MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d93d98295e3aebd631b2fd6d1a47ddd5ed0597343bf2c0ed870d6bdb59cb6192. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	d93d98295e3aebd631b2fd6d1a47ddd5ed0597343bf2c0ed870d6bdb59cb6192
SHA3-384 hash:	2eb9025454173ba107dcac0e1ccf0117fe2b95ea801fad0f6298a9219b351bf7b1b8d0fdaa9183213b597482b3a62ca0
SHA1 hash:	cbc6e8e8e9c777b708350f4be1e14393d0c0551a
MD5 hash:	a3d8e6527b3cd4d2e74539af7918fc34
humanhash:	aspen-fish-pip-hawaii
File name:	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	826'880 bytes
First seen:	2021-01-11 09:00:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:iOcC0E+v7femqz0BNYpt+4+vwrKAxwvKY3+1gPBWpYGcz98:yl4+YrKAxoH36gPBWC1zG
Threatray	17 similar samples on MalwareBazaar
TLSH	E40528559BDD9313D3AC16BD244101611EE1FF79F3D8E228ED55B0E6AAB2F2800FE192
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: mailblock3.hostneverdie.com
Sending IP: 27.254.41.200
From: Abhijeet P. Gade <mohsen@alhayatice.com>
Subject: PO MKL1-20-06053_WO_201065
Attachment: PO NO. MKL1-20-06053 TECHNICAL SPECIFICATION.rar (contains "PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe")

RemcosRAT C2:
212.83.46.26:4023

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

Verdict:

Malicious activity

Analysis date:

2021-01-11 09:05:41 UTC

Tags:

trojan rat remcos

Link:

https://app.any.run/tasks/f7f96317-a627-4282-8c94-623176d5713c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/111255/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Enabling autorun by creating a file

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/577754

Signature

Binary contains a suspicious time stamp

Contains functionality to capture and log keystrokes

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/d93d98295e3aebd631b2fd6d1a47ddd5ed0597343bf2c0ed870d6bdb59cb6192/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2021-01-11 09:01:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

5 of 46 (10.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3e6zqkk6hlv5mmns7vwrur652xwqlfzuhpzmb3mhbvv5wwolmgja._file

Verdict:

unknown

RemcosRAT

06f143f2f9c6638d78f77f282959296fbec4d4dbd3b77029d91d3bb650201f5b

RemcosRAT

1b6a34ba043c45cfc63367a5a35d3c58b074d723c666d018b3c4c0d950e42b40

RemcosRAT

6ff2bdc1f84168996dc5e78e976f7ea1a8db3727d051d9a76aefb401db0bae52

RemcosRAT

85729ea0b65a0a56b59f3e8ed961d4ce07f34804fb6b466b6d1c32e17cda4d8d

RemcosRAT

a13d885104ce1f6005c956cb50e82aec853b48b98c881d6b71fda31580f139f7

RemcosRAT

a63c16cb1a26010951dc0d60261f95b7236cd70c4843e906503ba7421ee139e2

RemcosRAT

b775f99027bd54675dc308d80174478b62f33f6c432a7e2849ddf970b118bf41

RemcosRAT

cd038025a544b6ef40204a1f7dc30f723790b16996bd540cc3cdbb6e47e8d242

RemcosRAT

e141c331bbc43440e353a82fd9ac6e5446d6d9a6da6882026a086e34bb44f0f6

RemcosRAT

+ 7 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/210111-egcxc8ye5j/

Behaviour

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

212.83.46.26:4023

Unpacked files

SH256 hash:

d93d98295e3aebd631b2fd6d1a47ddd5ed0597343bf2c0ed870d6bdb59cb6192

MD5 hash:

a3d8e6527b3cd4d2e74539af7918fc34

SHA1 hash:

cbc6e8e8e9c777b708350f4be1e14393d0c0551a

Link:

https://www.unpac.me/results/b53496f9-fed1-4af7-a93d-3ba634cbe5bf/

SH256 hash:

ca4fa8df4c85368d2317cebb9f95d5d4cb4a3c791766c6d3e6e60206713c8b60

MD5 hash:

2fa72a9f5b2c9fd4443f4ddc26d7b632

SHA1 hash:

22a4e09b89ee1a3af11f0ddb36fe78b5d34d189c

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/b53496f9-fed1-4af7-a93d-3ba634cbe5bf/

Parent samples :

200c65040041056006600f5a6ed2bbc3281a6e440a12d24a84544d65e157288e
ec61eb67057660a18fa9d4465b12830c2bbded3234a401dd441176db16176803
d93d98295e3aebd631b2fd6d1a47ddd5ed0597343bf2c0ed870d6bdb59cb6192
6a2ffd2b362dd38d2518163bd6c849366ab37d38a446845cc9789dcd02f8e7db

SH256 hash:

2674a23369cb941e6d3069236dd589548b484dd880618644de27e73d918bc6bd

MD5 hash:

48f024a4db75ebd06849bf2856227cff

SHA1 hash:

4274771a65c586039edfcecfb2e85565aa455040

Link:

https://www.unpac.me/results/b53496f9-fed1-4af7-a93d-3ba634cbe5bf/

SH256 hash:

296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5

MD5 hash:

4cf24d41a7882216740280e3294cb853

SHA1 hash:

6bcb31d3dc0a7d71da1067a628168664202769a4

Link:

https://www.unpac.me/results/b53496f9-fed1-4af7-a93d-3ba634cbe5bf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d93d98295e3aebd631b2fd6d1a47ddd5ed0597343bf2c0ed870d6bdb59cb6192

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator