MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8ff5642173ea1664b856f47468ebf4778be3154b7b0a6bfa6a0950f51973c69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8ff5642173ea1664b856f47468ebf4778be3154b7b0a6bfa6a0950f51973c69
SHA3-384 hash: 1561c7266d7b06559b98d2b76585d6aa7c0bc22d65536f85d7cdd97f4431036a945c0d587f5aee15d3a65fbc6ad96da4
SHA1 hash: 443d2fefd67e9a01b16131f57b7ed10a95f72426
MD5 hash: b8815a518089222dd6e48341df39c4bb
humanhash: rugby-summer-rugby-avocado
File name:Urgent RFQ_AP65425652_032421.pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'133'568 bytes
First seen:2021-09-21 16:54:32 UTC
Last seen:2021-09-21 18:01:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bc8cc1eea5c25ce2056d7da92bd98134 (9 x RemcosRAT, 3 x NetWire, 1 x AveMariaRAT)
ssdeep 12288:lIspEfnP8N/seflQTshT8aqeTW39Kq6eoAdrL7SUbDz5Zp:320N/seflZhTmiW3A6rPzz5Z
Threatray 7 similar samples on MalwareBazaar
TLSH T117356DE6B3C0D8E4EC207E3ECC85B2815316B7F629668C8C6DA47E4C19A1A51F4BD45F
File icon (PE):PE icon
dhash icon 8ccc0c37e3969a68 (8 x RemcosRAT, 2 x NetWire, 1 x BitRAT)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Urgent RFQ_AP65425652_032421.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-21 16:56:50 UTC
Tags:
installer trojan rat remcos
Link:
https://app.any.run/tasks/7216f9a8-80be-4d74-b0c4-742ba65dd3b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189940/
Detection(s):
SecuriteInfo.com.ArtemisB8815A518089.2641.23959.UNOFFICIAL
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81d34684-caad-4ffc-8c4f-f5cc0f7a348c
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855086
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 487517 Sample: Urgent RFQ_AP65425652_03242... Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 7 other signatures 2->65 8 Urgent RFQ_AP65425652_032421.pdf.exe 1 22 2->8         started        13 Xfykryc.exe 15 2->13         started        15 Xfykryc.exe 15 2->15         started        process3 dnsIp4 45 sn-files.fe.1drv.com 8->45 47 onedrive.live.com 8->47 49 m1qpyq.sn.files.1drv.com 8->49 41 C:\Users\Public\Libraries\...\Xfykryc.exe, PE32 8->41 dropped 75 Writes to foreign memory regions 8->75 77 Creates a thread in another existing process (thread injection) 8->77 79 Injects a PE file into a foreign processes 8->79 17 DpiScaling.exe 2 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        51 sn-files.fe.1drv.com 13->51 55 2 other IPs or domains 13->55 81 Multi AV Scanner detection for dropped file 13->81 25 DpiScaling.exe 13->25         started        53 sn-files.fe.1drv.com 15->53 57 2 other IPs or domains 15->57 27 DpiScaling.exe 15->27         started        file5 signatures6 process7 dnsIp8 43 manneedmoney.ddns.net 185.140.53.130, 49743, 6642 DAVID_CRAIGGG Sweden 17->43 67 Contains functionality to steal Chrome passwords or cookies 17->67 69 Contains functionality to inject code into remote processes 17->69 71 Contains functionality to steal Firefox passwords or cookies 17->71 73 Delayed program exit found 17->73 29 reg.exe 1 21->29         started        31 conhost.exe 21->31         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8ff5642173ea1664b856f47468ebf4778be3154b7b0a6bfa6a0950f51973c69/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 16:54:20 UTC
AV detection:
5 of 45 (11.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xd7vmqqxh2qwms4fn5dundv7i54l4mkuw6yknp5guckq6umxhruq._file
Verdict:
malicious
Similar samples:
27bc88fd389ded5b1102d7ef23245aceeb4a516c7291afc954abb876898aa42f
RemcosRAT
3234ff5f304bb4f6a94ca5e0d56073a6fcfbb65e582dff4a509351d44b039fe9
RemcosRAT
5f14d3a74387554c330e7ee790f26fb55c5bfeb1dbefc6f2de93ba69d46383e8
RemcosRAT
a3aab02445dfa2ff67c27a8965fb2263965c2ad3f31475e6b6a4459b5c191827
RemcosRAT
b17c3b52340b1f33f4c2e5ce9eb6de617bd28c9525d12b56de031f5367bf7f9a
RemcosRAT
b52667bbd4f7c03e8384a218fd44ff9fc76741a25baf8b658205191433914baa
RemcosRAT
bd47342e4916289cdab05ec453d284432add03e4bbe2fc9da584103369f9cbc9
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:gr8est persistence rat
Link:
https://tria.ge/reports/210921-ve58qsaab9/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
manneedmoney.ddns.net:6642
Unpacked files
SH256 hash:
9df5839fe41103d241af27c07ec4fce4adfb9129cb57fe6d3fd9a396a750fb49
MD5 hash:
36e70e671e5390c2363ea8803df1c84a
SHA1 hash:
8905d18a2eb8299c800331aee4bbd05afa8f5bcc
Link:
https://www.unpac.me/results/4c4ffe48-fdd1-4c4d-b013-8c9a702c5edf/
SH256 hash:
b8ff5642173ea1664b856f47468ebf4778be3154b7b0a6bfa6a0950f51973c69
MD5 hash:
b8815a518089222dd6e48341df39c4bb
SHA1 hash:
443d2fefd67e9a01b16131f57b7ed10a95f72426
Link:
https://www.unpac.me/results/4c4ffe48-fdd1-4c4d-b013-8c9a702c5edf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8ff5642173ea1664b856f47468ebf4778be3154b7b0a6bfa6a0950f51973c69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/189940/

Comments