MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5b1dfa52d7b7e4a025f3c2c9084005e6e41eb48b81711ae58ab1b641ef99e64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	d5b1dfa52d7b7e4a025f3c2c9084005e6e41eb48b81711ae58ab1b641ef99e64
SHA3-384 hash:	894c51f9dc5f5ad34f482eb7878ede3a0d079a2861082830f9e8dcb242b6b1ad2b374a85d579ad854fc7db91839ffd98
SHA1 hash:	12791de4dbb7dc0e1583889cceeab91efcfd1468
MD5 hash:	0ea77d8f2114ab848d609e5eee93f177
humanhash:	london-april-nineteen-monkey
File name:	#56161_PO_13.8.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	993'895 bytes
First seen:	2020-08-13 11:00:21 UTC
Last seen:	2020-08-13 12:24:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	63ffa342653757fae1740debddf4f48a (5 x ModiLoader, 1 x RemcosRAT)
ssdeep	12288:nxtU/mq2LfX9V9GrGK4Ilr9Yz4sUsgu+Cj/RegBKYEt8XO+/GFAlNgnP8MZj:nrHLfNDKZ/nSfj/MgB1h5lNgnPP
Threatray	920 similar samples on MalwareBazaar
TLSH	D225CF1B7A815033DB1B073E8C37D68D5F2569617C1888A91EE50F8C9D28F9B30BAC1B
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: poydorus.t.mk
Sending IP: 195.26.152.36
From: Seneda Antovic <tanja@bargala.com.mk>
Subject: 2400 RFQ/19/003 - for our office
Attachment: 56161_PO_13.8.rar (contains "#56161_PO_13.8.exe")

RemcosRAT C2:
marketingsiamgrains.zapto.org:7762 (115.134.100.130)

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/45106/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Creating a file in the %AppData% subdirectories

Setting a single autorun event

Unauthorized injection to a recently created process by context flags manipulation

Setting a global event handler for the keyboard

Connection attempt to an infection source

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/425937

Signature

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Detected Remcos RAT

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d5b1dfa52d7b7e4a025f3c2c9084005e6e41eb48b81711ae58ab1b641ef99e64/

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2020-08-13 11:02:18 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2wy57jjnpn7euas7hqwjbbaalzxed22ixalrdlsyvmnwihxztzsa._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d

RemcosRAT

53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e

RemcosRAT

7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2

RemcosRAT

83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4

RemcosRAT

9930543939f97818319ed031530d9e084994331aa4b06a304faeb321bbcc63db

RemcosRAT

a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8

RemcosRAT

c232e05f633d3e2bd0a1486a955d7f72eb9155408a635666306d922b333809b2

RemcosRAT

c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8

RemcosRAT

eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2

RemcosRAT

+ 910 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

persistence rat family:remcos

Link:

https://tria.ge/reports/200813-1p243vyk2j/

Behaviour

Script User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Remcos

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d5b1dfa52d7b7e4a025f3c2c9084005e6e41eb48b81711ae58ab1b641ef99e64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	win_dbatloader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator