MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6930000e13aa3deafe16f78fcfca8e6276e18ba6a252b8045dfaf570f044328. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6930000e13aa3deafe16f78fcfca8e6276e18ba6a252b8045dfaf570f044328
SHA3-384 hash: f59d0901aa3061b49f7559113ef0a7ebe870b1b1bf8aae2b2d0abfee77edad3ec8d91b329c8f5ed2264d5fed8669fa91
SHA1 hash: c3b8c48aabb26827184eb6705a2adee4a5301ab7
MD5 hash: 476691329c39995b54054d56b4d7eb51
humanhash: stairway-blossom-avocado-alanine
File name:New Order No.0342.scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'294'089 bytes
First seen:2021-08-09 14:24:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:rAOcZAhh4rutcbhCPBhcoy+r58kwKemE3EJkq3XFQYcqa6lCKK5/GOv:t+eMhCfcyr5VcV0JkWX6Kt7Ov
Threatray 1'208 similar samples on MalwareBazaar
TLSH T1AC552301B6D2C872E47329365A32BB156D7E3D206E24DB1EA3E019ADEE351905634FF3
dhash icon f1f8ece470f0b0b2 (7 x NanoCore, 2 x RemcosRAT, 2 x HawkEye)
Reporter Anonymous
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order No.0342.scr
Verdict:
Malicious activity
Analysis date:
2021-08-09 14:31:41 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/3b4e1d7d-b1bb-4b8d-9d98-f3e3ee1f4eab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177620/
Detection(s):
Win.Malware.Lisk-9868843-0
Create hunting rule

Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Sending a UDP request
Launching a process
Creating a file in the %temp% directory
Adding an access-denied ACE
Setting a keyboard event handler
Connection attempt to an infection source
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/388f06d2-cc7b-4727-85d9-1e35badc1a73
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829705
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Drops PE files with a suspicious file extension
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 462133 Sample: New Order No.0342.scr Startdate: 09/08/2021 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Detected Remcos RAT 2->44 46 5 other signatures 2->46 7 New Order No.0342.exe 37 2->7         started        10 orcadwtsg.pif 2->10         started        process3 file4 34 C:\Users\user\24286637\orcadwtsg.pif, PE32 7->34 dropped 12 orcadwtsg.pif 1 3 7->12         started        16 mshta.exe 10->16         started        18 mshta.exe 10->18         started        20 mshta.exe 10->20         started        22 5 other processes 10->22 process5 file6 36 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 12->36 dropped 56 Multi AV Scanner detection for dropped file 12->56 58 Writes to foreign memory regions 12->58 60 Allocates memory in foreign processes 12->60 62 Injects a PE file into a foreign processes 12->62 24 RegSvcs.exe 2 3 12->24         started        28 mshta.exe 12->28         started        30 mshta.exe 12->30         started        32 5 other processes 12->32 signatures7 process8 dnsIp9 38 mgc0147.hopto.org 194.5.98.158, 2930, 49749 DANILENKODE Netherlands 24->38 48 Contains functionality to steal Chrome passwords or cookies 24->48 50 Contains functionality to inject code into remote processes 24->50 52 Contains functionality to steal Firefox passwords or cookies 24->52 54 2 other signatures 24->54 signatures10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e6930000e13aa3deafe16f78fcfca8e6276e18ba6a252b8045dfaf570f044328/
Threat name:
Win32.PUA.Wacapew
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 12:06:20 UTC
AV detection:
21 of 46 (45.65%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=42jqaahbhkr55l7bn54pz7fi4ytw4gf2nissxacf36xvodyeimua._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
022a59ed972a0a93af024278929ae49d28e59382e620c283dd3b701f24a218d4
RemcosRAT
1bf63394fcf232d3a303d17df87252e2f47c43205edadc99ed15a50c9e193ebc
RemcosRAT
20abcc84d40d1b7314e3f293c510ee4f5199d43db15074aa79705c98bacf5ff5
RemcosRAT
63df29d3fa84705de35251b66c3cf555ba225d9a2b064edbd566ccd1b3c59e07
RemcosRAT
7cf95c0b9a54fa67fcd82ab0dc3dddbbb3861b9c4111a12e628f0003b02e41d9
RemcosRAT
831b9a469de0d9441e977b8b055235bf56e2a51a9fb0c4a08424c733e33271d7
RemcosRAT
c8a4462c6b8f5d8728d5374adc98def5a5c38dd97d70a1c3859c876bfbe3fbd0
RemcosRAT
ebbc6f882c469db06196cbeea3ef7b62899229ef1f89234ef3ace2f83ce2b557
RemcosRAT
ee9581098eb9fed674854c0f2579b5bfb17ae7788cdbb15abaa3c5af3af50ecc
RemcosRAT
f1f545de09f0d7a4b5adcbfd695e64333d6195e53c120cacfb1e276d8fc7afed
RemcosRAT
+ 1'198 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:nanocore family:remcos botnet:august$$$ keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210809-j2fdlephgx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NanoCore
Remcos
Malware Config
C2 Extraction:
mgc0147.hopto.org:2930
Unpacked files
SH256 hash:
a2d2e637b29a827ecdec40054219c2513802a00b450c2425d8faad69d6e45d5a
MD5 hash:
5176435870507716fe4d3fa2093e0317
SHA1 hash:
88a2ddc0caa76f762d6f2df27431a8f95980f317
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/237752a2-84a3-4ab1-9e46-1a8989c10ce4/
SH256 hash:
063b729800db1703b1d8ef8693dcf90488403ebe328d9be6db4d3d3a4e54e3ea
MD5 hash:
78ead1a82dbad1b230845c7278dff57d
SHA1 hash:
be691a2b287970063e970135684f7351e11cae82
Link:
https://www.unpac.me/results/237752a2-84a3-4ab1-9e46-1a8989c10ce4/
SH256 hash:
e6930000e13aa3deafe16f78fcfca8e6276e18ba6a252b8045dfaf570f044328
MD5 hash:
476691329c39995b54054d56b4d7eb51
SHA1 hash:
c3b8c48aabb26827184eb6705a2adee4a5301ab7
Link:
https://www.unpac.me/results/237752a2-84a3-4ab1-9e46-1a8989c10ce4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6930000e13aa3deafe16f78fcfca8e6276e18ba6a252b8045dfaf570f044328

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/177620/

Comments