MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da7ce8060ef04b847aeb11d727b9d8fad9526dc3314adce4ffa5e0b597ac5547. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	da7ce8060ef04b847aeb11d727b9d8fad9526dc3314adce4ffa5e0b597ac5547
SHA3-384 hash:	5dafdec6c4620b8a320b8883ee03906e61f5c0ad31d2c1a7f93b0dbf5dc87aba64e3532f1f51fd7aab67b83b6de24a8a
SHA1 hash:	137863bbdd60c663637b165ec8ee4e41de62451d
MD5 hash:	aac4374e9fb5cbca02eba15724b72f03
humanhash:	lima-venus-iowa-chicken
File name:	DHL_DOCUMENT,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	439'808 bytes
First seen:	2020-07-21 05:55:25 UTC
Last seen:	2020-07-21 07:24:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:Khh9RCv7pSyRw6TB35v9X4w1X40pHVMaaT0dWF5I3DNr:zB7awp5q0dm5IR
Threatray	888 similar samples on MalwareBazaar
TLSH	29940640E7B446D9EBAA17B8E431C0304765BD1AA7E6E7481BC5FCAB39723518703F62
Reporter	abuse_ch
Tags:	DHL exe nVpn RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: corporate.orangemali.net
Sending IP: 197.155.141.42
From: DHL <notification@dhl.com>
Subject: DHL ON DEMAND DELIVERY NOTIFICATION
Attachment: DHL_DOCUMENT,pdf.zip (contains "DHL_DOCUMENT,pdf.exe")

RemcosRAT C2:
jamesanderson68986.ddns.net:1965 (185.244.30.9)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-HU
country: HU
descr: Budapest, Hungary
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-07-17T11:52:57Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/29674/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WYG.10225.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file

Creating a file in the %AppData% subdirectories

Setting a global event handler for the keyboard

Sending a TCP request to an infection source

Enabling autorun with Startup directory

Unauthorized injection to a system process

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/392432

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/da7ce8060ef04b847aeb11d727b9d8fad9526dc3314adce4ffa5e0b597ac5547/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-21 05:57:06 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3j6oqbqo6bfyi6xlchlspooy7lmve3odgffnzzh7uxqllf5mkvdq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

6307b6ffc48a88aeeff567c7a296ca6daf830f9b4eecf9f48352c489e5256fca

RemcosRAT

671759b97f6889b6732fb377b5af7ccc9df5e8769c2aa07a371caab68c5639fd

RemcosRAT

8ee4be1165d1e195defb89faee6746304f38293aac4f59d332408e3bff243822

RemcosRAT

92d2689159c5984751e67f61486e25a8f66921d372249af5ac22078cf22c8be9

RemcosRAT

946cdeba80da84a83af805ec82e7f07819ed853356d1d546be0c5ac28b5f70d4

RemcosRAT

9b8bfd519d8bbe5a7c285f61c73abef27b4e18a22076d036698ec943b5e61c01

RemcosRAT

9f56641fa34365d546b70d51aa82899b863a4781a3e51f6e78c62fa198472a79

RemcosRAT

a78239b17de3eac55e5fcbeceefdd2fe78f76888a2639f54024232b4dcda394c

RemcosRAT

ac0b86bf664770295ad2de9a46edabc374040a467471a61fdac436d52e451964

RemcosRAT

+ 878 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

rat family:remcos

Link:

https://tria.ge/reports/200721-y8wp4fp3k6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Remcos

Malware Config

C2 Extraction:

jamesanderson68986.ddns.net:1965

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/da7ce8060ef04b847aeb11d727b9d8fad9526dc3314adce4ffa5e0b597ac5547

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator