MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbf5b54d5d1c70086efefea16f38b80a329cb96bb5a59e709b0ab2304acb157c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	cbf5b54d5d1c70086efefea16f38b80a329cb96bb5a59e709b0ab2304acb157c
SHA3-384 hash:	52500761a3f2a5410e6b9525fcddb5aad0319cfd19f14ba804fca74e88a2abada92d7725d10b59e0eb899f1d75d5e846
SHA1 hash:	14c6081d17ff3ee28b67d0647767cb42169ce0b4
MD5 hash:	23f61dde4507b23de8228b969a9f363c
humanhash:	zulu-colorado-mango-xray
File name:	MV CHEN GLORY 1 Q88.DOC.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	917'136 bytes
First seen:	2021-02-16 14:18:35 UTC
Last seen:	2021-02-16 15:38:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	64b747126920f2db0c64929f48d320a0 (10 x RemcosRAT)
ssdeep	12288:DOzzcxrBWwx/vdym2RHAxMGD5usGjgICoDaMycZ+HB9:DUzQJ1Z2xzGDAsG0ItDocGB9
Threatray	63 similar samples on MalwareBazaar
TLSH	C615B2F2E95A8E31F05B153DE58EF7341826BCF1391D846A4EE4BB09AAA331C35114B7
Reporter	abuse_ch
Tags:	exe HostGator RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: gateway30.websitewelcome.com
Sending IP: 192.185.152.11
From: Ca-Marine Co.Ltd <camarinesnp@gmail.com>
Subject: FOR SALE: MV CHEN GLORY 1 / BOX/SID GC / 12,6K DWT / BLT 98 CHN
Attachment: MV CHEN GLORY 1 Q88.xz (contains "MV CHEN GLORY 1 Q88.DOC.exe")

RemcosRAT C2:
chx-ch.ddns.net:6855 (207.32.217.11)

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://bazaar.abuse.ch/browse/

Verdict:

Malicious activity

Analysis date:

2021-02-16 18:11:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d4dc676c-440f-47e3-a5db-0cb7570c46b3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/117342/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Deleting a recently created file

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/609104

Signature

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses an obfuscated file name to hide its real file extension (double extension)

Uses dynamic DNS services

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cbf5b54d5d1c70086efefea16f38b80a329cb96bb5a59e709b0ab2304acb157c/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2021-02-16 14:19:07 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zp23ktk5dryaq3x672qw6ofybizjzollwwsz44e3bkzdaswlcv6a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

20fe5347a7254b7f5d75c7fce2542b88abdb8d1939afe621544c61d35e45bdee

RemcosRAT

2a344d464465069aa8739a45ecba1b6de4ef4ba4cc2b8128af5a54112c507058

RemcosRAT

350d9e0fce3c72fb6c63235194c1e9c986d38c13866e756f85c31faa95f4ef2b

RemcosRAT

7372fe2e6401cdbca755f752e7e8407a8a5fbaf81ca5e692705a9819977dc447

RemcosRAT

933d0f6581cbeffb81bdd14c08cab5336829bb6ecc95eea0488ac70d36e70b5c

RemcosRAT

c062b4a790666b338f7955ea792605bf0244a8d36cb1050c602727ff6d654e36

RemcosRAT

d00cdc47ecf61320c65927dd2cd3ec52e5d1496264ba527b019eebca8d9b3410

RemcosRAT

e5065ecce465f659ef4f82667fc0c3bccb3e596497d884cc95b61008ec1a707b

RemcosRAT

f436b8e7b214f3f56d0c62326e37653f87184760b406ab4f6eae79a5c34297b1

RemcosRAT

+ 53 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210216-1lyxake8f2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Adds Run key to start application

Remcos

Unpacked files

SH256 hash:

6c5faf9784abeff03bdbe2522b9da9862ac8eb9d333f608f8ef28719565968df

MD5 hash:

dff8986eae6a2b85730955c35b506f1a

SHA1 hash:

0b20d24bdd350524c25f5d513d1b3f8e4315c989

Link:

https://www.unpac.me/results/e7dfc0f8-6592-4b1b-b1b3-80ba2eb868da/

SH256 hash:

cbf5b54d5d1c70086efefea16f38b80a329cb96bb5a59e709b0ab2304acb157c

MD5 hash:

23f61dde4507b23de8228b969a9f363c

SHA1 hash:

14c6081d17ff3ee28b67d0647767cb42169ce0b4

Link:

https://www.unpac.me/results/e7dfc0f8-6592-4b1b-b1b3-80ba2eb868da/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cbf5b54d5d1c70086efefea16f38b80a329cb96bb5a59e709b0ab2304acb157c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip a7f33a24ee55565a86a40e567d40441e2600ec80380b5bfe96ed88bdcfcaac70

RemcosRAT

exe cbf5b54d5d1c70086efefea16f38b80a329cb96bb5a59e709b0ab2304acb157c

(this sample)

Dropped by

MD5 01e7ee706159293af9475b6b2700234a

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/117342/

Dropped by

SHA256 a7f33a24ee55565a86a40e567d40441e2600ec80380b5bfe96ed88bdcfcaac70

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample