MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf7daffb305f782ab2a5744978ed4f3307872c83af09b298410dc3abf85f4d2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf7daffb305f782ab2a5744978ed4f3307872c83af09b298410dc3abf85f4d2c
SHA3-384 hash: e197c761e1e5ae5a106418f5285bea183b740deab380406c8f3ea2d2d42210efd2589e0d8f5bae8da4305d0b02b28dea
SHA1 hash: 535e6a2d056122d839951fc9497da863603df116
MD5 hash: 227fcaa1401145a5eee5a23806d462e0
humanhash: papa-seventeen-oklahoma-twelve
File name:INVOICE DE BANQUE GALORE TES3.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:732'160 bytes
First seen:2020-10-08 13:11:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 08b568ba8157e92f7412717386120665 (6 x Loki, 1 x NanoCore, 1 x RemcosRAT)
ssdeep 12288:7kE61gQORc0CmUCXvyaLc/oemqQtlCjiSc4YupoGVB7Rl6:ofWW07vyf3m/SDYupoGVB7Rl6
Threatray 790 similar samples on MalwareBazaar
TLSH 49F49D22A2E155F7C16636399C0B57BC9CFABD50EE2478866BF5DC4C8F38681342E193
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: pro28.emailserver.vn
Sending IP: 103.15.48.248
From: DS Smith <admin@cgco.com.vn>
Subject: PLEASE TREAT AS URGENT-FINAL INVOICE FOR MT25
Attachment: INVOICE DE BANQUE GALORE TES3.zip (contains "INVOICE DE BANQUE GALORE TES3.exe")

RemcosRAT C2:
23.105.131.157:62084

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69250/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Running batch commands
Connection attempt
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Enabling autorun by creating a file
Enabling autorun
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485482
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an undocumented autostart registry key
Delayed program exit found
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Keylogger Generic
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295293 Sample: INVOICE DE BANQUE GALORE TES3.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus detection for dropped file 2->77 79 Antivirus / Scanner detection for submitted sample 2->79 81 18 other signatures 2->81 10 INVOICE DE BANQUE GALORE TES3.exe 2->10         started        13 wscript.exe 2->13         started        15 remcos.exe 2->15         started        17 2 other processes 2->17 process3 signatures4 95 Writes to foreign memory regions 10->95 97 Allocates memory in foreign processes 10->97 99 Maps a DLL or memory area into another process 10->99 101 Queues an APC in another process (thread injection) 10->101 19 INVOICE DE BANQUE GALORE TES3.exe 6 5 10->19         started        23 notepad.exe 1 10->23         started        25 remcos.exe 13->25         started        27 remcos.exe 15->27         started        29 notepad.exe 1 15->29         started        31 remcos.exe 17->31         started        33 notepad.exe 1 17->33         started        35 notepad.exe 1 17->35         started        37 remcos.exe 17->37         started        process5 file6 59 C:\Program Files (x86)\Remcos\remcos.exe, PE32 19->59 dropped 61 C:\...\remcos.exe:Zone.Identifier, ASCII 19->61 dropped 83 Creates an undocumented autostart registry key 19->83 39 wscript.exe 1 19->39         started        85 Drops VBS files to the startup folder 23->85 87 Delayed program exit found 23->87 89 Writes to foreign memory regions 25->89 91 Allocates memory in foreign processes 25->91 93 Maps a DLL or memory area into another process 25->93 41 notepad.exe 25->41         started        44 remcos.exe 25->44         started        signatures7 process8 file9 46 cmd.exe 1 39->46         started        65 C:\Users\user\AppData\Roaming\...\hector.vbs, ASCII 41->65 dropped process10 process11 48 remcos.exe 46->48         started        51 conhost.exe 46->51         started        signatures12 69 Writes to foreign memory regions 48->69 71 Allocates memory in foreign processes 48->71 73 Maps a DLL or memory area into another process 48->73 53 remcos.exe 2 5 48->53         started        57 notepad.exe 1 48->57         started        process13 dnsIp14 67 23.105.131.157, 49726, 49727, 49728 LEASEWEB-USA-NYC-11US United States 53->67 63 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 53->63 dropped file15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf7daffb305f782ab2a5744978ed4f3307872c83af09b298410dc3abf85f4d2c/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 06:14:23 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x56276zql54cvmvforexr3kpgmdyoledv4e3fgcbbxb2x6c7juwa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4096056536154e1fa5a10e3495cd3ddadf7c01022b7b65b0c35a67b2eac2bc6b
RemcosRAT
4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d
RemcosRAT
6274c01dd6783517a68267d2c6c2af38143ed35074cfc2372d8bc385a7c5f4e9
RemcosRAT
6c882aeb918e424cefe1068a6d3fbff5526c31e185716bf3a0d5ae0295772f09
RemcosRAT
763d415415add2ffc6d482373e211c8c8b647ee46ade5e8dacce10f79d515e2b
RemcosRAT
84a066f7294211d47a88b38b0ad9ff2f0e385973c4a3b92b39b2df25e178aca8
RemcosRAT
92f26df2b8881b2971127cc9bd67d17924b895e4124092d49fdc6ebe4d362620
RemcosRAT
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
RemcosRAT
b8d1d962744d0c6ab3abe293c4671b3ba6524f623f9d6f02361bc60eec7b4cb4
RemcosRAT
c0b1ba178d886a9d71fb7ffd5b169bf023021e13c545e3cd8d15461221dd2006
RemcosRAT
+ 780 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos persistence
Link:
https://tria.ge/reports/201008-eqr7q3shnn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Adds policy Run key to start application
Executes dropped EXE
Remcos
Unpacked files
SH256 hash:
bf7daffb305f782ab2a5744978ed4f3307872c83af09b298410dc3abf85f4d2c
MD5 hash:
227fcaa1401145a5eee5a23806d462e0
SHA1 hash:
535e6a2d056122d839951fc9497da863603df116
Link:
https://www.unpac.me/results/5a25621e-5567-4d41-900f-f370a7d35bec/
SH256 hash:
8e9800b28e53b09d431338e6453a6ddbace493d34df89e62d7bb14b7bbcd71f9
MD5 hash:
f152c272eb2f716f4eaea8174b75293e
SHA1 hash:
60cd79141aff88e3c6951e0626db0afec7cc008d
Link:
https://www.unpac.me/results/5a25621e-5567-4d41-900f-f370a7d35bec/
SH256 hash:
3571c7bebd48e4073484bc2c65c838dbc41f69103b56242c3687ee129123be6e
MD5 hash:
cddb4149ad52acdbcddc24f09a592f9f
SHA1 hash:
3a7c7c702bc5d65eb9124c8d576d33d487be39b3
Link:
https://www.unpac.me/results/5a25621e-5567-4d41-900f-f370a7d35bec/
SH256 hash:
9ece7f07dfd6a2373c01441bd0f2d666b0699c62f1b5506a7dd8a44bb6ca8b6c
MD5 hash:
0d4cfda8f43b7cca30dbfcee13dd3bde
SHA1 hash:
7e57a14d6787f935d0210392ffab7cfa8882aadd
Link:
https://www.unpac.me/results/5a25621e-5567-4d41-900f-f370a7d35bec/
SH256 hash:
2a8769ed16acbd683b280232ac7da7d2cbeaf273b40f1c44f5add3ebd4ca55f4
MD5 hash:
11f8c08e6306ab66e9b0a6f1017c7413
SHA1 hash:
5882cfa3cbc535c77587a948691d753ed170b5ce
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/5a25621e-5567-4d41-900f-f370a7d35bec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf7daffb305f782ab2a5744978ed4f3307872c83af09b298410dc3abf85f4d2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 7d88086a02dc7a7bf54c9e8b86500ea59dca25e856bbb779473692c638ff9902

RemcosRAT

Executable exe bf7daffb305f782ab2a5744978ed4f3307872c83af09b298410dc3abf85f4d2c

(this sample)

  
Dropped by
MD5 2e689f9bd66b22fb21fa2783714687dc
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69250/
  
Dropped by
SHA256 7d88086a02dc7a7bf54c9e8b86500ea59dca25e856bbb779473692c638ff9902

Comments