MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb4567c5c6b82e5de38e47ac7047d3d7d072d3b235ff537090ee5d96fcf1e22b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash:	cb4567c5c6b82e5de38e47ac7047d3d7d072d3b235ff537090ee5d96fcf1e22b
SHA3-384 hash:	ab265f1e4f7ff0b9f33ac7015f7f61583299deedf027ea5f3addc3aa9a71b77d33748ce349834044fac50c62bf599b0a
SHA1 hash:	4e24962df9c03eb9439fc67d3c7750c817313bf4
MD5 hash:	891d42aa07046303cc7745a73882dd8d
humanhash:	carolina-quebec-colorado-kilo
File name:	DOC_ECS9522020102615040053_5778_952.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	861'016 bytes
First seen:	2020-10-27 10:26:06 UTC
Last seen:	2020-10-27 12:16:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:ez/4Zj0j4kV44z0TyvqKd4nb2XOKS83tS:P
Threatray	985 similar samples on MalwareBazaar
TLSH	F005E57C798515A3D673A13394F505A3F9E4288A73F80C6B03C2B708296AF1A7D9736D
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: mailserver.euroslotpars.com
Sending IP: 198.50.206.180
From: Sydler packs<del6@gsicargo.com>
Subject: Re: Payment Advise
Attachment: DOC_ECS9522020102615040053_5778_952.rar (contains "DOC_ECS9522020102615040053_5778_952.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/79811/

Detection(s):

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %AppData% subdirectories

Launching a process

Creating a file

DNS request

Enabling the 'hidden' option for recently created files

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a global event handler for the keyboard

Connection attempt to an infection source

Unauthorized injection to a system process

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/513328

Signature

.NET source code contains very large strings

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cb4567c5c6b82e5de38e47ac7047d3d7d072d3b235ff537090ee5d96fcf1e22b/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2020-10-27 04:37:13 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zncwprogxaxf3y4oi6whar6t27ihfu5sgx7vg4eq5zozn7hr4ivq._file

Verdict:

malicious

Label(s):

remcos

masslogger

RemcosRAT

1a1a49629b078b28852b0c9de34d8581ddb2c06bf09950bc4fc07262b65f72a7

RemcosRAT

3e306d7047d78c4f7381e51c0fa80b840e5fa76b14393195faea2791166671b5

RemcosRAT

485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87

RemcosRAT

5fcc312a31029c692e592e1b70ec22e1008cfb3df910ab2fec80a193d420fe08

RemcosRAT

65228df6e85371a2b4b1e5340f11e36cdc94f8b39bda216c0ed143eaac36912b

RemcosRAT

7a6f6659840dc30d797d816e1b2bbeb847c36c2e330fe45369b9037a113e8bc6

RemcosRAT

b530ffc8af72cb51943f2fb8f38bc778c4544f57b61de593960dd4a97327ca64

RemcosRAT

ca60958a09d1cd5817504857d90b846a9ce6f6ee1bed7686318b3741108b709c

RemcosRAT

e32decb9aac454a38a186b4f7bc59e471c78e2cf6a5fff25c0d8b68d1c46805c

RemcosRAT

+ 975 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

persistence rat family:remcos

Link:

https://tria.ge/reports/201027-wewmfjdwcs/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Adds Run key to start application

Uses the VBS compiler for execution

Remcos

Malware Config

C2 Extraction:

www.kesaihk.com:5004

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator