MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed4da8ec00d25e1207ddca04f696c887744dac5acf31cf8883663f430d7d47bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed4da8ec00d25e1207ddca04f696c887744dac5acf31cf8883663f430d7d47bf
SHA3-384 hash: e1b1762bd5846c745dd59eac696b6277bdcc3ee2ff27f018fa8fa19c876121b9f4084ced3c39ae3bbca8c71f29cda239
SHA1 hash: 1e89940269ad73d7887e1bb05868b88075535e45
MD5 hash: a60d226f5f28a7faea06456b83037cf3
humanhash: lion-eight-lamp-bakerloo
File name:Transferwise beneficiary detailspdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:498'176 bytes
First seen:2021-04-02 09:38:42 UTC
Last seen:2021-04-02 11:18:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:h7zS8lRxpJPK5h5pmI+wH4mluBNQP24Zl58YQ/:h7NlzPK5tmI+C4euBNs24ZDQ/
Threatray 8 similar samples on MalwareBazaar
TLSH 35B4DF18E3AC5B5DE17E47FB40B072343FFDA1819252FE89EEE110ED29626818552B1F
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
79.134.225.22:9763

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.22:9763 https://threatfox.abuse.ch/ioc/6485/

Intelligence

File Origin
# of uploads :
2
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Transferwise beneficiary detailspdf.exe
Verdict:
Malicious activity
Analysis date:
2021-04-02 09:50:13 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/8c160199-cac7-4673-928a-0af45ceaa142

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/131662/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.623.28201.24586.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c30e49c-cc30-48a2-8e56-7cbd0b0411a5
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/663579
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 380720 Sample: Transferwise beneficiary de... Startdate: 02/04/2021 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 16 other signatures 2->45 7 Transferwise beneficiary detailspdf.exe 7 2->7         started        process3 dnsIp4 35 192.168.2.1 unknown unknown 7->35 29 C:\Users\user\AppData\...\tlqEGTwznp.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmp27AA.tmp, XML 7->31 dropped 33 Transferwise benef... detailspdf.exe.log, ASCII 7->33 dropped 47 Adds a directory exclusion to Windows Defender 7->47 49 Injects a PE file into a foreign processes 7->49 12 Transferwise beneficiary detailspdf.exe 7->12         started        15 powershell.exe 24 7->15         started        17 powershell.exe 25 7->17         started        19 2 other processes 7->19 file5 signatures6 process7 dnsIp8 37 79.134.225.22, 49730, 9763 FINK-TELECOM-SERVICESCH Switzerland 12->37 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        27 conhost.exe 19->27         started        process9
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ed4da8ec00d25e1207ddca04f696c887744dac5acf31cf8883663f430d7d47bf/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5vg2r3aa2jpbeb65zicpnfwiq52e3lc2z4y47cedmy7ugdl5i67q._file
Verdict:
unknown
Similar samples:
077b6aa67ba5bc965c44f862ee4d13368e9758681ec4295086c1bf9b8dd68f80
RemcosRAT
1085d37245912faccfa2fb20359b5560032988719e277a0b98ac2ef9da1476a2
RemcosRAT
27f47dda959af174fb8d5dceb4d1abc99fa1f7c28160ee217a98f57bb03144be
RemcosRAT
47cc8b8e840dacef064487cb2d9712c5b6ed52bd05b67ea9fb8058131ca8b41c
RemcosRAT
7bbca5aa0688510e1d000f7a3b4fa3e1153d2e005a14a5b38c0092bbe07a2731
RemcosRAT
7c6a987b9a63992f13adc130b38aee07d79d8786178c9cf339915112a28a7a6f
RemcosRAT
acf30aabe0138a2fd83f455da4a9a3cb10c374e33b2ed7d4570a799f58e91028
RemcosRAT
d44e3701a7ef81adda35e011eb833d146cf703753314d04488603317f22b7fdb
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210402-84hpb46492/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
79.134.225.22:9763
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/fbbebccd-174f-4b04-80be-52c2f7aefa40/
SH256 hash:
ed4da8ec00d25e1207ddca04f696c887744dac5acf31cf8883663f430d7d47bf
MD5 hash:
a60d226f5f28a7faea06456b83037cf3
SHA1 hash:
1e89940269ad73d7887e1bb05868b88075535e45
Link:
https://www.unpac.me/results/fbbebccd-174f-4b04-80be-52c2f7aefa40/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/ed4da8ec00d25e1207ddca04f696c887744dac5acf31cf8883663f430d7d47bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_remcos_g0
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/131662/

Comments