MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6ef2fa76295250302a28b6ab29ea1cb71845aaba07b027717f9766a52c94cc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6ef2fa76295250302a28b6ab29ea1cb71845aaba07b027717f9766a52c94cc2
SHA3-384 hash: c6b5fc16a9f67fc47c43a80400d09360eb38ff3112ec6319d8d445149df34f93705a093f2c677deb789915c06fad7b0e
SHA1 hash: b467e2cb55f0f48c1f230212970c6848a40e56da
MD5 hash: 95fb4097ed989a5d6876ae6a9e2ea70c
humanhash: kentucky-april-oxygen-uniform
File name:Payment Receipt.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:7'168 bytes
First seen:2021-01-30 06:22:40 UTC
Last seen:2021-01-30 07:57:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 96:uazPzjrnHrAxN35YnnC3DnwcE2oYlnlYJnLLPL0KffjM4guzo80u6cRXmmNlNYXn:uaTQ+iRVRnlYJLLLTeug5cNQJ
Threatray 26 similar samples on MalwareBazaar
TLSH 85E1191253F10337C78A03B70DE356125B7AD304EAA79B7F1498A2AB0F925444693771
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: sachkasath.com
Sending IP: 103.147.184.53
From: Payment Invoice <rr72idxy@sachkasath.com>
Subject: Your Payment Was Successfully Sent
Attachment: Payment Receipt.rar (contains "Payment Receipt.exe")

RemcosRAT C2:
103.147.184.53:4042

Intelligence

File Origin
# of uploads :
2
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Receipt.exe
Verdict:
Malicious activity
Analysis date:
2021-01-30 06:24:24 UTC
Tags:
loader
Link:
https://app.any.run/tasks/142970be-02bc-4c67-87f6-5c7ad248e07a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114870/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a file
Launching a process
Creating a window
Creating a process with a hidden window
Sending a UDP request
Deleting a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Possible injection to a system process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/594494
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 346285 Sample: Payment Receipt.exe Startdate: 30/01/2021 Architecture: WINDOWS Score: 100 88 raw.githubusercontent.com 2->88 90 github.map.fastly.net 2->90 104 Malicious sample detected (through community Yara rule) 2->104 106 Antivirus / Scanner detection for submitted sample 2->106 108 Multi AV Scanner detection for submitted file 2->108 110 10 other signatures 2->110 12 Payment Receipt.exe 14 5 2->12         started        15 startup.exe 1 2->15         started        18 startup.exe 2->18         started        20 startup.exe 2->20         started        signatures3 process4 dnsIp5 74 C:\Users\user\AppData\Local\...\startup.exe, PE32 12->74 dropped 76 C:\Users\user\...\Payment Receipt.exe.log, ASCII 12->76 dropped 22 startup.exe 2 12->22         started        25 cmd.exe 1 12->25         started        98 192.168.2.1 unknown unknown 15->98 27 mshta.exe 15->27         started        29 mshta.exe 18->29         started        31 mshta.exe 20->31         started        file6 process7 signatures8 114 Multi AV Scanner detection for dropped file 22->114 33 mshta.exe 23 22->33         started        36 conhost.exe 25->36         started        38 schtasks.exe 1 25->38         started        40 powershell.exe 27->40         started        43 powershell.exe 29->43         started        45 powershell.exe 31->45         started        process9 dnsIp10 78 139.59.113.124, 49738, 49742, 49743 DIGITALOCEAN-ASNUS Singapore 33->78 47 powershell.exe 15 22 33->47         started        80 raw.githubusercontent.com 40->80 82 github.map.fastly.net 40->82 116 Writes to foreign memory regions 40->116 118 Sample uses process hollowing technique 40->118 120 Injects a PE file into a foreign processes 40->120 50 startup.exe 40->50         started        52 conhost.exe 40->52         started        54 RegAsm.exe 40->54         started        84 raw.githubusercontent.com 43->84 86 github.map.fastly.net 43->86 56 conhost.exe 43->56         started        58 conhost.exe 45->58         started        signatures11 process12 dnsIp13 100 raw.githubusercontent.com 47->100 102 github.map.fastly.net 151.101.0.133, 443, 49769, 49778 FASTLYUS United States 47->102 60 RegAsm.exe 47->60         started        64 conhost.exe 47->64         started        66 mshta.exe 50->66         started        process14 dnsIp15 96 103.147.184.53, 4042, 49771 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN unknown 60->96 122 Contains functionality to detect virtual machines (IN, VMware) 60->122 124 Contains functionality to steal Chrome passwords or cookies 60->124 126 Contains functionality to capture and log keystrokes 60->126 128 3 other signatures 60->128 68 powershell.exe 66->68         started        signatures16 process17 dnsIp18 92 raw.githubusercontent.com 68->92 94 github.map.fastly.net 68->94 112 Injects a PE file into a foreign processes 68->112 72 conhost.exe 68->72         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6ef2fa76295250302a28b6ab29ea1cb71845aaba07b027717f9766a52c94cc2/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-30 06:23:08 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3xs7j3csusqgavcrnvlfhvbznyyiwvlub5qe5yx7f3guuwjjtba._file
Verdict:
unknown
Similar samples:
0494a9fb7d3360da05ce76def600f533d818465fd625ff765cd15cc65a9b2c07
RemcosRAT
1676e36eec12118ae10d1f090b6bf269d3f3c3ff771ecb0422231946415b2b13
RemcosRAT
390a3c19f40c0c0cc56ae4c15c6f8aa159c00d08887ac52d0d8d7a5d1eb51b0c
RemcosRAT
7210dc31f2e68cbad04a8e9167b76554db1f7c46b0bcd0c23c43be9b85cb67e7
RemcosRAT
9c18efeceb64bc5ce4d06ebfcb15dd3e9d132201b2ee6d870a80c8d2ddb9b8b3
RemcosRAT
b620d76117123aa2d044495ee0c0d85b5c1ba0985cb53cb149a350da07ea003c
RemcosRAT
bf5d5c28bec7bdcf41fad771fd465ba6bb9a56e053c9470a6e10293466109d3c
RemcosRAT
dea877be3b8ceb7eb4cb1bb40895bc6886d3ccb0f2498e7b3c4257d726a7d896
RemcosRAT
ea8f64464c29c09b37c9f05be40718e144a375aeb920ed699fb3dea644d508aa
RemcosRAT
f512e47ce691f996f43e74cb07be9443f5aa34e1ebcdf3c52c9601da073ea779
RemcosRAT
+ 16 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos ransomware rat
Link:
https://tria.ge/reports/210130-adbwddkfqe/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
103.147.184.53:4042
Unpacked files
SH256 hash:
c6ef2fa76295250302a28b6ab29ea1cb71845aaba07b027717f9766a52c94cc2
MD5 hash:
95fb4097ed989a5d6876ae6a9e2ea70c
SHA1 hash:
b467e2cb55f0f48c1f230212970c6848a40e56da
Link:
https://www.unpac.me/results/193cd739-1a7d-4008-a766-84c0eac821f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6ef2fa76295250302a28b6ab29ea1cb71845aaba07b027717f9766a52c94cc2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 3a0ec0bb5c2a2623c3ce7edf505dc65396b1d9e9bafd0addd3100bd728c23af2

RemcosRAT

Executable exe c6ef2fa76295250302a28b6ab29ea1cb71845aaba07b027717f9766a52c94cc2

(this sample)

  
Dropped by
MD5 7054705eebc8756c33907d59a25a4a6a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3a0ec0bb5c2a2623c3ce7edf505dc65396b1d9e9bafd0addd3100bd728c23af2
Cape
Cape
https://www.capesandbox.com/analysis/114870/

Comments