MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839
SHA3-384 hash: a36ff1037deb23b58217eb445c5a518c339999accd98163eb4794eba3207c173ad0ab0a51556f0307269efa3d8cf7937
SHA1 hash: f29c3c60e4281577b6fe65073160a1f560f71c2a
MD5 hash: 40816f91fa4c2ea57edd6933dbf5b1b8
humanhash: bravo-happy-california-alaska
File name:PO AR483-1590436 FOR J-3000433707 PROJT.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'156'936 bytes
First seen:2021-03-02 07:47:25 UTC
Last seen:2021-03-02 14:33:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fa25291894013102f014c94861e7259a (5 x RemcosRAT, 2 x AgentTesla, 2 x Loki)
ssdeep 12288:4R61okjK9imvFqzAUC9AXVA9eQqcYcST6EAmWv13bGPlbX2dypFAu40CZLCRuCM:4cw9isFqznC9SAsQ7m8dGPfFAu40S
Threatray 202 similar samples on MalwareBazaar
TLSH E7357C91E3434876D57717398C3A5E35582ABE116939E58E3AADBC3C1FF72C2242324B
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.57.246
From: "Deepak Jadhav H.R.G" <purchase1@aquavalv.com>
Subject: RV: PO /AR483-159043 & PO /AR483-1590436 FOR J-3000433707 PROJT
Attachment: PO AR483-1590436 FOR J-3000433707 PROJT.r00 (contains "PO AR483-1590436 FOR J-3000433707 PROJT.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA AFRI SHALIHA - MARAKISH Updated.exe
Verdict:
Malicious activity
Analysis date:
2021-03-02 08:06:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4832bede-ebcb-4cbe-86c3-cf7a00c87c4a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120835/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Reading critical registry keys
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/623399
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 360689 Sample: PO AR483-1590436 FOR J-3000... Startdate: 02/03/2021 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 6 other signatures 2->49 7 PO AR483-1590436 FOR J-3000433707 PROJT.exe 1 18 2->7         started        12 Wbxojtec.exe 2->12         started        14 Wbxojtec.exe 2->14         started        process3 dnsIp4 39 cdn.discordapp.com 162.159.135.233, 443, 49738 CLOUDFLARENETUS United States 7->39 35 C:\Users\Public\Libraries\Wbxojtec.exe, PE32 7->35 dropped 59 Writes to foreign memory regions 7->59 61 Allocates memory in foreign processes 7->61 63 Creates a thread in another existing process (thread injection) 7->63 16 ctfmon.exe 2 3 7->16         started        65 Multi AV Scanner detection for dropped file 12->65 67 Injects a PE file into a foreign processes 12->67 21 iscsicpl.exe 12->21         started        23 secinit.exe 14->23         started        file5 signatures6 process7 dnsIp8 37 tulicknewfavour.ddns.net 54.39.198.226, 4033, 49749, 49750 OVHFR Canada 16->37 33 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 16->33 dropped 51 Tries to steal Mail credentials (via file registry) 16->51 53 Contains functionality to inject code into remote processes 16->53 55 Contains functionality to steal Firefox passwords or cookies 16->55 57 2 other signatures 16->57 25 ctfmon.exe 1 16->25         started        28 ctfmon.exe 13 16->28         started        31 ctfmon.exe 1 16->31         started        file9 signatures10 process11 dnsIp12 69 Tries to steal Instant Messenger accounts or passwords 25->69 71 Tries to steal Mail credentials (via file access) 25->71 41 192.168.2.1 unknown unknown 28->41 73 Tries to harvest and steal browser information (history, passwords, etc) 28->73 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-03-02 06:25:56 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w6bfqgy4upnat7pt5s5ropxdziptcp27gjpua7pzozqbzlmm5a4q._file
Verdict:
malicious
Similar samples:
11b16ba733f2f4f10ac58021eecaf5668551a73e2a1acfae99745c50bfccbb44
RemcosRAT
37d7dd5be37e03b4168ad2339f996d2b42a7552212e34fbc041f872838ab85e4
RemcosRAT
46131c5f93779a7547011c983be113cbf561fee1f4cba59ce8dd8f0bfb4a48f7
RemcosRAT
a972b68b050a973ba7815570e6b6d85c20629defc5c4c5bfd3f44abae041feb5
RemcosRAT
c14895a7d0ca2633b565af7c08e77aef32397f4fdc78fd3560d2f23d89aa6d6a
RemcosRAT
d96b554a08cd2f503d6a1ffe5303b34f8bd6f91b369bd95e9d16642b4fece2cb
RemcosRAT
e3fceaabe401036d5b259a767747f86c6563db8d122c87e70506ce84ad622638
RemcosRAT
e86d9b9cdf1f341e2c2f811a31d371204d181385f6c32282057b976d25f53591
RemcosRAT
f5b21be44a7076a4414adf52f6bae43d0dfbcd460bc35921e5ea81549ea16f4a
RemcosRAT
f7e29cbf47c9804eb341836873ea6837be7a46639978f44d9ba2670d47e68d56
RemcosRAT
+ 192 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210302-389thdh832/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
tulicknewfavour.ddns.net:4033
Unpacked files
SH256 hash:
d1f0293349ad4591df80151cd2f6e2ad82dd525dce362ddd12ad5fee68bbc847
MD5 hash:
35ec36fe55e56e6e748a5cdfe5ad906c
SHA1 hash:
eaf3539ea4e29217be3f6f5de98e48cbe1acc137
Link:
https://www.unpac.me/results/864b3ddd-7430-4ff7-a7c9-8c1d25b343c1/
SH256 hash:
e4f24d6c095cd14f29cc45fcaf83ca215b312190db47e885ab928bc4146648bd
MD5 hash:
4affbf95497aa0c581bddea142c12c95
SHA1 hash:
803da67530de4eb5f73c8c4b8d1b01bfbc54eefc
Link:
https://www.unpac.me/results/864b3ddd-7430-4ff7-a7c9-8c1d25b343c1/
SH256 hash:
5bcde4d165f66f58ce0446462a038b7ae84e2fd2275885f61f68287547aac66d
MD5 hash:
34cb499bbd566c24dcf888e9bab46083
SHA1 hash:
3bb97e3103868691e57e7cf3be88a7ff30f46ea1
Link:
https://www.unpac.me/results/864b3ddd-7430-4ff7-a7c9-8c1d25b343c1/
SH256 hash:
341ef2ca81eebbb4471a6b85b9207a37dc29a358c2b7e399c44c936ed92a1b16
MD5 hash:
4e13746ff1035d5bb59c46f236268c6d
SHA1 hash:
0eb3e9f72a36e873a535cd07e125f65b54665a97
Link:
https://www.unpac.me/results/864b3ddd-7430-4ff7-a7c9-8c1d25b343c1/
SH256 hash:
b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839
MD5 hash:
40816f91fa4c2ea57edd6933dbf5b1b8
SHA1 hash:
f29c3c60e4281577b6fe65073160a1f560f71c2a
Link:
https://www.unpac.me/results/864b3ddd-7430-4ff7-a7c9-8c1d25b343c1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

r00 9ae23c9941b43097d3af543cdd0f39a34da6e0d312262b7b517bdc15f701c180

RemcosRAT

Executable exe b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839

(this sample)

  
Dropped by
MD5 54451b04afc65ddf5a807670bf69b77b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120835/
  
Dropped by
SHA256 9ae23c9941b43097d3af543cdd0f39a34da6e0d312262b7b517bdc15f701c180

Comments