MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9bc7c1d038965bb247e69816fbcad2444766abd7082eade34eea3c641025f94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemcosRAT
Vendor detections: 9

SHA256 hash: e9bc7c1d038965bb247e69816fbcad2444766abd7082eade34eea3c641025f94
SHA3-384 hash: 54ac8f28d44c6d8a54979dd47654893f485b9720e36c635865016accd75cb739cd7cf8521408647e1dc2b1f65e603383
SHA1 hash: b974b89218b4c0164545bb651dc0689f91c47b89
MD5 hash: e077b301522bfd0a74cfb73578d970c0
humanhash: hydrogen-uranus-cat-earth
File name: OC CVE6535 _TVOP-MIO 10(C) 2020,pdf.exe
Signature: RemcosRAT
File size: 1'304'064 bytes
First seen: 2020-10-09 06:00:42 UTC
Last seen: 2020-10-09 07:09:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7d3e89b16ba0d66bb1ffb3848ff742e0 (4 x ModiLoader, 1 x RemcosRAT)
ssdeep: 12288:lonlgoDygsQFgvMGgxZpjKvtg+7agQNVTIR+uixf0McyUu3jhpny2:lolgVfZvMhQRxW0W3zy
Threatray: 980 similar samples on MalwareBazaar
TLSH: 6E558D12B281DC36D1E21E39DD1BD2BCE526BE502D27A48737E43F4DBF352513A26292
Reporter: abuse_ch
Tags: exe RemcosRAT


abuse_ch
Malspam distributing unidentified malware:

HELO: cloudserver10.qpc.co.th
Sending IP: 203.154.39.142
From: Johanna alejandra <ventas1@ivanbohman.com.ec>
Subject: RE: CONFIRMACIÓN DE PEDIDO CVE6535
Attachment: OC CVE6535 _TVOP-MIO 10C 2020,pdf.iso (contains "OC CVE6535 _TVOP-MIO 10(C) 2020,pdf.exe")

Intelligence

File Origin
# of uploads: 2
# of downloads: 79
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 295583
Sample: OC CVE6535 _TVOP-MIO 10(C) ...
Start date: 09/10/2020
Architecture: WINDOWS
Score: 100
Sample-level network: insidelife1.ddns.net
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 10 other signatures

Process tree:
OC CVE6535 _TVOP-MIO 10(C) 2020,pdf.exe
  drops C:\Users\user\AppData\Local\...\Ohesnek.exe (PE32)
  contacts discord.com (162.159.128.233, 443, 49702, 49703; CLOUDFLARENETUS, United States) and cdn.discordapp.com (162.159.129.233, 443, 49704, 49720; CLOUDFLARENETUS, United States)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  starts ieinstal.exe, which contacts insidelife1.ddns.net (216.38.7.231, 49712, 49713, 49714; ASN-GIGENETUS, United States) and 192.168.2.1 (unknown)
Ohesnek.exe (first instance)
  contacts 162.159.137.232 (443, 49718, 49719; CLOUDFLARENETUS, United States)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  starts ieinstal.exe
Ohesnek.exe (second instance)
  contacts 162.159.133.233 (443, 49727; CLOUDFLARENETUS, United States)
  signature: Injects a PE file into a foreign process
  starts ieinstal.exe
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-10-09 01:36:03 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: persistence trojan family:modiloader rat family:remcos
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SHA256 hash: e9bc7c1d038965bb247e69816fbcad2444766abd7082eade34eea3c641025f94
MD5 hash: e077b301522bfd0a74cfb73578d970c0
SHA1 hash: b974b89218b4c0164545bb651dc0689f91c47b89
SHA256 hash: 42a07d63354e1d0ad1f418992c665e442b9cb4896e8353a94ba8cce3f5c7c49d
MD5 hash: 197d635b482de2b7a2320124ad836a47
SHA1 hash: d38db7474ddb05f315b891a0bf2c70dc6fad5108
Detections: win_dbatloader_g0 win_dbatloader_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_dbatloader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_dbatloader_g0
Author: Slavo Greminger, SWITCH-CERT
Description: targets loader

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
Executable exe e9bc7c1d038965bb247e69816fbcad2444766abd7082eade34eea3c641025f94 (this sample)
Delivery method: Distributed via e-mail attachment

Comments