MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecf35c263f07ed5edff0da4bd10a3840df35cc52b9300dbd1ab3de0170d9e9cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecf35c263f07ed5edff0da4bd10a3840df35cc52b9300dbd1ab3de0170d9e9cc
SHA3-384 hash: beadf7a9ca522f2f3749489834f4577160123e171a2ee959bd37a05544772e1b5ed8a72fa650a9e1be59594f4569cdf9
SHA1 hash: ab459f0a02896016ee1279789a114e14a219bc9c
MD5 hash: b2679764fa6fff4ddcfb7ce4d616bdbf
humanhash: video-butter-fourteen-wyoming
File name:09-11-2020.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:341'003 bytes
First seen:2020-11-09 19:31:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 6144:jPCganNItA0hQpRAPP2rjBdJfo/NTAaoK5PhJYo72y+GT/gMC/7FnYgh/dC:RanStVKpRAPPijBCMNK5pe5qgbhnYkk
Threatray 339 similar samples on MalwareBazaar
TLSH 9E742240B761DCB3C49620B018761D27F7959AD4E5652AC79B807AE6F42F360DE0E0E7
Reporter abuse_ch
Tags:exe Outlook RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: NAM04-BN3-obe.outbound.protection.outlook.com
Sending IP: 40.92.9.66
From: Olga Sepulveda Roballo <olga_sepulveda817@hotmail.com>
Subject: DOCUMENTOS PARA REVISAR
Attachment: 09-11-2020.UU (contains "09-11-2020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for recently created files
Moving a file to the %AppData% subdirectory
DNS request
Sending a custom TCP request
Unauthorized injection to a system process
Forced shutdown of a system process
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/527079
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Remcos
Uses bootcfg to modify the Windows boot settings
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 312631 Sample: 09-11-2020.exe Startdate: 09/11/2020 Architecture: WINDOWS Score: 100 40 ruthy.qdp6fj1uji.xyz 2->40 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 4 other signatures 2->50 10 09-11-2020.exe 37 2->10         started        12 bootcfg.exe 15 2->12         started        signatures3 process4 file5 15 rundll32.exe 10->15         started        32 C:\Users\user\AppData\Local\...\Rhodolite.dll, PE32 12->32 dropped 34 C:\Users\user\AppData\Roaming\...\vslogui.dll, PE32 12->34 dropped 36 C:\Users\...\MicrosoftVisualStudioVSHelp.dll, PE32 12->36 dropped 38 11 other files (none is malicious) 12->38 dropped 18 rundll32.exe 12->18         started        process6 signatures7 60 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->60 62 Hijacks the control flow in another process 15->62 64 Maps a DLL or memory area into another process 15->64 20 cmd.exe 3 2 15->20         started        23 cmd.exe 3 18->23         started        26 cmd.exe 18->26         started        process8 dnsIp9 52 Detected Remcos RAT 20->52 54 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->54 56 Contains functionality to steal Chrome passwords or cookies 20->56 58 5 other signatures 20->58 28 iexplore.exe 1 20->28         started        42 ruthy.qdp6fj1uji.xyz 177.255.11.162, 2047, 49727, 49733 ColombiaMovilCO Colombia 23->42 signatures10 process11 process12 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ecf35c263f07ed5edff0da4bd10a3840df35cc52b9300dbd1ab3de0170d9e9cc/
Threat name:
Win32.Worm.AutoRun
Create hunting rule
Status:
Malicious
First seen:
2020-11-09 18:51:37 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5tzvyjr7a7wv5x7q3jf5ccryidptltcsxeya3pi2wppac4gz5hga._file
Verdict:
unknown
Similar samples:
0280e86983483d8d328abb0d591cd888813657ab4ea4c96310ed17deb08abb68
RemcosRAT
0629a3a3d21356319e1ecbfe9c23556957d42c273fe6a82c286f9996cd98ebd1
RemcosRAT
0724bc0b4abf5e1ae32a9fb01f6a9e18b6d5f086f8b19c3d41cd172fbf57e6bc
RemcosRAT
20c3e4781ccd8ac11551b0eae31eeffec03bcfac4067d35caa5057c62efb057d
RemcosRAT
77ea7d45c9f0360888ab6caa445c2702b7b36d5998bd3b719e120af818b0e2fd
RemcosRAT
a2b745b8a979a49f8f7361caff58117a45e9da4149042299b96f68e3ff3998b1
RemcosRAT
aff1db5008848b7d3e33a0de956e63b74969d95e1332ec0dd2d9a353fd74cc1f
RemcosRAT
bc36c8d0ca400dd8e12f7d5af0569c24f549305697b46804fa700edf573884fb
RemcosRAT
dcb0ebc1f45c4de45babb921e77c6f9d3e62c9071fd5713f6ecc064f6784fe6e
RemcosRAT
df43c3de9ccc3d956cc5b275e9be8bf7c7dfb62bc24f4f4925e9b147b57af324
RemcosRAT
+ 329 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/201109-h4mrthdx8a/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
ruthy.qdp6fj1uji.xyz:2047
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ecf35c263f07ed5edff0da4bd10a3840df35cc52b9300dbd1ab3de0170d9e9cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

bc8a3ad01f5e8eb7926d2d99fc86cfd4

RemcosRAT

Executable exe ecf35c263f07ed5edff0da4bd10a3840df35cc52b9300dbd1ab3de0170d9e9cc

(this sample)

  
Dropped by
MD5 bc8a3ad01f5e8eb7926d2d99fc86cfd4
  
Delivery method
Distributed via e-mail attachment

Comments