MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0
SHA3-384 hash: d1a6b27fd9772b028a0dbd1e61fc69e6f405a418a52f3212e509cf01a9af2225bfef8800b38edef9db65acbd11b2cd60
SHA1 hash: 89848db0d6cde19c555b6852115d1523d1d43bfa
MD5 hash: 6b4604a93b2dde679dbfd3a9a3b37337
humanhash: ohio-hotel-alanine-butter
File name:Yeni sipariş TVOP-MIO 102020,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:646'808 bytes
First seen:2020-10-16 13:05:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash af00c2cd3e1abe86ddbb239e27958d26 (6 x ModiLoader, 3 x RemcosRAT, 1 x Formbook)
ssdeep 12288:BEu6Ai+3QzSx++O8AySJxv/EJIy3m8A71UzFvCM2T4F1smtv1mHRm4DhKte1NDGi:F6pexT1YJS8xZzet0mINr91
Threatray 1'071 similar samples on MalwareBazaar
TLSH A1D49F66F2D1C837C373253C8C5B96B49825BD5D2F2569772AE83D8C5F39382342A293
Reporter abuse_ch
Tags:exe geo RemcosRAT TUR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: plesk1.enpatagonia.net
Sending IP: 209.126.124.211
From: Teknoplus Machine <info@teknoplusmakina.com.tr>
Subject: Yeni sipariş TVOP-MIO 10/2020
Attachment: Yeni sipariş TVOP-MIO 102020,pdf.iso (contains "Yeni sipariş TVOP-MIO 102020,pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72037/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493681
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299302 Sample: Yeni sipari#U015f TVOP-MIO ... Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Detected Remcos RAT 2->51 53 9 other signatures 2->53 8 Yeni sipari#U015f TVOP-MIO 102020,pdf.exe 1 15 2->8         started        13 Ibundrv.exe 13 2->13         started        15 Ibundrv.exe 13 2->15         started        process3 dnsIp4 43 cdn.discordapp.com 162.159.133.233, 443, 49721, 49742 CLOUDFLARENETUS United States 8->43 39 C:\Users\user\AppData\Local\...\Ibundrv.exe, PE32 8->39 dropped 55 Writes to foreign memory regions 8->55 57 Allocates memory in foreign processes 8->57 59 Creates a thread in another existing process (thread injection) 8->59 17 notepad.exe 4 8->17         started        20 ieinstal.exe 2 8->20         started        45 192.168.2.1 unknown unknown 13->45 61 Multi AV Scanner detection for dropped file 13->61 63 Injects a PE file into a foreign processes 13->63 23 ieinstal.exe 13->23         started        25 ieinstal.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 C:\Users\Public37atso.bat, ASCII 17->37 dropped 27 cmd.exe 1 17->27         started        29 cmd.exe 1 17->29         started        41 insidelife1.ddns.net 216.38.7.231, 49740, 8811 ASN-GIGENETUS United States 20->41 file9 process10 process11 31 conhost.exe 27->31         started        33 reg.exe 1 1 27->33         started        35 conhost.exe 29->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 10:43:53 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5aab42dlhqmxej3ss3r62iezfoh5m7t4p6g4c2ucpye5h4rlalqa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
5b1f1843bbb992e3d5c635aa69d8409de4ae4d3f04cf19994d8e953e99cf451a
RemcosRAT
835109646cd221028859f7d4c7de74be962091d60840952ca85053e396fdc593
RemcosRAT
9b60c965a1425ff01954ce6a917cb4486d5af5cb36f538233139042ea324a64e
RemcosRAT
b8c6d9ced99143d34fd8829125c6ff46bc0c55569f401ec4d1354f3d0825c4c4
RemcosRAT
bccbf79de04b74827c578202ea728005a26780ac80ac64914374dbc5df2c6916
RemcosRAT
bd86ba6f082dfd404bc2f3544f5b39ce04084742b334ab00a80f0c12c94daa46
RemcosRAT
c358b44f578fd2dedbb1899038415395ae2052c113aaa149481cde295e022bda
RemcosRAT
dd4198b0a2a1c500bed498963e966d3476b778e1b917434847abb81c987fba55
RemcosRAT
e7def582e6c764fb35cad598da8b83da969897d37241402df8c8bac2b870432f
RemcosRAT
e9bc7c1d038965bb247e69816fbcad2444766abd7082eade34eea3c641025f94
RemcosRAT
+ 1'061 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201016-pcyxv4b7xs/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
197c4fd2875357024805d13b06f68d0895c9ca76ad08dfea28419ed6a2e6b34a
MD5 hash:
7e0e380137cf15350a36bebe9a5c5daf
SHA1 hash:
fb8f7f834078e9b647beedd47199a96d1df147df
Link:
https://www.unpac.me/results/9f982c22-5e9e-45db-a2f2-86ded392c4bd/
SH256 hash:
e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0
MD5 hash:
6b4604a93b2dde679dbfd3a9a3b37337
SHA1 hash:
89848db0d6cde19c555b6852115d1523d1d43bfa
Link:
https://www.unpac.me/results/9f982c22-5e9e-45db-a2f2-86ded392c4bd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 707ed4e58e9a7bad0fa337d4e067757c2196b8ae4eba4f89bb17d644cb135edf

RemcosRAT

Executable exe e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0

(this sample)

  
Dropped by
MD5 149cc0508db085438a4bf6e5eaaf1ffa
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72037/
  
Dropped by
SHA256 707ed4e58e9a7bad0fa337d4e067757c2196b8ae4eba4f89bb17d644cb135edf

Comments