MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f073972759773e60fab92a992c398123df087c9cda7cb8284c70aea71f417611. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 11



SHA256 hash: f073972759773e60fab92a992c398123df087c9cda7cb8284c70aea71f417611
SHA3-384 hash: edb3c007310aa8975cebfd12a701760abd814fc2e5f596d28a7baa760a7f1a426cf1575fbaa30b86edd6baa3c3134990
SHA1 hash: cba3b8c0dd322463d0467cdf0f27824970f6e655
MD5 hash: 27f07b01653396d6ef9221fb81faba81
humanhash: fifteen-five-alabama-aspen
File name: New Order# 11009947810.scr
Signature: RemcosRAT
File size: 1'339'895 bytes
First seen: 2021-07-05 22:14:58 UTC
Last seen: 2021-07-06 13:17:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 24576:BAOcZpJPhn0i9tLsMCWmCSCUpAsHFicIO9d7+tdZ7QyJr3J0:boN0i9tLs0YHAcrd7+5QyJr3J0
Threatray: 931 similar samples on MalwareBazaar
TLSH: 71552341B6C248B1D57329325E39BB246D7EBD201F285B5FA3D00C7C9FB1581AA25FA3
Reporter: Anonymous
Tags: exe RemcosRAT

Intelligence

File Origin
# of uploads: 2
# of downloads: 145
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: New Order# 11009947810.scr
Verdict: Malicious activity
Analysis date: 2021-07-05 22:16:24 UTC
Tags: rat remcos keylogger stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Drops PE files with a suspicious file extension
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected Remcos RAT

Behaviour
Behavior Graph:
Behavior Graph ID: 444400
Sample: New Order# 11009947810.scr
Start date: 06/07/2021
Architecture: WINDOWS
Score: 100

Sample-level DNS/IP: rebekauk.duckdns.org
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures

Process tree (from the behavior graph):
New Order# 11009947810.exe (started)
    dropped: C:\Users\user\12926486\xgltfvpuft.pif, PE32
    xgltfvpuft.pif (started)
        dropped: C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32
        signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        RegSvcs.exe (started)
            network: rebekauk.duckdns.org 185.140.53.216, port 3814, DAVID_CRAIGGG, Sweden
            signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies; 2 other signatures
        mshta.exe (started, 2 instances)
        5 other processes
xgltfvpuft.pif (started)
    mshta.exe (started, 3 instances)
    5 other processes
Threat name: Win32.Trojan.Tiggre
Status: Malicious
First seen: 2021-07-05 21:44:00 UTC
AV detection: 24 of 46 (52.17%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:nanocore family:remcos botnet:remotehost keylogger persistence rat spyware stealer trojan

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NanoCore
Remcos

Malware Config
C2 Extraction: rebekauk.duckdns.org:3814
Unpacked files

SHA256 hash: 0d8c54d4ad49d3a18c077af8e2db92b668bbf7a2a0ed5ffcc426e4cf94bcf616
MD5 hash: afce7e8ae3a43e8523765214102d3276
SHA1 hash: cf4e56b93b6cb6d70ccad40a18a6fd159164029b

SHA256 hash: 799965672f72c6c38a0c15f4ff8b88c6c254dc05572add89c02f0407badc2b31
MD5 hash: 77ee239407c834a179079c2044edb6d0
SHA1 hash: 5949a7406677101b1a13e35f535426957b63db32
Detections: win_remcos_g0

SHA256 hash: f073972759773e60fab92a992c398123df087c9cda7cb8284c70aea71f417611
MD5 hash: 27f07b01653396d6ef9221fb81faba81
SHA1 hash: cba3b8c0dd322463d0467cdf0f27824970f6e655
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_RemcosRAT
Author: abuse.ch

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: remcos_rat
Author: jeFF0Falltrades

Rule name: REMCOS_RAT_variants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via e-mail link

Comments