MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfe422f569af77aa4f5b1b9f1e85f6c89b7ca62540c368d5e5b152f68154a478. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfe422f569af77aa4f5b1b9f1e85f6c89b7ca62540c368d5e5b152f68154a478
SHA3-384 hash: 50730b6c0e666ed9ba1b920dec63ee679a0af324decf873898cdd1c002c7491385c07c8afcb41fc69a6607e369f0b374
SHA1 hash: 04214758794d18604c5fbc59c66dc30fe47a70a4
MD5 hash: 5c79e7985f29d10c562edc2345df8a95
humanhash: nebraska-double-harry-wolfram
File name:Give Offer CVE6535 _TVOP-MIO, pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:970'352 bytes
First seen:2021-05-11 10:28:19 UTC
Last seen:2021-05-11 12:08:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b64b452434f9b4c79d8cd285903a399f (4 x RemcosRAT, 1 x AgentTesla, 1 x Loki)
ssdeep 12288:/AQUdCLsY8iOnhm8q9vvgh8RWvezDm+hz24S0EmwoKtJ7RXXBLeU/Oy/oE:/AB5iGhyR7PlRMlHVXXBqUD/oE
Threatray 1'813 similar samples on MalwareBazaar
TLSH 0F250621A2414722F46E3B34C82AB2505BE57E7C2DD4136AE6B53B4B4B3F2502DE51BF
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/155014/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/778609
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 411007 Sample: Give Offer CVE6535 _TVOP-MI... Startdate: 11/05/2021 Architecture: WINDOWS Score: 100 84 Found malware configuration 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 Multi AV Scanner detection for dropped file 2->88 90 7 other signatures 2->90 11 Give Offer CVE6535 _TVOP-MIO, pdf.exe 1 23 2->11         started        16 Fnvgdi.exe 15 2->16         started        18 Fnvgdi.exe 16 2->18         started        process3 dnsIp4 70 onedrive.live.com 11->70 72 dm-files.fe.1drv.com 11->72 74 96ifqg.dm.files.1drv.com 11->74 56 C:\Users\Public56etplwiz.exe, PE32+ 11->56 dropped 58 C:\Users\Public58ETUTILS.dll, PE32+ 11->58 dropped 60 C:\Users\Public\Fnvgdi\Fnvgdi.exe, PE32 11->60 dropped 62 C:\Users\Public\Cdex.bat, ASCII 11->62 dropped 106 Writes to foreign memory regions 11->106 108 Allocates memory in foreign processes 11->108 110 Creates a thread in another existing process (thread injection) 11->110 20 cmd.exe 1 11->20         started        22 dialer.exe 2 11->22         started        76 onedrive.live.com 16->76 80 2 other IPs or domains 16->80 112 Multi AV Scanner detection for dropped file 16->112 114 Machine Learning detection for dropped file 16->114 116 Injects a PE file into a foreign processes 16->116 78 onedrive.live.com 18->78 82 2 other IPs or domains 18->82 26 mobsync.exe 18->26         started        file5 signatures6 process7 dnsIp8 28 cmd.exe 5 20->28         started        32 conhost.exe 20->32         started        68 79.134.225.8, 4241, 49715, 49716 FINK-TELECOM-SERVICESCH Switzerland 22->68 96 Contains functionalty to change the wallpaper 22->96 98 Contains functionality to steal Chrome passwords or cookies 22->98 100 Contains functionality to capture and log keystrokes 22->100 102 2 other signatures 22->102 signatures9 process10 file11 64 C:\Windows \System3264etplwiz.exe, PE32+ 28->64 dropped 66 C:\Windows \System3266ETUTILS.dll, PE32+ 28->66 dropped 118 Drops executables to the windows directory (C:\Windows) and starts them 28->118 34 Netplwiz.exe 28->34         started        36 conhost.exe 28->36         started        signatures12 process13 process14 38 cmd.exe 1 34->38         started        41 MpCmdRun.exe 36->41         started        signatures15 92 Suspicious powershell command line found 38->92 94 Adds a directory exclusion to Windows Defender 38->94 43 powershell.exe 27 38->43         started        46 svchost.exe 38->46         started        48 conhost.exe 38->48         started        50 DpiScaling.exe 38->50         started        52 conhost.exe 41->52         started        process16 signatures17 104 DLL side loading technique detected 43->104 54 conhost.exe 43->54         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfe422f569af77aa4f5b1b9f1e85f6c89b7ca62540c368d5e5b152f68154a478/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2021-05-11 10:29:12 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x7scf5ljv532ut23dopr5bpwzcnxzjrfidbwrvpfwfjpnakuur4a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
17c742f29afb5c4352f3fb0079fbb0b2d72da1e65cfc59695f9a7259088b4615
RemcosRAT
1d61d1e99f05f85dbe885fc183a1b5fe81c0d47350868484186705d491a6577a
RemcosRAT
3483cf3d7087f312aa5e6de882cd7893e2add074a30158141173a242443cd6c0
RemcosRAT
37d7dd5be37e03b4168ad2339f996d2b42a7552212e34fbc041f872838ab85e4
RemcosRAT
512f42f440c86ec0b776da00cb7be1aac494914af73a8d47ada5b6a4b5f208eb
RemcosRAT
52fa8487efeb8b203fb1f37501c366088b71de4ded620695ba2e34e8c0f446a2
RemcosRAT
9e226f4878d21f5b1497b6c0d69e452f8a531634b3f8951e51049b5b4cafa8f7
RemcosRAT
d67dde5621d6de76562bc2812f04f986b441601b088aa936d821c0504eb4f7aa
RemcosRAT
e65bff9943ab7ccc3713619a8d908f6caf5392c0c47defe3b66ca9009d2177ed
RemcosRAT
f4f0c2b0fcc641a850b0aaf356f5119f7d6568be3d4b5251a6c6dec1b3e7920f
RemcosRAT
+ 1'803 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210511-6r4s5mcvrs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
79.134.225.8:4241
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bfe422f569af77aa4f5b1b9f1e85f6c89b7ca62540c368d5e5b152f68154a478

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_56f008e69a7c4c3feb389c66eaf58259
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/155014/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-11 11:14:35 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
3) [F0002.002] Collection::Polling
5) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [C0051] File System Micro-objective::Read File
9) [C0052] File System Micro-objective::Writes File
10) [C0007] Memory Micro-objective::Allocate Memory
11) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
12) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
13) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
14) [C0038] Process Micro-objective::Create Thread
15) [C0041] Process Micro-objective::Set Thread Local Storage Value
16) [C0018] Process Micro-objective::Terminate Process