaviour
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Remcos
Unpacked files
SH256 hash:
b530ffc8af72cb51943f2fb8f38bc778c4544f57b61de593960dd4a97327ca64
MD5 hash:
9ba9616a69760f5904e6442cb21c0449
SHA1 hash:
03c5bcdc077a42a8f8c51bbd4c1975d74572ce14
Link:
https://www.unpac.me/results/2f41ce2b-1d57-4cc8-af3f-03bb248d51a4/
SH256 hash:
a80a256ec6a2ed86b7dd19c83421c607ad09dd32d31f114c6404e90ba2c2d055
MD5 hash:
233b5f9868d8f1d371ab49570cfccfda
SHA1 hash:
45ce263c7cd9717d985d2d12433dc2c05632efd4
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/2f41ce2b-1d57-4cc8-af3f-03bb248d51a4/
SH256 hash:
5443ddc4c8c2b7a556475f4e55f4fd9fcfbf444dc6421d781d80d262c49fe68c
MD5 hash:
c2a6cad80c9d398b877b7e4e615236f3
SHA1 hash:
7b87a00ec656240f911f265b7a263ae9133d5163
Link:
https://www.unpac.me/results/2f41ce2b-1d57-4cc8-af3f-03bb248d51a4/
SH256 hash:
cd1cf0960810b949e177cd8e19892a3b9e7bf016db53248ba6355331878d9211
MD5 hash:
a3f94479fd5f96e0ee95f7fd6d67d60c
SHA1 hash:
c417aaf2fc3cb75caea6321d47c76dfad4b35144
Link:
https://www.unpac.me/results/2f41ce2b-1d57-4cc8-af3f-03bb248d51a4/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/2f41ce2b-1d57-4cc8-af3f-03bb248d51a4/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

gz eea572fb9472de5c82d78ac917a741c3404b86688a23c434713ef4892b19d2db

RemcosRAT

Executable exe b530ffc8af72cb51943f2fb8f38bc778c4544f57b61de593960dd4a97327ca64

(this sample)

  
Dropped by
MD5 6789d3324ece92378e6b32905ab81934
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73881/
  
Dropped by
SHA256 eea572fb9472de5c82d78ac917a741c3404b86688a23c434713ef4892b19d2db

Comments