MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef842b61ba7b4de87f9c6ab12cdd68e23c97ee6100b3eabcde0078537af9feb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef842b61ba7b4de87f9c6ab12cdd68e23c97ee6100b3eabcde0078537af9feb8
SHA3-384 hash: 2e2aa36865cc5a8d56fbfc4553a38d3ea54732d285ac3348ba4c6c93d836d49533510b58489d5af9a0f37d9f4cfa1afe
SHA1 hash: cc72a2194d43f226d8cd1cbfd79473a2647f7a95
MD5 hash: c5c7bf9b9eb6f04d6f674dbca8cba182
humanhash: finch-fifteen-september-december
File name:Attached FILE.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'096'192 bytes
First seen:2021-02-23 16:01:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b7d2d22d5303b7a3256c7306e3bf2245 (3 x RemcosRAT, 1 x Loki)
ssdeep 24576:T53qrkzqFJEtaWcYilxt+nSUyCjXb/PBO9Buz15z7:T56AglHWf
Threatray 1'614 similar samples on MalwareBazaar
TLSH 523518B2DB168FE2F41B093DFD5AE5B51601BD1D3A2E54A72EE43B098BAF78170101B1
Reporter abuse_ch
Tags:DHL exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: mail.orderissue.online
Sending IP: 207.244.226.94
From: Dhl Customer Support <help@orderissue.online>
Subject: Order Delivery Failed
Attachment: Attachment.iso (contains "Attached FILE.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118702/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.43761.21093.9113.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/615693
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef842b61ba7b4de87f9c6ab12cdd68e23c97ee6100b3eabcde0078537af9feb8/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 16:02:12 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=56ccwyn2png6q744nkyszxli4i6jp3tbacz6vpg6ab4fg6xz724a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
17c742f29afb5c4352f3fb0079fbb0b2d72da1e65cfc59695f9a7259088b4615
RemcosRAT
1d61d1e99f05f85dbe885fc183a1b5fe81c0d47350868484186705d491a6577a
RemcosRAT
22fd2fb26af250c70cc8a88089d0feccbac2754fe7eed1d108e5891b8409f432
RemcosRAT
37d7dd5be37e03b4168ad2339f996d2b42a7552212e34fbc041f872838ab85e4
RemcosRAT
512f42f440c86ec0b776da00cb7be1aac494914af73a8d47ada5b6a4b5f208eb
RemcosRAT
52fa8487efeb8b203fb1f37501c366088b71de4ded620695ba2e34e8c0f446a2
RemcosRAT
b8226d8eecce8bfdf11e59092c4e1b24fe6c232e566bb2b665530834f3e2a12c
RemcosRAT
d67dde5621d6de76562bc2812f04f986b441601b088aa936d821c0504eb4f7aa
RemcosRAT
e65bff9943ab7ccc3713619a8d908f6caf5392c0c47defe3b66ca9009d2177ed
RemcosRAT
f4f0c2b0fcc641a850b0aaf356f5119f7d6568be3d4b5251a6c6dec1b3e7920f
RemcosRAT
+ 1'604 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210223-dregd262v2/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
rem1.camdvr.org:2404
rem16.hopto.org:2404
rem1666.hopto.org:2404
rem16.camdvr.org:2404
remmusic.freeddns.org:2404
sunwap1.ddns.net:2404
Unpacked files
SH256 hash:
eb31101351e4d1ebe5f72a919b6d7b52e5fe9c2c34251ed13389b42d7b03c845
MD5 hash:
f5ac18ae0d6d5313a57885435772d0ed
SHA1 hash:
ec481b73a0bb46f53465315d00c67a389991e6bd
Link:
https://www.unpac.me/results/dbb7ed8d-ee18-435f-ac2b-fbd02bc3a7df/
SH256 hash:
706d20d3ed5a944ad7351b2b1e6510db719e150baf045713dfba5494879cd959
MD5 hash:
5e793005579e35e29886ecd8c19b78bb
SHA1 hash:
688b72e225d35b6a0caf21ccbac0fd580374d2d8
Link:
https://www.unpac.me/results/dbb7ed8d-ee18-435f-ac2b-fbd02bc3a7df/
SH256 hash:
ef842b61ba7b4de87f9c6ab12cdd68e23c97ee6100b3eabcde0078537af9feb8
MD5 hash:
c5c7bf9b9eb6f04d6f674dbca8cba182
SHA1 hash:
cc72a2194d43f226d8cd1cbfd79473a2647f7a95
Link:
https://www.unpac.me/results/dbb7ed8d-ee18-435f-ac2b-fbd02bc3a7df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef842b61ba7b4de87f9c6ab12cdd68e23c97ee6100b3eabcde0078537af9feb8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 110796474a51b437ed29fa110f2b6fe5341c8218baaf3280414be0dc6a973a89

RemcosRAT

Executable exe ef842b61ba7b4de87f9c6ab12cdd68e23c97ee6100b3eabcde0078537af9feb8

(this sample)

  
Dropped by
MD5 2c930ec15db921cf07f0e2e201df5775
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118702/
  
Dropped by
SHA256 110796474a51b437ed29fa110f2b6fe5341c8218baaf3280414be0dc6a973a89

Comments