MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb63c61554ccc2caa79eec3705c3e4ce41626e88f375a8a1bc5b514e489b0f04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb63c61554ccc2caa79eec3705c3e4ce41626e88f375a8a1bc5b514e489b0f04
SHA3-384 hash: da33f26ed07524d92133e5cb90943ea0f2e14bad5fe33f503b117f0efbc961a65a1c4e672376d12510a062f50c3a83ce
SHA1 hash: be82c83d63d323015982225aebf2acce068ba2bf
MD5 hash: 44ad9e1f56ffbfba3631d687efebaf11
humanhash: nine-autumn-florida-cardinal
File name:AD Re Order Confirmation-7645,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:700'416 bytes
First seen:2021-08-30 09:27:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f781791341b79e2aa49e6187b296c562 (3 x Formbook, 1 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 12288:9bSAuiSYEczIDyTFiPKu5mHNiMyqcLHazX:9bS78z7PuCwHqRD
Threatray 520 similar samples on MalwareBazaar
TLSH T123E46CFE9D4C0A32D56219F89C7A467860267E503B14AC0722F87E1FFE31796716A372
dhash icon f0c0db6c6a7af0fc (24 x Formbook, 6 x QuasarRAT, 5 x RemcosRAT)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AD Re Order Confirmation-7645,pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-30 09:28:38 UTC
Tags:
installer
Link:
https://app.any.run/tasks/12ec6246-6e45-4f10-8175-439b696c4a46

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183683/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Connection attempt to an infection source
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c5f5293-d5ff-4e8d-bc33-a3e64f2bbe1e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/841466
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject threads in other processes
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb63c61554ccc2caa79eec3705c3e4ce41626e88f375a8a1bc5b514e489b0f04/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 09:28:05 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xnr4mfkuztbmvj465q3qlq7ezzawe3ui6n22rin4lniu4se3b4ca._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
11f6a46954cdec78fec52771521926ff6917af81f79e3dc1198a38571b7d7519
RemcosRAT
62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136
RemcosRAT
7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30
RemcosRAT
860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c
RemcosRAT
b9384216a5aea20cd398e51c6549bb84d6b252f3fde114010e3cc0c60b1e2b13
RemcosRAT
dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028
RemcosRAT
e6930000e13aa3deafe16f78fcfca8e6276e18ba6a252b8045dfaf570f044328
RemcosRAT
+ 510 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:new era persistence rat
Link:
https://tria.ge/reports/210830-55t8ynw232/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
thankyoulord4real.ddns.net:3030
Unpacked files
SH256 hash:
4e1202f3e7e04b0b3ca1df164bf5381f24063c142317e774d4e5d88b2b3ac744
MD5 hash:
aa23dee2c34813d67fe9c67ec784782a
SHA1 hash:
10b2e7af7cb9d6f852e6d607875a8c9613538930
Link:
https://www.unpac.me/results/e484b261-0895-4cd3-be10-87f27b6b019b/
SH256 hash:
bb63c61554ccc2caa79eec3705c3e4ce41626e88f375a8a1bc5b514e489b0f04
MD5 hash:
44ad9e1f56ffbfba3631d687efebaf11
SHA1 hash:
be82c83d63d323015982225aebf2acce068ba2bf
Link:
https://www.unpac.me/results/e484b261-0895-4cd3-be10-87f27b6b019b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bb63c61554cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb63c61554ccc2caa79eec3705c3e4ce41626e88f375a8a1bc5b514e489b0f04

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe bb63c61554ccc2caa79eec3705c3e4ce41626e88f375a8a1bc5b514e489b0f04

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/183683/

Comments