MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c358b44f578fd2dedbb1899038415395ae2052c113aaa149481cde295e022bda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c358b44f578fd2dedbb1899038415395ae2052c113aaa149481cde295e022bda
SHA3-384 hash: 97b00de2d395162c344e8c3e9865aa50c74b33034f4f6a8b4512d57accdc536dd51841d9208f4dc51925bdd6c21e2a8b
SHA1 hash: cde83e91ab26fcb242e6f71ffaf2faf0eae91a88
MD5 hash: 2f34ecaa3ce61f37ae89127383466d13
humanhash: purple-social-four-autumn
File name:Proof Of Payment_ _ Notificaton_Service_1.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'037'976 bytes
First seen:2020-10-13 12:40:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c242d5261d9662dc5ba58d8e22ce5eb1 (11 x ModiLoader, 1 x Loki, 1 x RemcosRAT)
ssdeep 24576:Bjo1Kn74XfBU8Rup5qmz5zd9QkuoNcAOQ9GeUH1Jn:B0s70fBUdLqM5ck7NcR7/
Threatray 1'022 similar samples on MalwareBazaar
TLSH B825BFF2F2914437D1371B788C1BA3B96939BE132E28A886ABF51D4C5F356417C39293
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rdns0.optifus.xyz
Sending IP: 149.56.8.130
From: noreply@fnb.co.za
Subject: Proof of Payment [Notification Service]
Attachment: Proof of Payment.img (contains "Proof Of Payment_ _ Notificaton_Service_1.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70463/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489688
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Fodhelper UAC Bypass
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297299 Sample: Proof Of Payment_ _ Notific... Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 60 Malicious sample detected (through community Yara rule) 2->60 62 Detected Remcos RAT 2->62 64 Yara detected Remcos RAT 2->64 66 2 other signatures 2->66 8 Proof Of Payment_ _ Notificaton_Service_1.exe 1 15 2->8         started        13 Quswdrv.exe 14 2->13         started        15 Quswdrv.exe 13 2->15         started        process3 dnsIp4 50 cdn.discordapp.com 162.159.133.233, 443, 49727, 49744 CLOUDFLARENETUS United States 8->50 52 discord.com 162.159.136.232, 443, 49725, 49726 CLOUDFLARENETUS United States 8->52 46 C:\Users\user\AppData\Local\...\Quswdrv.exe, PE32 8->46 dropped 76 Writes to foreign memory regions 8->76 78 Allocates memory in foreign processes 8->78 80 Creates a thread in another existing process (thread injection) 8->80 82 Injects a PE file into a foreign processes 8->82 17 ieinstal.exe 2 8->17         started        21 notepad.exe 4 8->21         started        54 162.159.137.232, 443, 49742, 49743 CLOUDFLARENETUS United States 13->54 56 162.159.129.233, 443, 49750 CLOUDFLARENETUS United States 15->56 file5 signatures6 process7 dnsIp8 48 216.38.7.225, 49741, 49747, 49751 ASN-GIGENETUS United States 17->48 68 Injects a PE file into a foreign processes 17->68 24 ieinstal.exe 1 17->24         started        27 ieinstal.exe 17->27         started        29 ieinstal.exe 13 17->29         started        36 3 other processes 17->36 44 C:\Users\Public44atso.bat, ASCII 21->44 dropped 32 cmd.exe 1 21->32         started        34 cmd.exe 1 21->34         started        file9 signatures10 process11 dnsIp12 70 Tries to steal Instant Messenger accounts or passwords 24->70 72 Tries to steal Mail credentials (via file access) 24->72 58 192.168.2.1 unknown unknown 29->58 74 Tries to harvest and steal browser information (history, passwords, etc) 29->74 38 conhost.exe 32->38         started        40 reg.exe 1 1 32->40         started        42 conhost.exe 34->42         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c358b44f578fd2dedbb1899038415395ae2052c113aaa149481cde295e022bda/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 12:16:53 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ynmlit2xr7jn5w5rrgidqqktswxcauwbcovkcskidtpcsxqcfpna._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1718ca5c80e3a42cec338fea4417d36fda3facf65d2828ccf438098caedf9a7e
RemcosRAT
3e64029948a8c6ff5de11ab028df1acdc90b10a8953e7ffabd78fe3b3de84e61
RemcosRAT
5b1f1843bbb992e3d5c635aa69d8409de4ae4d3f04cf19994d8e953e99cf451a
RemcosRAT
835109646cd221028859f7d4c7de74be962091d60840952ca85053e396fdc593
RemcosRAT
8740660b719c87f2e9deb11c5fbda1a6ffd0c770a571d4945056d53e7a6b31c3
RemcosRAT
8f3b6a725b06abd223aa214244ba4756cba52419dd116506744c386133a805fe
RemcosRAT
91622a9d48459e615ea429ef8b03411ce90df650cedd5c451436ee36123593a9
RemcosRAT
9b60c965a1425ff01954ce6a917cb4486d5af5cb36f538233139042ea324a64e
RemcosRAT
d38c13a3092e9df1e541934564870c8a271148b1f90436ff86292d3c3ff21550
RemcosRAT
e9bc7c1d038965bb247e69816fbcad2444766abd7082eade34eea3c641025f94
RemcosRAT
+ 1'012 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201013-ct4nktxqg2/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
ebb426dc96dce9a62297d652e258f0afea992ebd7803e408aaaeb63abad586fb
MD5 hash:
cced4823c1bc6b6a7e42989a66f4d0cc
SHA1 hash:
f22c2f67f4442207643e38aff41de1c5e12db73b
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/c3bab97a-5235-4839-adac-9c36985afcda/
SH256 hash:
c358b44f578fd2dedbb1899038415395ae2052c113aaa149481cde295e022bda
MD5 hash:
2f34ecaa3ce61f37ae89127383466d13
SHA1 hash:
cde83e91ab26fcb242e6f71ffaf2faf0eae91a88
Link:
https://www.unpac.me/results/c3bab97a-5235-4839-adac-9c36985afcda/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c358b44f578fd2dedbb1899038415395ae2052c113aaa149481cde295e022bda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img 2881ebe7dff59d9cc638b491e4212369cca7dafee74ba3c376bdfb25a1d1a471

RemcosRAT

Executable exe c358b44f578fd2dedbb1899038415395ae2052c113aaa149481cde295e022bda

(this sample)

  
Dropped by
MD5 8376b85879de72186e8c8579561cd77c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70463/
  
Dropped by
SHA256 2881ebe7dff59d9cc638b491e4212369cca7dafee74ba3c376bdfb25a1d1a471

Comments