MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5ba143b36eb77a1899c07ef016155b3b7ef73b83456cadf534245896360b902. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5ba143b36eb77a1899c07ef016155b3b7ef73b83456cadf534245896360b902
SHA3-384 hash: 987df865be28fab5bb318b9878be0545c0773f73252c948710849ce4d0cbe7adb5d5f7786ae4c80746976f8799ac2af4
SHA1 hash: f05a4a42784b285505bb00f6e0c0de2b8cf9c8cf
MD5 hash: d4ed086e18e4e909036c8ef1603b8050
humanhash: comet-lithium-two-ink
File name:1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..img.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:679'936 bytes
First seen:2020-10-19 06:26:03 UTC
Last seen:2020-10-19 06:45:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:6PlrhN4EownzAI0iQKSTPrv4vXZ+k2wkj6Da+LvrURp+N4QhEu4MuS+7GaDoo8:6RhNMwJ0iQnPsZ+kfiYnLiQrOrSQGqy
Threatray 884 similar samples on MalwareBazaar
TLSH A0E47C1422841F58F07EA7765164049097F7BD42DB38C90EBDD87AC92E32F82CB67A5B
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: vps.gia-heniern.com
Sending IP: 45.95.169.150
From: Mr. Kwi Bong, Yoo/General Manager <kwibong.yoo1@lotte.net>
Subject: [IOCL Barauni PP] RFQ No. RFQ-IOCL-PP-IN-301/ MACHINES AND DEVICES/Request for Quotation(For Proposal)
Attachment: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..img.iso (contains "1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..img.exe")

RemcosRAT C2:
doublegrace2020.ddns.net:7171 (185.19.85.135)

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72716/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.29672.8859.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Running batch commands
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494907
Signature
.NET source code contains potential unpacker
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes many files with high entropy
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299914 Sample: 1-RFQ-IOCL-PP-IN-301 BID IN... Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 57 doublegrace2020.ddns.net 2->57 67 Malicious sample detected (through community Yara rule) 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Detected Remcos RAT 2->71 73 11 other signatures 2->73 11 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..img.exe 3 2->11         started        15 remcos.exe 2 2->15         started        17 remcos.exe 2->17         started        signatures3 process4 file5 55 1-RFQ-IOCL-PP-IN-3...-10-14..img.exe.log, ASCII 11->55 dropped 75 Injects a PE file into a foreign processes 11->75 19 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..img.exe 4 5 11->19         started        22 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..img.exe 11->22         started        24 remcos.exe 15->24         started        26 remcos.exe 15->26         started        28 remcos.exe 17->28         started        signatures6 process7 file8 43 C:\Users\user\AppData\Roaming\...\remcos.exe, PE32 19->43 dropped 45 C:\Users\user\...\remcos.exe:Zone.Identifier, ASCII 19->45 dropped 30 wscript.exe 1 19->30         started        process9 process10 32 cmd.exe 1 30->32         started        process11 34 remcos.exe 3 32->34         started        37 conhost.exe 32->37         started        signatures12 61 Multi AV Scanner detection for dropped file 34->61 63 Writes many files with high entropy 34->63 65 Injects a PE file into a foreign processes 34->65 39 remcos.exe 2 155 34->39         started        process13 dnsIp14 59 doublegrace2020.ddns.net 185.19.85.135, 49729, 49731, 49732 DATAWIRE-ASCH Switzerland 39->59 47 C:\Users\user\...\time_20201019_093500.dat, data 39->47 dropped 49 C:\Users\user\...\time_20201019_093459.dat, data 39->49 dropped 51 C:\Users\user\...\time_20201019_093458.dat, data 39->51 dropped 53 72 other malicious files 39->53 dropped file15
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b5ba143b36eb77a1899c07ef016155b3b7ef73b83456cadf534245896360b902/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 00:53:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ww5biozw5n32dcm4a7xqcykvwo36645ygrlmvx2tijcysy3axeba._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1a1924da9d272ea46f8a0a62d7e2ecf01746e9a7621c8b1c36950788c3a3bd8c
RemcosRAT
485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87
RemcosRAT
73034f52ab0662e125659b9771ecd27259b03e3635fbeda5d7252f53fb2bbc7f
RemcosRAT
736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f
RemcosRAT
83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4
RemcosRAT
857ad0bf941ee434d96692477bec16c72571ce266091ba4bcc6952f409aff198
RemcosRAT
be83ef519ed5e3e444b10b4dd8a77515cda4993c6ce69f565405c9c2bd0901bc
RemcosRAT
d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293
RemcosRAT
e39c2e98071d4440d02e6d1aa86111536d6d01554489bd71f890455c05e424d3
RemcosRAT
eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2
RemcosRAT
+ 874 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos persistence
Link:
https://tria.ge/reports/201019-f9kzgm357j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
doublegrace2020.ddns.net:7171
Unpacked files
SH256 hash:
b5ba143b36eb77a1899c07ef016155b3b7ef73b83456cadf534245896360b902
MD5 hash:
d4ed086e18e4e909036c8ef1603b8050
SHA1 hash:
f05a4a42784b285505bb00f6e0c0de2b8cf9c8cf
Link:
https://www.unpac.me/results/6177c451-2c75-4004-b2d0-25414c3011cf/
SH256 hash:
bde75d18495ee9870676a409332c8b5807e1a7597f3b00e385ab9aaefa616db8
MD5 hash:
f11d6b80fe0ff87191fa4cb927d9b412
SHA1 hash:
8bf88050eb1898db65d1ce15ded19ee181718b42
Link:
https://www.unpac.me/results/6177c451-2c75-4004-b2d0-25414c3011cf/
SH256 hash:
1e4ce40e1a016e06be41407548bb338851e01a2f234e2f9b2a9eff2ca1871c2d
MD5 hash:
7a9c23475359cb26a7001b1432feac51
SHA1 hash:
931dc900df530bf2e3abde95be197806b1c21c06
Link:
https://www.unpac.me/results/6177c451-2c75-4004-b2d0-25414c3011cf/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/6177c451-2c75-4004-b2d0-25414c3011cf/
SH256 hash:
9e6c69cdc5127863dd5f70c213c1c691d10d35e8cb0a8d4283ea76d50090fec2
MD5 hash:
78d75f044a80df9b2990b99b4e41d963
SHA1 hash:
5773172248ace768fc24f9d7f7b4841bb0bd2e43
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/6177c451-2c75-4004-b2d0-25414c3011cf/
Parent samples :
1befcab4a8d97cea8592fa608814f038fd956a5f1f2ddfd9ee8b9402045a705a
b5ba143b36eb77a1899c07ef016155b3b7ef73b83456cadf534245896360b902
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5ba143b36eb77a1899c07ef016155b3b7ef73b83456cadf534245896360b902

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso e3b998992a867b3dcc1628a15aa96c114c50e9aac5838e2eb23db291b739fb91

RemcosRAT

Executable exe b5ba143b36eb77a1899c07ef016155b3b7ef73b83456cadf534245896360b902

(this sample)

  
Dropped by
MD5 e97a5c86c2cf12a2153db8d902e72431
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e3b998992a867b3dcc1628a15aa96c114c50e9aac5838e2eb23db291b739fb91
Cape
Cape
https://www.capesandbox.com/analysis/72716/

Comments