MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec61eb67057660a18fa9d4465b12830c2bbded3234a401dd441176db16176803. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	ec61eb67057660a18fa9d4465b12830c2bbded3234a401dd441176db16176803
SHA3-384 hash:	98ad014082e3e185222f5e8791f5016f66e75e11c747f6f2a21c20ad17d5ba8215244267452994af23a0c10793e3de70
SHA1 hash:	2ffb77203c1fa719e7df160a11fb2462843ed1b5
MD5 hash:	807d184706be5d985443653bab74c2a7
humanhash:	princess-king-angel-montana
File name:	GST Invoice - No.SKDC2001006133.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'332'736 bytes
First seen:	2021-01-08 19:04:33 UTC
Last seen:	2021-01-08 20:28:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	24576:eN5s3GblHVZTQfB4M85h6cUUXLX7KSH8br:5EbZT5X37LxE
Threatray	14 similar samples on MalwareBazaar
TLSH	2C556B205211DB19F1A973FA406600F467F8BC07BF15E5BABEA430A60459AC28F7767F
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: skdc-consultants.com
Sending IP: 212.83.46.26
From: M/s.SKDC Consultants Limited <info@skdc-consultants.com>
Subject: GST Invoice SKDC2001006133 Notification
Attachment: GST Invoice - No.SKDC2001006133.rar (contains "GST Invoice - No.SKDC2001006133.exe")

RemcosRAT C2:
212.83.46.26:4023

Intelligence

File Origin

# of uploads :

# of downloads :

318

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

GST Invoice - No.SKDC2001006133.exe

Verdict:

Malicious activity

Analysis date:

2021-01-08 19:07:01 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/2811c413-b79a-4363-afa7-82115494dc10

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/111075/

Detection(s):

SecuriteInfo.com.FileRepMalware.9135.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/577084

Signature

Contains functionality to capture and log keystrokes

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/ec61eb67057660a18fa9d4465b12830c2bbded3234a401dd441176db16176803/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2021-01-08 15:02:41 UTC

AV detection:

10 of 28 (35.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5rq6wzyfozqkdd5j2rdfweudbqv333jsgssadxkecf3nwfqxnabq._file

Verdict:

unknown

RemcosRAT

170e7582bfe11285c88fe6197b4a50a466a3f84465b8d73a1dbd0f79c90d9306

RemcosRAT

48cec3239b87cae63ce7f7a0c5b1b0ff2a21a6bfb9542a9ced8e015e99ae6ab2

RemcosRAT

61079c74aff96424d4b6d794636faa4d7bfd9df2ba67a506164d4168ca6bb234

RemcosRAT

ae56d57584819808e38b6b430dd066a14cc036cec568a0832de08e3f65bccc87

RemcosRAT

b612173e75cc939bb718725850a57a1487095d863db268758b5ee0bf2463f89d

RemcosRAT

ceaa237a1cecea60118cad22275777cfa4ff64ea121d317d7e32ab3df4e10412

RemcosRAT

e8b4d9d1b29d05b29c9a9fcf170748418899cc2438901a69b4f9f0a31e602ffc

RemcosRAT

f0e0f6dc0ab4b552d2e5fd7053c5c57c7e6c6f21a11fe34da5fd9a01f0b24753

RemcosRAT

fa2fea7b2c7e6d02c40890b178133c0c21e6e1182c170c09de4550e85c98e67f

RemcosRAT

+ 4 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/210108-1197a4b5ga/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

212.83.46.26:4023

Unpacked files

SH256 hash:

ca4fa8df4c85368d2317cebb9f95d5d4cb4a3c791766c6d3e6e60206713c8b60

MD5 hash:

2fa72a9f5b2c9fd4443f4ddc26d7b632

SHA1 hash:

22a4e09b89ee1a3af11f0ddb36fe78b5d34d189c

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/c2b639ab-7ff6-47be-ae85-8f3059624e52/

Parent samples :

200c65040041056006600f5a6ed2bbc3281a6e440a12d24a84544d65e157288e
ec61eb67057660a18fa9d4465b12830c2bbded3234a401dd441176db16176803
d93d98295e3aebd631b2fd6d1a47ddd5ed0597343bf2c0ed870d6bdb59cb6192
6a2ffd2b362dd38d2518163bd6c849366ab37d38a446845cc9789dcd02f8e7db

SH256 hash:

296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5

MD5 hash:

4cf24d41a7882216740280e3294cb853

SHA1 hash:

6bcb31d3dc0a7d71da1067a628168664202769a4

Link:

https://www.unpac.me/results/c2b639ab-7ff6-47be-ae85-8f3059624e52/

SH256 hash:

7faa23efac09110c9550380933883779b4d1224f6946e65b64bf6c2819daee02

MD5 hash:

1a5c3b860471074b15d681194f48916e

SHA1 hash:

8b060595d3a4002f90b6ea64276bba2008cdcaf9

Link:

https://www.unpac.me/results/c2b639ab-7ff6-47be-ae85-8f3059624e52/

SH256 hash:

ec61eb67057660a18fa9d4465b12830c2bbded3234a401dd441176db16176803

MD5 hash:

807d184706be5d985443653bab74c2a7

SHA1 hash:

2ffb77203c1fa719e7df160a11fb2462843ed1b5

Link:

https://www.unpac.me/results/c2b639ab-7ff6-47be-ae85-8f3059624e52/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ec61eb67057660a18fa9d4465b12830c2bbded3234a401dd441176db16176803

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator