MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4e47b27c701e89ac6a550ab1f8ecb6058c79d9f9bca9a56ec71e3baf01dc545. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

SHA256 hash: e4e47b27c701e89ac6a550ab1f8ecb6058c79d9f9bca9a56ec71e3baf01dc545
SHA3-384 hash: 20bf8dc5e2d7e396b8f7b16dbedec71a6ef61f53e2973887fd4d8483c4050bc2c713917a73966a853a7b123b38c4d332
SHA1 hash: e5b3db886e099565446ed394ed435d73b0cf57e5
MD5 hash: 4fb1dc3bdbdb30872a97b942cf5a3194
humanhash: uranus-ohio-ack-oven
File name: QUOTATION REQUEST.exe
Signature: RemcosRAT
File size: 689'152 bytes
First seen: 2021-03-06 06:03:47 UTC
Last seen: 2021-03-10 00:29:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:SBRp10LxQWz5CqiwSC2KUBxv5Bil9/3mRXTcotqtybTMhXZY8K9cB6ZGRr2qD2ni:SuBzHiHC2+3yXptqAuM9cIZGn
Threatray: 112 similar samples on MalwareBazaar
TLSH: 05E4F1416B5052A0EFEC5BF55116D4C82361A09A1C9FE3280D42A0ED28FEF6E74E7DE7
Reporter: abuse_ch
Tags: exe RAT RemcosRAT


abuse_ch
Malspam distributing RemcosRAT:

HELO: slot0.allamaan-ae.com
Sending IP: 194.31.96.130
From: SALES04 <order@allamaan-ae.com>
Subject: RE: RFQ/AFTER SAMPLE TEST ORDER (QUOTATION REQUEST)
Attachment: QUOTATION REQUEST_20210305.ISO (contains "QUOTATION REQUEST.exe")

RemcosRAT C2:
awwes-antivirus.duckdns.org

Intelligence


File Origin
# of uploads: 10
# of downloads: 159
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: QUOTATION REQUEST.exe
Verdict: Malicious activity
Analysis date: 2021-03-06 06:06:21 UTC
Tags: rat remcos keylogger

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Drops PE files with benign system names
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID: 364176; sample: QUOTATION REQUEST.exe; start date: 06/03/2021; architecture: WINDOWS; score: 100), reconstructed from the graph node text:

Root (node 2)
  DNS/IP: awwes-antivirus.duckdns.org
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 15 other signatures
  Started: QUOTATION REQUEST.exe (14); svchost.exe (17); svchost.exe (20); 9 other processes (22)

QUOTATION REQUEST.exe (14)
  Dropped: C:\Users\user\...\QUOTATION REQUEST.exe.log (ASCII)
  Started: QUOTATION REQUEST.exe (25)

svchost.exe (17)
  Signatures: Injects a PE file into a foreign processes
  Started: svchost.exe (28, 30, 32, 34)

svchost.exe (20)
  Started: svchost.exe (36)

9 other processes (22)
  DNS/IP: 127.0.0.1 unknown unknown
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)

QUOTATION REQUEST.exe (25)
  Dropped: C:\Users\user\AppData\Roaming\...\svchost.exe (PE32); C:\Users\user\...\svchost.exe:Zone.Identifier (ASCII)
  Started: wscript.exe (38)

wscript.exe (38)
  Started: cmd.exe (40)

cmd.exe (40)
  Started: svchost.exe (42); conhost.exe (45)

svchost.exe (42)
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  Started: svchost.exe (47)

svchost.exe (47)
  DNS/IP: awwes-antivirus.duckdns.org 55.154.4.71, port 7933, DNIC-ASBLK-01534-01546US, United States
  Signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started: svchost.exe (51)

svchost.exe (51)
  Started: iexplore.exe (53)

iexplore.exe (53)
  Started: iexplore.exe (55); iexplore.exe (58)

iexplore.exe (55)
  DNS/IP: github.com 140.82.121.3, port 443, local ports 49734, 49735, GITHUBUS, United States; avatars.githubusercontent.com 185.199.110.133, port 443, local ports 49738, 49739, FASTLYUS, Netherlands; consentdeliveryfd.azurefd.net

iexplore.exe (58)
  DNS/IP: 140.82.121.4, port 443, local ports 49748, 49749, GITHUBUS, United States
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-03-05 19:59:32 UTC
AV detection: 15 of 28 (53.57%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos persistence rat
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction: awwes-antivirus.duckdns.org:7933

Unpacked files
SHA256 hash: f8b5b51efedb3e87493ac2439473564603cc3059d57956f209a7310e311a1027
MD5 hash: d66f89bf838fb52ed59d311a99aea214
SHA1 hash: 342525c4aabbb92abf51459081d34ed0f1cdc965

SHA256 hash: ea6a2ffcbee8668bea8b9ba8f16c12cc09ae4d6ff5774f750f0e80ebb3430cdc
MD5 hash: ae425cc0bd3766550c2406ed14b797bb
SHA1 hash: 276c4315abb713cc5fade21e0f17b35be30cfdb6

SHA256 hash: 1237119244e38d1df9de5c48b5c155bf7f3d2109689df1484ab51babce3c521f
MD5 hash: 567feeb9feae4e7eb9513f2d1e453066
SHA1 hash: 1d4507a3687538f708be9c34b3339943005b8ef9
Detections: win_remcos_g0

SHA256 hash: e4e47b27c701e89ac6a550ab1f8ecb6058c79d9f9bca9a56ec71e3baf01dc545
MD5 hash: 4fb1dc3bdbdb30872a97b942cf5a3194
SHA1 hash: e5b3db886e099565446ed394ed435d73b0cf57e5

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_RemcosRAT
Author: abuse.ch

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: Parallax
Author: @bartblaze
Description: Identifies Parallax RAT.

Rule name: remcos_rat
Author: jeFF0Falltrades

Rule name: REMCOS_RAT_variants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
Executable exe e4e47b27c701e89ac6a550ab1f8ecb6058c79d9f9bca9a56ec71e3baf01dc545 (this sample)

Delivery method: Distributed via e-mail attachment

Comments