MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd2130b9722512ac8b0e510c2c6ca47186055272b3835754a0e2469989baecfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd2130b9722512ac8b0e510c2c6ca47186055272b3835754a0e2469989baecfd
SHA3-384 hash: 566b4e8bfabeb4c8b8fe18d0a5556f9e1f09a09dd413c0b133b291187a28af83c7c9accf7b4702a3374ce0d1aaaecef2
SHA1 hash: a66edc593ad703480ad38314acacb7eb2eb2ed2f
MD5 hash: 17753468b5976b8e8d3b8fac52d122e0
humanhash: yankee-fourteen-mockingbird-salami
File name:Purchase Order.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:45'800 bytes
First seen:2021-03-10 07:21:50 UTC
Last seen:2021-03-10 08:50:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 768:QU78GMLODPooB10s0ryWp5fXTCuR0cbSGtv0TkxI/nRhu:8GyObh10ssLXTqhkxI/S
Threatray 232 similar samples on MalwareBazaar
TLSH 16233B207D985647E4EB6DBA60E7371C1F2E63D17F02A52ADE48905FBC03A927ADC118
Reporter abuse_ch
Tags:exe OVPN RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: lucky1.263xmail.com
Sending IP: 211.157.147.131
From: 张贵强 <sale20@chinachuangxin.net>
Subject: Valid Prices
Attachment: 0264578884_6845134_8565900_pdf.bv.7z (contains "Purchase Order.exe")

RemcosRAT C2:
feromo.duckdns.org:8078 (185.157.161.113)

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order.exe
Verdict:
Malicious activity
Analysis date:
2021-03-10 07:22:53 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/c90ec959-400d-4f85-ab0c-b1480b8c0207

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123483/
Detection(s):
SecuriteInfo.com.MSIL.TrojanDownloader.Agent.HNP.28975.18983.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Moving a recently created file
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Running batch commands
Unauthorized injection to a recently created process
Adding an access-denied ACE
Sending a custom TCP request
Sending a UDP request
Creating a file in the %AppData% subdirectories
Setting a single autorun event
Blocking the User Account Control
Setting a global event handler for the keyboard
Adding exclusions to Windows Defender
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/633946
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Country aware sample found (crashes after keyboard check)
Delayed program exit found
Detected Remcos RAT
Drops PE files with benign system names
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Remcos
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 365946 Sample: Purchase Order.exe Startdate: 10/03/2021 Architecture: WINDOWS Score: 100 67 Multi AV Scanner detection for domain / URL 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 18 other signatures 2->73 7 Purchase Order.exe 23 14 2->7         started        12 explorer.exe 2->12         started        14 explorer.exe 2->14         started        16 7 other processes 2->16 process3 dnsIp4 63 liverpoolofcfanclub.com 172.67.174.240, 49723, 49734, 80 CLOUDFLARENETUS United States 7->63 65 192.168.2.1 unknown unknown 7->65 49 C:\Program Files\Common Files\...\svchost.exe, PE32 7->49 dropped 51 C:\...\svchost.exe:Zone.Identifier, ASCII 7->51 dropped 53 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->53 dropped 75 Adds a directory exclusion to Windows Defender 7->75 77 Hides threads from debuggers 7->77 79 Injects a PE file into a foreign processes 7->79 18 Purchase Order.exe 7->18         started        22 cmd.exe 7->22         started        24 powershell.exe 24 7->24         started        33 4 other processes 7->33 26 svchost.exe 12->26         started        29 svchost.exe 14->29         started        31 WerFault.exe 16->31         started        file5 signatures6 process7 dnsIp8 55 feromo.duckdns.org 185.157.161.113, 49728, 8078 OBE-EUROPEObenetworkEuropeSE Sweden 18->55 47 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 18->47 dropped 35 conhost.exe 22->35         started        37 timeout.exe 22->37         started        39 conhost.exe 24->39         started        57 liverpoolofcfanclub.com 26->57 81 System process connects to network (likely due to code injection or exploit) 26->81 59 104.21.31.39, 49742, 80 CLOUDFLARENETUS United States 29->59 61 liverpoolofcfanclub.com 29->61 41 AdvancedRun.exe 33->41         started        43 conhost.exe 33->43         started        45 conhost.exe 33->45         started        file9 signatures10 process11
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-10 07:22:09 UTC
AV detection:
4 of 47 (8.51%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xuqtbolseujkzcyokegcy3feogdakutswobvovfa4jdjtcn25t6q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a
RemcosRAT
492823289d0cbc07c789546fda1d7bbee05327c29964f5738f70e82ae7c4f4ad
RemcosRAT
57a1ee826afb333572965abe745c06597d0111f75494c586619d6b23d9ceda10
RemcosRAT
6b19b6261188bd102c2139595fa66347ee5717906e85d9fa90fd20e4209a91b0
RemcosRAT
88908ef35a39d6295a1b5775b08f2f44b3ccfad8bec6bf4e4a067428ed95262e
RemcosRAT
b0dad01939e09e869b27e59d7a7d7c79fdd31bb4a8c52153844c23c3c34bf368
RemcosRAT
b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839
RemcosRAT
d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9
RemcosRAT
e4e47b27c701e89ac6a550ab1f8ecb6058c79d9f9bca9a56ec71e3baf01dc545
RemcosRAT
ef6ac1293cdfda22c8d940f96c5433f406a4c3666e6941e4f094a8cf50d04ac1
RemcosRAT
+ 222 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos evasion persistence rat trojan
Link:
https://tria.ge/reports/210310-yjg3d6hse6/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Remcos
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
feromo.duckdns.org:8078
Unpacked files
SH256 hash:
bd2130b9722512ac8b0e510c2c6ca47186055272b3835754a0e2469989baecfd
MD5 hash:
17753468b5976b8e8d3b8fac52d122e0
SHA1 hash:
a66edc593ad703480ad38314acacb7eb2eb2ed2f
Link:
https://www.unpac.me/results/0f7127b1-0603-47df-be54-1189588f5f63/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/bd2130b9722512ac8b0e510c2c6ca47186055272b3835754a0e2469989baecfd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Matiex

zip d889909dc9815fc9aab4b571acf5cd0b97933053070197b3f5bce583a80f1780

RemcosRAT

Executable exe bd2130b9722512ac8b0e510c2c6ca47186055272b3835754a0e2469989baecfd

(this sample)

  
Dropped by
MD5 94d7716329ca00b6c5b384406b8007eb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/123483/
  
Dropped by
SHA256 d889909dc9815fc9aab4b571acf5cd0b97933053070197b3f5bce583a80f1780

Comments