MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9503dc6cff1393c176eb25789982c93cd5055f27934c43e57154c642d2ea5d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	d9503dc6cff1393c176eb25789982c93cd5055f27934c43e57154c642d2ea5d4
SHA3-384 hash:	21702b6e3c768d28be3857ae20a042d4e15cced4c91eb1b2ad4fee541a1e211b4c5bb24e0ec4b68ed367c1d16a7c105d
SHA1 hash:	0c9a273a6f54ce9d2e09905a08c9e91e95b83728
MD5 hash:	3047d8f78ee4d873093656c9f03c5620
humanhash:	floor-delta-mississippi-blue
File name:	6LLq1Biu3Aqcf0n.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	816'128 bytes
First seen:	2020-10-23 11:33:32 UTC
Last seen:	2020-10-24 13:27:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:S6BVKjy2EkrJP6/QsGYtPTvM9C8Cif/l6I0GqvvcVZBU9rRDlnZzYU:SYVKjy2EkrJPh07EhvwP0qRZG
Threatray	963 similar samples on MalwareBazaar
TLSH	9705CF0223E89F18F5BF57389528101057F9BD42AB27D2ADBDD140DE1DB2B818F56B2B
Reporter	abuse_ch
Tags:	exe nVpn RAT RemcosRAT UPS

abuse_ch

Malspam distributing RemcosRAT:

HELO: grace3
Sending IP: 52.175.253.95
From: "UPS Customer Service" <pkinfo@ups.com>
Subject: UPS - Package Arrival Notification
Attachment: UPS Details.img (contains "6LLq1Biu3Aqcf0n.exe")

RemcosRAT C2s:
u875414.nsupdate.info
u875414.nvpn.to
u875414.ddns.net
u875414.duckdns.org

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/75025/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader33.63577.18097.8883.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

DNS request

Setting a global event handler for the keyboard

Connection attempt to an infection source

Enabling autorun by creating a file

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/508070

Signature

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d9503dc6cff1393c176eb25789982c93cd5055f27934c43e57154c642d2ea5d4/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2020-10-23 10:30:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3fid3rwp6e4tyf3owjlytgbmspgvavpspe2mipsxcvggiljouxka._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

564d8ca154a08dbbe3af33d3ec5b5345c31fa8a56d536f9b22063c99db8455d7

RemcosRAT

6bc296fc9ae6bdb27ca23398f69bfb7b44d69734ff0e03a3322fdf688117e2f5

RemcosRAT

911f22d0fdceeec6e8e6426b0111c1632e6b70f21940584aa05345ac470c4c4f

RemcosRAT

9e184fecd3e0be67e11c78d407fe8e1f5f75573b32801bf00055745ef3c86225

RemcosRAT

c3c62460fce1e7c6964339da00bc229e02872c21de66a35c3aba8592ef7a8872

RemcosRAT

cc15e8a9e04355389815d8a7be4c34746c87a2a9d672e426c01b00ad0a583069

RemcosRAT

d8e49c2f12a39f106cc3449ec923265bb5cd10d8b67cc58f45719c9ed4b666f1

RemcosRAT

f535414d7bdcacff5db6ba209be888ebcd7996b1602a3b78a574b72d03cca147

RemcosRAT

f6977b9a40a17a0adc85487b7c8095d295257c6a74ec335d22b76a70884d0cac

RemcosRAT

+ 953 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

rat family:remcos

Link:

https://tria.ge/reports/201023-9x3gt3xvpn/

Behaviour

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Unpacked files

SH256 hash:

d9503dc6cff1393c176eb25789982c93cd5055f27934c43e57154c642d2ea5d4

MD5 hash:

3047d8f78ee4d873093656c9f03c5620

SHA1 hash:

0c9a273a6f54ce9d2e09905a08c9e91e95b83728

Link:

https://www.unpac.me/results/80f850bc-20d8-4ce1-aebf-7be9dd3f7570/

SH256 hash:

cfdfa1e229e14c9da408398614488e3e9b444e5c4704df6608a111fe2c958f28

MD5 hash:

9daf74faeeaba2e93309927f8da6963a

SHA1 hash:

5d0de861589e1bb8e2b62e841ecbbf5daed34b2e

Link:

https://www.unpac.me/results/80f850bc-20d8-4ce1-aebf-7be9dd3f7570/

SH256 hash:

425a92abb44b3c946b655d32d4938a2fdbf6f3c7d7fb7ef3a4c981ad9ac4d1bc

MD5 hash:

3fe698a3040011a9455ffbecf9ee574c

SHA1 hash:

be61c88fd30f3a42ab2d3f8a78c038ff16bbcd00

Link:

https://www.unpac.me/results/80f850bc-20d8-4ce1-aebf-7be9dd3f7570/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/80f850bc-20d8-4ce1-aebf-7be9dd3f7570/

SH256 hash:

5f4046b03b49d8e644c335e1f6095942c749f9da6a21c27301e067c98bfdf448

MD5 hash:

37ad9ffbc2e2d4111b162292a7eb7e63

SHA1 hash:

a4822557ed9f3a3dfd7ef7166fe4baadc1d4e368

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/80f850bc-20d8-4ce1-aebf-7be9dd3f7570/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d9503dc6cff1393c176eb25789982c93cd5055f27934c43e57154c642d2ea5d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator