MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e86d9b9cdf1f341e2c2f811a31d371204d181385f6c32282057b976d25f53591. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e86d9b9cdf1f341e2c2f811a31d371204d181385f6c32282057b976d25f53591
SHA3-384 hash: d08c50c8c736b3c8fe82282d7305eeec313e3c56659998b0bec5849246a80a0afd0f1a202c5f7dedcdee0604a27f1013
SHA1 hash: d42a743fc58c54d9cddb264d0ab7a36bcc426a3a
MD5 hash: 81426248c731b1d4de7ae415603d89c4
humanhash: item-comet-green-virginia
File name:Tax accessment details_849408739380383672292897263.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:965'120 bytes
First seen:2020-10-19 10:38:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 319a8e5d178320ae582e370f06f62e46 (7 x ModiLoader, 4 x RemcosRAT)
ssdeep 12288:lY2jsH0s30vuwlPMSGUzoPLLJ3SSsD8O1slNn5IswLOQ:lzjm02wKazmLF6sT1A
Threatray 1'193 similar samples on MalwareBazaar
TLSH 7E257D33B2D24873D47329789D1B67A8AD3ABE102928B5463BF91C4C5F396413C7E297
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rdns1.bumbee.xyz
Sending IP: 51.254.83.62
From: ITAS Email.Services <ITAS.Email.Services@mof.gov.na>
Subject: IRD Assessment Notice for Tax Return
Attachment: Tax accessment details.img (contains "Tax accessment details_849408739380383672292897263.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72896/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495272
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300091 Sample: Tax accessment details_8494... Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Detected Remcos RAT 2->53 55 6 other signatures 2->55 8 Tax accessment details_849408739380383672292897263.exe 1 15 2->8         started        13 Ptxtdrv.exe 13 2->13         started        15 Ptxtdrv.exe 13 2->15         started        process3 dnsIp4 43 cdn.discordapp.com 162.159.129.233, 443, 49728 CLOUDFLARENETUS United States 8->43 39 C:\Users\user\AppData\Local\...\Ptxtdrv.exe, PE32 8->39 dropped 57 Writes to foreign memory regions 8->57 59 Allocates memory in foreign processes 8->59 61 Creates a thread in another existing process (thread injection) 8->61 17 notepad.exe 4 8->17         started        20 ieinstal.exe 2 8->20         started        45 162.159.133.233, 443, 49741 CLOUDFLARENETUS United States 13->45 63 Multi AV Scanner detection for dropped file 13->63 65 Injects a PE file into a foreign processes 13->65 23 ieinstal.exe 13->23         started        47 162.159.134.233, 443, 49744 CLOUDFLARENETUS United States 15->47 25 ieinstal.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 C:\Users\Public37atso.bat, ASCII 17->37 dropped 27 cmd.exe 1 17->27         started        29 cmd.exe 1 17->29         started        41 216.38.7.225, 49737, 7082 ASN-GIGENETUS United States 20->41 file9 process10 process11 31 conhost.exe 27->31         started        33 reg.exe 1 1 27->33         started        35 conhost.exe 29->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e86d9b9cdf1f341e2c2f811a31d371204d181385f6c32282057b976d25f53591/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 07:50:10 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5bwzxhg7d42b4lbpqenddu3rebgrqe4f63bsfaqfpolw2jpvgwiq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4284003dc87d3f8afa499b3edac620589dba8b1ac5d9a38d943dd0b381a473c5
RemcosRAT
74b843d9cabf046a044581d20033d93eecf9d8ea590ce9557569e40d990e6241
RemcosRAT
835109646cd221028859f7d4c7de74be962091d60840952ca85053e396fdc593
RemcosRAT
a798d4bc2652e8509948c52670f34f2e59149cb2aefc60e486f014ffa112771f
RemcosRAT
bccbf79de04b74827c578202ea728005a26780ac80ac64914374dbc5df2c6916
RemcosRAT
bd86ba6f082dfd404bc2f3544f5b39ce04084742b334ab00a80f0c12c94daa46
RemcosRAT
dd4198b0a2a1c500bed498963e966d3476b778e1b917434847abb81c987fba55
RemcosRAT
e7def582e6c764fb35cad598da8b83da969897d37241402df8c8bac2b870432f
RemcosRAT
e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0
RemcosRAT
e9bc7c1d038965bb247e69816fbcad2444766abd7082eade34eea3c641025f94
RemcosRAT
+ 1'183 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201019-9fw79k3mmj/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
e86d9b9cdf1f341e2c2f811a31d371204d181385f6c32282057b976d25f53591
MD5 hash:
81426248c731b1d4de7ae415603d89c4
SHA1 hash:
d42a743fc58c54d9cddb264d0ab7a36bcc426a3a
Link:
https://www.unpac.me/results/b9983913-878a-4257-851f-06f27341b4c5/
SH256 hash:
197c4fd2875357024805d13b06f68d0895c9ca76ad08dfea28419ed6a2e6b34a
MD5 hash:
7e0e380137cf15350a36bebe9a5c5daf
SHA1 hash:
fb8f7f834078e9b647beedd47199a96d1df147df
Link:
https://www.unpac.me/results/b9983913-878a-4257-851f-06f27341b4c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e86d9b9cdf1f341e2c2f811a31d371204d181385f6c32282057b976d25f53591

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img af12b8229cc9c53ec639cf37a146aad5bc89122225c3aaa8d2fda70a13e78f8b

RemcosRAT

Executable exe e86d9b9cdf1f341e2c2f811a31d371204d181385f6c32282057b976d25f53591

(this sample)

  
Dropped by
MD5 d87466f7848fa6ced5d4d6feac07107a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72896/
  
Dropped by
SHA256 af12b8229cc9c53ec639cf37a146aad5bc89122225c3aaa8d2fda70a13e78f8b

Comments