MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c55730133205122e022bb1681c30d9843889e63bd4f16497f6bbe08f2758e2ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	c55730133205122e022bb1681c30d9843889e63bd4f16497f6bbe08f2758e2ba
SHA3-384 hash:	7316bb6a7674488670c2b5bb13806e30dd3e3a5ed9329e7e5d05bc3793c8eda7a766981f02bf80d9138e8fc8500f06db
SHA1 hash:	382e4bd6bf6e11f152b5a7c46201e271a03b9cf1
MD5 hash:	6d6bf1335e34cba12d227c6bdcebcfb8
humanhash:	robert-maine-robert-angel
File name:	Confirmation of order inquiry rar.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	703'664 bytes
First seen:	2020-10-26 14:17:50 UTC
Last seen:	2020-10-26 15:58:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:7maR1uzbfeEtaoECO9ff4W4sm5xMja1+dk+AZy5qCGtHqX4vdaiqkOc1/WjS7iB+:yaRDE4oM9ff45sm5xEkHC44VOKS8y
Threatray	23 similar samples on MalwareBazaar
TLSH	88E40D3CAE8425A36277E276A0F50587FEE8659673784D4B02C33B482D5AF063D9734E
Reporter	abuse_ch
Tags:	exe RemcosRAT

abuse_ch

Malspam distributing unidentified malware:

HELO: mail.nipponcarsrl.com.ar
Sending IP: 200.114.86.103
From: ATL Loizou Group <info@atl-loizou.com>
Subject: ***SPAM*** order inquiry
Attachment: Confirmation of order inquiry rar.rar (contains "Confirmation of order inquiry rar.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

71

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/79167/

Detection(s):

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Launching the default Windows debugger (dwwin.exe)

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/512007

Signature

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Country aware sample found (crashes after keyboard check)

Detected Remcos RAT

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/c55730133205122e022bb1681c30d9843889e63bd4f16497f6bbe08f2758e2ba/

Threat name:

ByteCode-MSIL.Spyware.Stelega

Status:

Malicious

First seen:

2020-10-26 07:44:59 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yvltaezsaujc4arlwfubymgzqq4itzr32tywjf7wxpqi6j2y4k5a._file

Verdict:

unknown

Similar samples:

1a1a49629b078b28852b0c9de34d8581ddb2c06bf09950bc4fc07262b65f72a7

40e91b54dfb08b396759074f6018c28433f771a9c6c66ff5b1789d786c591c87

5daf2d7810dd11918744b2d357a35015ef491fdd5c0365d4b83efdb6404a0bb8

5dfddf368f0f0406128d3138f485cd1da0a69bebe4e3ffafabf2410463e03ee9

786dd4d9050a7a8d83b60280da6360b73ebf5680da7c9e5d8f6762f425ba099e

8361cd02491b2a0651e89129aaaa8956409596683821eed908d47987902e0716

8ea1d5e023c174a65c047ecf0f633ef66ba5adfd58ff0cc09ad084fd31f84278

b78257912955d636db85f7fc299662ebd040df5c2919f2614e52aaf511b54d05

dafee937bbe45fe3398e06d60f2177c42a20e41f9bc5c22dcadbf284cdf4fb75

f089cbd6d20afda4f1e00ed09abd44c9f271c8db61bbb1ce07048fadda34b1ec

+ 13 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/201026-7l7j327436/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 4f6894107c44af2883f5747f27896ff5c687e4c8a3277f731fac97eafbe2f5a1

exe c55730133205122e022bb1681c30d9843889e63bd4f16497f6bbe08f2758e2ba

(this sample)

Dropped by

MD5 0a8a2e66a4bc199e14596608435f5441

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 4f6894107c44af2883f5747f27896ff5c687e4c8a3277f731fac97eafbe2f5a1

Cape

Cape

https://www.capesandbox.com/analysis/79167/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample