MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 8



SHA256 hash: c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
SHA3-384 hash: 6bdd6abd9cbfdc07ab995cfec403c8055234eb161f3f1c97eabf2e07bbfd7ac33274ee3f67c72886564c542b53826b25
SHA1 hash: 391b923fe56cebb29e4c417c03b7736997dfbf70
MD5 hash: bfa60d7ea15330bf22457f93f23f8f56
humanhash: whiskey-alpha-blue-wolfram
File name: Xiiclmip_Signed_.exe
Signature: RemcosRAT
File size: 1'064'704 bytes
First seen: 2020-07-21 07:49:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5e381c455fbb563ca5f2237e8dff94bd (4 x RemcosRAT, 2 x Formbook, 1 x NetWire)
ssdeep: 24576:s0vtfbdNzTnlj/jllmyXkybwEIVKGfHNBJV2jjFP0MnlRK:s0v9f/kxEIVRfHfJV2nFP0Ml4
Threatray: 956 similar samples on MalwareBazaar
TLSH: 6535AF23F2A08D32D1331538DC535ABC9A6FBF153625984D6AE6DF088F3918179393A7
Reporter: abuse_ch
Tags: exe RemcosRAT


abuse_ch
Malspam distributing unidentified malware:

HELO: smtp120.iad3a.emailsrvr.com
Sending IP: 173.203.187.120
From: Transmetrics Logistics <info@transmetrics.eu>
Reply-To: sophia.dante@transmetrics.eu
Subject: Transmetrics Logistics (Order ID: XIICIMIP )
Attachment: Xiiclmip_Signed_.img (contains "Xiiclmip_Signed_.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 73
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Running batch commands
Creating a process with a hidden window

Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph ID: 248703 (sample: Xiiclmip_Signed_.exe; start date: 21/07/2020; architecture: WINDOWS; score: 100). Nodes and edges recovered from the graph:

Resolved at top level: xchilogs.duckdns.org
Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 12 other signatures

Process tree:
Xiiclmip_Signed_.exe
    network: cdn.discordapp.com (162.159.129.233, 443, 49724; CLOUDFLARENETUS, United States)
    dropped: C:\Users\user\AppData\Local\...\Xiiclfck.exe (PE32)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    TapiUnattend.exe
        dropped: C:\Users\Public\propsys.dll (PE32+); C:\Users\Public\fodhelper.exe (PE32+)
        signature: Drops PE files to the user root directory
        cmd.exe
            dropped: C:\Windows \System32\propsys.dll (PE32+); C:\Windows \System32\fodhelper.exe (PE32+)
            (the space after "Windows" is as reported: this is a look-alike directory, not the real C:\Windows\System32, and the copied fodhelper.exe is started from it beside the dropped propsys.dll)
            fodhelper.exe
                signature: Drops executables to the windows directory (C:\Windows) and starts them
                cmd.exe
                    conhost.exe
                    cmd.exe
            conhost.exe
        cmd.exe
            conhost.exe
            reg.exe
            reg.exe
    ieinstal.exe
        network: xchilogs.duckdns.org (91.193.75.176, 49726, 49731, 49732; DAVID_CRAIGGG, Serbia)
mshta.exe
    signature: DLL side loading technique detected
    Xiiclfck.exe
        network: cdn.discordapp.com (162.159.135.233, 443, 49728; CLOUDFLARENETUS, United States)
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
mshta.exe
    Xiiclfck.exe
        network: cdn.discordapp.com (162.159.133.233, 443, 49730; CLOUDFLARENETUS, United States)
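The process tree above gives a detection engineer most of what is needed to hunt for this chain on endpoints: the sample's hashes, the DuckDNS C2 name and IP, a copy of the auto-elevating fodhelper.exe dropped under C:\Users\Public, the look-alike "C:\Windows \System32" directory that fodhelper.exe is then run from beside a dropped propsys.dll, and mshta.exe launching the dropped Xiiclfck.exe. The script below is an added example, not code from MalwareBazaar or from the sandbox vendor, that encodes those observations as rules and runs them over constructed process, file and DNS events shaped like endpoint telemetry. It generalises beyond this one sample in two places: the mock-directory rule flags any path component that ends in whitespace, and the dynamic-DNS rule flags any name under .duckdns.org. The event schema, the .duckdns.org heuristic, and the full paths used for ieinstal.exe, mshta.exe, TapiUnattend.exe and the Temp directory holding Xiiclfck.exe are assumptions; the entry only shows file names.

```python
"""Hunting rules derived from the behaviour graph, run over constructed events.
Added example: not MalwareBazaar or vendor code; the events are made up."""
import ntpath
import re
from typing import Dict, List, Tuple

# Indicators copied from this entry.
IOC_HASHES = {
    "c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8",  # SHA256
    "391b923fe56cebb29e4c417c03b7736997dfbf70",                          # SHA1
    "bfa60d7ea15330bf22457f93f23f8f56",                                  # MD5
}
IOC_DOMAINS = {"xchilogs.duckdns.org"}
IOC_IPS = {"91.193.75.176"}
# Heuristic, not an indicator from the page: other names under the same
# dynamic-DNS provider as the observed C2 deserve a look.
DYNDNS_SUFFIXES = (".duckdns.org",)
# Auto-elevating binary the sample copied; only fodhelper.exe is on the page.
AUTO_ELEVATE = {"fodhelper.exe"}
REAL_SYSTEM32 = "c:\\windows\\system32\\"
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.I)
# A path component ending in whitespace, as in "C:\Windows \System32": a
# user-writable look-alike of the trusted directory.
TRAILING_SPACE_COMPONENT = re.compile(r"\s(?:\\|$)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def outside_system32(path: str) -> bool:
    # ntpath resolves ".." so "System32\..\Temp\x.exe" cannot pass as System32.
    return not ntpath.normpath(path).lower().startswith(REAL_SYSTEM32)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips."""
    hits: List[str] = []
    kind, image, target = ev["type"], ev.get("image", ""), ev.get("target", "")
    # 1. Exact indicator matches (hashes, C2 domain and IP).
    for key in ("sha256", "sha1", "md5"):
        if ev.get(key, "").lower() in IOC_HASHES:
            hits.append(f"ioc_hash:{key}")
    query = ev.get("query", "").lower()
    if query in IOC_DOMAINS or ev.get("dest_ip", "") in IOC_IPS:
        hits.append("ioc_c2")
    elif query.endswith(DYNDNS_SUFFIXES):
        hits.append("dyndns_query")
    # 2. Mock trusted directory in the process image or the written file.
    if any(TRAILING_SPACE_COMPONENT.search(p) for p in (image, target) if p):
        hits.append("mock_trusted_dir")
    # 3. Auto-elevating binary executed from anywhere but the real System32.
    if kind == "process_create" and basename(image) in AUTO_ELEVATE and outside_system32(image):
        hits.append("auto_elevate_outside_system32")
    # 4. A copy of an auto-elevating binary written outside System32
    #    (the graph shows one dropped under C:\Users\Public).
    if kind == "file_create" and basename(target) in AUTO_ELEVATE and outside_system32(target):
        hits.append("auto_elevate_copy_dropped")
    # 5. mshta.exe launching an executable from a user-writable path, as the
    #    graph shows for the dropped Xiiclfck.exe.
    if (kind == "process_create" and basename(ev.get("parent_image", "")) == "mshta.exe"
            and USER_WRITABLE.match(image)):
        hits.append("mshta_spawns_user_writable_exe")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed telemetry modelled on the behaviour graph (not real logs). The
# paths for ieinstal.exe, mshta.exe, TapiUnattend.exe and the Temp directory
# holding Xiiclfck.exe are assumed; the entry only shows file names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "image": r"C:\Users\user\Desktop\Xiiclmip_Signed_.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8"},
    {"type": "file_create", "image": r"C:\Windows\System32\TapiUnattend.exe",
     "target": r"C:\Users\Public\fodhelper.exe"},
    {"type": "file_create", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Windows \System32\propsys.dll"},
    {"type": "process_create", "image": r"C:\Windows \System32\fodhelper.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "dns_query", "image": r"C:\Program Files\Internet Explorer\ieinstal.exe",
     "query": "xchilogs.duckdns.org"},
    {"type": "process_create", "image": r"C:\Users\user\AppData\Local\Temp\Xiiclfck.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe"},
    # Benign controls: the genuine fodhelper.exe, and a path whose spaces are
    # not followed by a separator, so rule 2 must stay quiet on "Program Files".
    {"type": "process_create", "image": r"C:\Windows\System32\fodhelper.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "dns_query", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.example.com"},
]
```

Running `hunt(SAMPLE_EVENTS)` fires the hash rule on the first event, the dropped-copy rule on the file written under C:\Users\Public, the mock-directory rule on both writes and executions under "C:\Windows \System32", the C2 rule on the DuckDNS lookup, and the mshta rule on the Xiiclfck.exe launch, while the two control events stay silent. The path check in rule 3 normalises with ntpath so that a "System32\..\" detour cannot pass as the real directory.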
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-07-21 07:51:06 UTC
AV detection: 36 of 48 (75.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: persistence rat family:remcos
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam    RemcosRAT    Executable exe    c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8 (this sample)

Delivery method: Distributed via e-mail attachment

Comments