MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb6affdde93718be644073a946c21fee8a7c8e1312a6009c6ee76ded4a5d6eb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb6affdde93718be644073a946c21fee8a7c8e1312a6009c6ee76ded4a5d6eb6
SHA3-384 hash: 6fdc148d7c69c3dba9c12b84a2417e765c8ed300b25c65272f40f63c56264ee75a81b3ecef344571196a59d85a5f7364
SHA1 hash: 8be2997d20fbc96d61a621c6b10bb256f39dae18
MD5 hash: d46d8a670410537b5df62b9b2b84f425
humanhash: xray-minnesota-fifteen-single
File name:DHL_118030 documento de recibo (Confirmación (Por favor, firmar),Pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:752'128 bytes
First seen:2020-08-15 05:53:31 UTC
Last seen:2020-08-15 06:52:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:kGwZOMqvxu1Rz4S2ALxL4XUha1AgISuKlAxYkVJ28amKyt0GiS+KqEHsa:YsMqvxQLxLfoAjSGYkv28amKyt0GRqj
Threatray 1'085 similar samples on MalwareBazaar
TLSH A4F45AE0FD20EA4DD11982F9CB8E898483F96C0A67A1DDB57BD73359006230DCDDA9D9
Reporter abuse_ch
Tags:DHL ESP exe geo RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: sip2-191.nexcess.net
Sending IP: 104.207.255.152
From: DHL Support <support@dhl.com>
Subject: RV: Notificación de envío de DHL
Attachment: DHL_118030 documento de recibo (Confirmación (Por favor, firmar),Pdf.iso (contains "DHL_118030 documento de recibo (Confirmación (Por favor, firmar),Pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/46228/
Detection(s):
SecuriteInfo.com.Variant.Barys.11488.16388.19727.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/431682
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb6affdde93718be644073a946c21fee8a7c8e1312a6009c6ee76ded4a5d6eb6/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-08-15 05:55:10 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=znvp7xpjg4ml4zcaoouunqq752fhzdqtcktabhdo45w62ss5n23a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
3ad93466a6cf17944a21b708648e557f7b5ed91866932bbc0bbef14ca9805a70
RemcosRAT
485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87
RemcosRAT
67163c34b396f7fc4a1dec14c1a0e598d5ac5786e6c26f11c8b8b16b31b70f4c
RemcosRAT
7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2
RemcosRAT
83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4
RemcosRAT
9930543939f97818319ed031530d9e084994331aa4b06a304faeb321bbcc63db
RemcosRAT
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
RemcosRAT
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
RemcosRAT
d18a9ab5894eef77fd871647912b9a4aa51e4124568055c8aca3537fd150b7e3
RemcosRAT
eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2
RemcosRAT
+ 1'075 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos
Link:
https://tria.ge/reports/200815-35xaswgqqa/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
nagod1.ddns.net:8811
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb6affdde93718be644073a946c21fee8a7c8e1312a6009c6ee76ded4a5d6eb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 3f75080ee97df5a8b2af50f85e5fe177712b77bef3f4d381a93451b30c019fa8

RemcosRAT

Executable exe cb6affdde93718be644073a946c21fee8a7c8e1312a6009c6ee76ded4a5d6eb6

(this sample)

  
Dropped by
MD5 dad4ca91d605df794f1417b8396eb292
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46228/
  
Dropped by
SHA256 3f75080ee97df5a8b2af50f85e5fe177712b77bef3f4d381a93451b30c019fa8

Comments