MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec84a8bda79a0fd968138e6eb7bed4da519a44b4f24f30eceae26606bf73d5f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 9 File information Comments

SHA256 hash:	ec84a8bda79a0fd968138e6eb7bed4da519a44b4f24f30eceae26606bf73d5f0
SHA3-384 hash:	54204f8acf999eae4c8099abb92e1912b52f7bcc5e524ea62ee0ae1928a0f65c40e399b73c49330ec1d12041bae58e1c
SHA1 hash:	88d68c3dd045ec5245da41feb6130d49b62491f4
MD5 hash:	f8d1358d21f301908cd951fc887d606b
humanhash:	music-nineteen-harry-maine
File name:	Assigned Document.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	856'336 bytes
First seen:	2021-01-18 07:07:18 UTC
Last seen:	2021-01-18 08:49:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7dc63884fd11920a617a7dccbce258fe (3 x RemcosRAT, 1 x NetWire)
ssdeep	12288:Ps3/7rrM09fj4J5ybH/dGesLNDH+dFaqFV681o:PsnreJ5alkVk8So
Threatray	1'534 similar samples on MalwareBazaar
TLSH	E7056C22E5994773C1221ABD5C27E6696834BF4C7928540F37E43D088F762B2392DE6F
Reporter	abuse_ch
Tags:	exe nVpn RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: box.dshuangyang.pw
Sending IP: 192.119.92.206
From: Lazarek <service@dshuangyang.pw>
Subject: New Order
Attachment: New Order.img (contains "Assigned Document.exe")

RemcosRAT C2:
remcos009s.duckdns.org:1980 (185.140.53.220)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-11-06T23:02:44Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Assigned Document.exe

Verdict:

Malicious activity

Analysis date:

2021-01-18 07:08:16 UTC

Tags:

trojan rat remcos

Link:

https://app.any.run/tasks/5d1e49c5-f9fb-4742-87ba-2ea2a432c196

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/112399/

Detection(s):

PUA.Win.Trojan.Generic-6629274-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file

Searching for the window

DNS request

Sending a custom TCP request

Deleting a recently created file

Launching a process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Sending a TCP request to an infection source

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/583338

Signature

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Detected Remcos RAT

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec84a8bda79a0fd968138e6eb7bed4da519a44b4f24f30eceae26606bf73d5f0/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-01-18 07:08:17 UTC

AV detection:

11 of 46 (23.91%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5sckrpnhtih5s2atrzxlppwu3jizurfu6jhtb3hk4jtanp3t2xya._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

069f3de8e79399dcc2a0811f2b560b34339c31eed7a465b9c759bd25d5aea17f

RemcosRAT

0d233d14dd5333614b0521a887e1917ab36649531c8aaaf96a3660e72ac8c463

RemcosRAT

1098c2e11043776815738d6f8abc818560c7516948d15f231a7018dfaeb279ed

RemcosRAT

21691425c52cf7a77c0e3a65cc1c0c59cb026d5b76e78160ebb8a553f9bbe50c

RemcosRAT

7ad833f9f06a7ebbad69a40515654c8a7a1b3346cf93214e2638e33901133409

RemcosRAT

7f53893a9ce40e497ef34ecfc9c4f493b9d5dd7f989b60ffa248cbf289a1505a

RemcosRAT

a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8

RemcosRAT

a7bba5cba33b4320a78cd057e3cdd5169a86e90f6550e997772f4447549fd729

RemcosRAT

e98459447d40bb2a0917db99a3b9a99f22ee66234bfece9bba40f4fea3851201

RemcosRAT

+ 1'524 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos persistence rat

Link:

https://tria.ge/reports/210118-s351deqqse/

Behaviour

Modifies Internet Explorer settings

Modifies system certificate store

Script User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

remcos009s.duckdns.org:1980

Unpacked files

SH256 hash:

ec84a8bda79a0fd968138e6eb7bed4da519a44b4f24f30eceae26606bf73d5f0

MD5 hash:

f8d1358d21f301908cd951fc887d606b

SHA1 hash:

88d68c3dd045ec5245da41feb6130d49b62491f4

Link:

https://www.unpac.me/results/cd02973a-dbef-4abe-8303-107eae04c422/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ec84a8bda79a0fd968138e6eb7bed4da519a44b4f24f30eceae26606bf73d5f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator