MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb3e82e9c93c6b7b44dd782d26d22ad26f323176f8662642397d6d271754768d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb3e82e9c93c6b7b44dd782d26d22ad26f323176f8662642397d6d271754768d
SHA3-384 hash: 3b340c5cc4d785b64b7cbd1e71d7f293be5c1d7436d18c608814d22f462eeb8f3e8f1d2c629570a8560bd542f4e5a697
SHA1 hash: e7eabd570ec2dce1203d013a11599a8c627b527a
MD5 hash: 14a7ac7e8a7cc68ee2040ea5f3bb145e
humanhash: lithium-saturn-timing-queen
File name:New Doc 20211401#_our new price.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:98'304 bytes
First seen:2021-01-21 06:15:42 UTC
Last seen:2021-01-21 08:33:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cdaaae34b462dd94bb47458bdb1adef4 (3 x RemcosRAT)
ssdeep 1536:Go4qgC1Zc5NDyFCG1Pc+HdNW2XLnolNIj:Gop1+5N+FCG1PcmN/Lnkmj
Threatray 724 similar samples on MalwareBazaar
TLSH 4FA3C233B140E7F5C6DBB5F95B2286A800597CF00B5AD907AD793A192E723E3CC15A4E
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: mta0.haichufanq.com
Sending IP: 64.227.106.27
From: AMOS GROUP INDUSTRIAL INC <exports@haichufanq.com>
Subject: New Doc 2021//1401#_our new price
Attachment: New Doc 20211401_our new price.rar (contains "New Doc 20211401#_our new price.exe")

RemcosRAT C2:
oluchi.ddns.net:2405 (91.193.75.243)

Pointing to nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@privacyfirst.sh'

inetnum: 91.193.75.0 - 91.193.75.255
descr: Moscow, Russia
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-RU2
country: RU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
abuse-c: ACRO34258-RIPE
mnt-by: PRIVACYFIRST-MNT
mnt-by: RIPE-NCC-END-MNT
org: ORG-KHd1-RIPE
status: ASSIGNED PI
created: 2012-06-04T11:05:55Z
last-modified: 2021-01-03T20:17:23Z
source: RIPE
sponsoring-org: ORG-MW1-RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Doc 20211401#_our new price.exe
Verdict:
No threats detected
Analysis date:
2021-01-21 06:16:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/36fccab2-557d-42e0-b594-af019caf6bbc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113208/
Detection(s):
Win.Malware.Banload-6981577-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Creating a file
Creating a file in the %AppData% subdirectories
Setting a single autorun event
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Result
Threat name:
Remcos GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/586916
Signature
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected Remcos RAT
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 342481 Sample: New Doc 20211401#_our new p... Startdate: 21/01/2021 Architecture: WINDOWS Score: 100 36 oluchi.ddns.net 2->36 38 g.msn.com 2->38 64 Multi AV Scanner detection for submitted file 2->64 66 Detected Remcos RAT 2->66 68 Yara detected GuLoader 2->68 70 5 other signatures 2->70 8 New Doc 20211401#_our new price.exe 1 2 2->8         started        11 wscript.exe 2->11         started        13 wscript.exe 2->13         started        signatures3 process4 signatures5 72 Creates autostart registry keys with suspicious values (likely registry only malware) 8->72 74 Tries to detect Any.run 8->74 76 Hides threads from debuggers 8->76 15 New Doc 20211401#_our new price.exe 2 12 8->15         started        20 Indtastningsfacilitet.exe 2 11->20         started        22 Indtastningsfacilitet.exe 2 13->22         started        process6 dnsIp7 52 oluchi.ddns.net 91.193.75.243, 2405, 49726, 49735 DAVID_CRAIGGG Serbia 15->52 54 192.168.2.1 unknown unknown 15->54 56 3 other IPs or domains 15->56 30 C:\Users\user\...\Indtastningsfacilitet.exe, PE32 15->30 dropped 32 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 15->32 dropped 34 C:\Users\user\...\Indtastningsfacilitet.vbs, ASCII 15->34 dropped 58 Multi AV Scanner detection for dropped file 20->58 60 Tries to detect Any.run 20->60 62 Hides threads from debuggers 20->62 24 Indtastningsfacilitet.exe 7 20->24         started        28 Indtastningsfacilitet.exe 7 22->28         started        file8 signatures9 process10 dnsIp11 40 onedrive.live.com 24->40 42 fkteua.db.files.1drv.com 24->42 44 db-files.fe.1drv.com 24->44 78 Tries to detect Any.run 24->78 80 Hides threads from debuggers 24->80 46 onedrive.live.com 28->46 48 fkteua.db.files.1drv.com 28->48 50 db-files.fe.1drv.com 28->50 signatures12
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cb3e82e9c93c6b7b44dd782d26d22ad26f323176f8662642397d6d271754768d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-21 06:16:06 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zm7if2ojhrvxwrg5pawsnurk2jxtemlw7btcmqrzpvwsof2uo2gq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0f73e9d58b85ae9061722f0720ab2f76f9884042b9ac260e5c102564d4572004
RemcosRAT
4d0dfe01c27dfd2c35464a3f435cfb4cad6e996d6fc407cc8f10fc0b3d0692fe
RemcosRAT
6617979630def30c8a103baceedd1ddb972a53b984de91682aa93451faf833bb
RemcosRAT
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
RemcosRAT
8c6cae9078b175b331c1d6154045deea386850a75e4e2a250fe4f4d920cf1a4a
RemcosRAT
c6cf35735aff0eba459a6a1f4b65722ba08dfb0beed54b0df8e9be3ec3edba98
RemcosRAT
cfad7f3408fcc08ca91d0e0fe624088c1c2fda17b460e17812c0362061124b18
RemcosRAT
d3aa9fd1ed4af3cc3a49e612b93a03f799ada340c1c086f7403448fe77115bb1
RemcosRAT
e3b2ff8c1d0d00c708a0217e985a20a45789e92e99a7a9b0699cc232196a8687
RemcosRAT
e7cf4a0d3f94afea480bf5e64a658029d02191330244697ba9afd81dd5b56386
RemcosRAT
+ 714 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210121-xnrd5j3bxe/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/a2ce71b5-cef0-4472-adc8-89de022ac0e0/
SH256 hash:
cb3e82e9c93c6b7b44dd782d26d22ad26f323176f8662642397d6d271754768d
MD5 hash:
14a7ac7e8a7cc68ee2040ea5f3bb145e
SHA1 hash:
e7eabd570ec2dce1203d013a11599a8c627b527a
Link:
https://www.unpac.me/results/a2ce71b5-cef0-4472-adc8-89de022ac0e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb3e82e9c93c6b7b44dd782d26d22ad26f323176f8662642397d6d271754768d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 940c010936a1b972456fc19a8c44aa0ba3ce2383354b5d54f03497cb96682efd

RemcosRAT

Executable exe cb3e82e9c93c6b7b44dd782d26d22ad26f323176f8662642397d6d271754768d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/972948/
  
Dropped by
MD5 870c77bdfcb696529a6f4681a24465f1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 940c010936a1b972456fc19a8c44aa0ba3ce2383354b5d54f03497cb96682efd
Cape
Cape
https://www.capesandbox.com/analysis/113208/

Comments