MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2169ac5c124981adad2629a6f763a39b0031e22d082ee4e07130630a3ee308b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2169ac5c124981adad2629a6f763a39b0031e22d082ee4e07130630a3ee308b
SHA3-384 hash: 2661075364052b89b926b68348f5976948d8ebbf2c88f40d2f802caba445677d3be812fdcde537ce19b55a4fb47efad8
SHA1 hash: 8d1ca12451580805f0552d957498469dea2d3933
MD5 hash: 10c0f58505e536746e14ff6b4b4ecc74
humanhash: yankee-vegan-louisiana-steak
File name:6278216733 (BILL OF LADING COMMERCIAL INVOICE).exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:339'456 bytes
First seen:2020-12-03 17:32:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9fdf9ab4488734a1a0f7e4bcd2d39ea4 (8 x Matiex, 1 x Loki, 1 x RemcosRAT)
ssdeep 6144:bXyhZrLkIZK6EdWCf2wXvyhOrhsy+KUQF2ieTW7Z:bXIrQIZbEgCf2fhOrh7+pieg
Threatray 1'196 similar samples on MalwareBazaar
TLSH 4574E0217581C072F29615798275CBB9582FBC312B6868CB2BD03ABD9F723D2963534F
Reporter abuse_ch
Tags:DHL exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: slot0.deinflae.com
Sending IP: 45.85.90.138
From: billing.help@dhl.com
Subject: Bill of Landing Commercial Invoice DHL 63636653 Dispatch
Attachment: 6278216733 BILL OF LADING COMMERCIAL INVOICE.IMG (contains "6278216733 (BILL OF LADING COMMERCIAL INVOICE).exe")

RemcosRAT C2:
79.134.225.75:1199

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106649/
Detection(s):
PUA.Win.Downloader.Firseria-6804617-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Sending a TCP request to an infection source
Result
Gathering data
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/554963
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2169ac5c124981adad2629a6f763a39b0031e22d082ee4e07130630a3ee308b/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 17:33:09 UTC
AV detection:
32 of 48 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2iljvrobesmbvwwsmkng65r2hgyaghrc2cbo4tqhcmddbi7ogcfq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
02153d544f745e7688a5f5f801ef4c2c197349fc79089b422d101f4f345fed8f
RemcosRAT
2efa13d0516f3ee1dc4b80c718cda030cc66275d9f0d829371dd49ce1fe0d612
RemcosRAT
4f718a40662228b1b5efca4664eb07f6d1918b62bc8b29598410d1dc5bb76c70
RemcosRAT
570e5bb05a57a95438fe1f61a116ab1d0de2bb2b0703745adea8ff45780d4a57
RemcosRAT
bc8513a74ddfc1a9a78fbdbf39d90a61d59819dfb116846daf730693622c3c69
RemcosRAT
be9005c3def853773256e54e0d8f307a7cd323fa0e86b4691c6e8619b9632afd
RemcosRAT
e85de613abef99e65212dcd6f8077b03763fa37fa81e7921907c9e9c3859b632
RemcosRAT
f2a8ae610f1847b1344ffaa1c252543a9e4f5208b0644be9d8f5d7d6770c9ae2
RemcosRAT
fa5850a0ba8809631d4e3f5a3f8cafa133b3d6ae37088eeb934ec13d1bc9f368
RemcosRAT
fd5d3f13248cae6e74e968391619b6b1caa78c3a28b5a3185684acfa1ef1ac41
RemcosRAT
+ 1'186 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/201203-cngwd8kwn2/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
79.134.225.75:1199
Unpacked files
SH256 hash:
acd7b01badb4b2a3de363f9e365085dafa24aa8bd3a21e55fc7cc095558157c2
MD5 hash:
120615d1be7e082d96713fb984380924
SHA1 hash:
ed8ecaee73efd0c626d5aadfbe311350156e9989
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/4801bbdb-f35a-45e3-b943-83dc5f3c61af/
SH256 hash:
d2169ac5c124981adad2629a6f763a39b0031e22d082ee4e07130630a3ee308b
MD5 hash:
10c0f58505e536746e14ff6b4b4ecc74
SHA1 hash:
8d1ca12451580805f0552d957498469dea2d3933
Link:
https://www.unpac.me/results/4801bbdb-f35a-45e3-b943-83dc5f3c61af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2169ac5c124981adad2629a6f763a39b0031e22d082ee4e07130630a3ee308b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img 16cb5d2d856a5875d922500357914292e21825a52bfae5809f449bd88650d84b

RemcosRAT

Executable exe d2169ac5c124981adad2629a6f763a39b0031e22d082ee4e07130630a3ee308b

(this sample)

  
Dropped by
MD5 1761579969045b01e3a4cf67c1691db0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106649/
  
Dropped by
SHA256 16cb5d2d856a5875d922500357914292e21825a52bfae5809f449bd88650d84b

Comments