MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efb8a01422e4878a75c28f13b9607184285834d20e5301c870b373db744d7c0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efb8a01422e4878a75c28f13b9607184285834d20e5301c870b373db744d7c0b
SHA3-384 hash: a70d507dfe79295740763fc3f90c8013c9823967f33f23a19f979bcfe090a4f1bfc2bec097e191f7620b2c30d0d324a3
SHA1 hash: c83c19fb58b79f7297c138a9a4af00923c5940a0
MD5 hash: 1a1fcdd8d3bc67b2513d2bec6ada5b8b
humanhash: cola-april-alanine-charlie
File name:AD Order Confirmation-7645,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:674'304 bytes
First seen:2021-08-27 07:44:47 UTC
Last seen:2021-08-27 09:26:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7f96272d7334ea5c5b0f297a4213e926 (2 x RemcosRAT, 1 x Neshta)
ssdeep 12288:R+i5kuKF/CFs3c7WaNipAfofysLefr8jdv:cEKF/P3c7rMAfo6s6frg9
Threatray 503 similar samples on MalwareBazaar
TLSH T14FE44BB675500D3DD52B1F7AED8FBA684525BD013C10FE8BAED43D4A16BC2A4321A387
dhash icon 4835f31886713986 (2 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AD Order Confirmation-7645,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-08-27 07:45:27 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/441e548e-897d-4bf0-8922-eb0d32ce5ac1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182820/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.8868.28153.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Connection attempt to an infection source
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Unauthorized injection to a system process
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1b7a503d-0390-4843-a852-54516475c62d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/840237
Signature
Contains functionality to inject threads in other processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efb8a01422e4878a75c28f13b9607184285834d20e5301c870b373db744d7c0b/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 07:45:06 UTC
AV detection:
11 of 37 (29.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=564kafbc4sdyu5ocr4j3sydrqqufqngsbzjqdsdqwnz5w5cnpqfq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
864081d9870b1b81cb2c750b630a828b191f7c664790c54115a8033351f50ea1
RemcosRAT
8d076437949873b971f9534e630ebe26a8437f50786c430eaeb46c71d53a88e5
RemcosRAT
8dd453814cc59ecb7918da706244b3e8aacc66146b9ff80bcad195e066464139
RemcosRAT
af8ee88bf85615f2c305ce230560485be949dbb7355640e0498bf93f154df714
RemcosRAT
bf0cc4fd655e77d8b634ad0f7de607e8bda88034910511e120dafc86d96fd8df
RemcosRAT
e156425f76efbe5cdf1494564b1328f13b2284791e591961077d387329b024e1
RemcosRAT
+ 493 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:new era persistence rat
Link:
https://tria.ge/reports/210827-8lh49f6vkn/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
thankyoulord4real.ddns.net:3030
Unpacked files
SH256 hash:
4e1202f3e7e04b0b3ca1df164bf5381f24063c142317e774d4e5d88b2b3ac744
MD5 hash:
aa23dee2c34813d67fe9c67ec784782a
SHA1 hash:
10b2e7af7cb9d6f852e6d607875a8c9613538930
Link:
https://www.unpac.me/results/32228330-64f7-494d-b273-684a93945dae/
SH256 hash:
efb8a01422e4878a75c28f13b9607184285834d20e5301c870b373db744d7c0b
MD5 hash:
1a1fcdd8d3bc67b2513d2bec6ada5b8b
SHA1 hash:
c83c19fb58b79f7297c138a9a4af00923c5940a0
Link:
https://www.unpac.me/results/32228330-64f7-494d-b273-684a93945dae/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/efb8a01422e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/efb8a01422e4878a75c28f13b9607184285834d20e5301c870b373db744d7c0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe efb8a01422e4878a75c28f13b9607184285834d20e5301c870b373db744d7c0b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/182820/

Comments