MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f43a96ccf1d23d7dda1abbc2bea16ecbb2fb43b2f05e4015ff69c02e2c144ab2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 9 File information Comments

SHA256 hash:	f43a96ccf1d23d7dda1abbc2bea16ecbb2fb43b2f05e4015ff69c02e2c144ab2
SHA3-384 hash:	d1780a12263456b667edf9386124d56fac3a1f5bc1cff1d2e09426bc8b6d535fdf541419168fba334d5191c50568c3a6
SHA1 hash:	f94ccaa90b94649826d7a77956fc55f98b4b64f4
MD5 hash:	5e26a36151f74845b48241366ffe6741
humanhash:	winter-alaska-fifteen-red
File name:	Factura Serfinanza_05031367918_64895_9293161158346_010435_561583349364384812929954_657811397647994_pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	3'310'720 bytes
First seen:	2020-12-10 11:09:16 UTC
Last seen:	2020-12-10 12:31:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	98304:QUFt+kCCJgqRtyU5y7qvuX0r5SNZDFJ1b4UZ:vq3T
Threatray	1'221 similar samples on MalwareBazaar
TLSH	89E5C1883C03381F35A542B89AC722F4A0AE70191974173A6D6718BDF61CE677DDF9B2
Reporter	abuse_ch
Tags:	ESP exe geo Outlook RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: NAM04-CO1-obe.outbound.protection.outlook.com
Sending IP: 40.92.10.31
From: patricia garcia montoya <patriciagarciaconta@hotmail.com>
Subject: FACTURA EN MORA SERFINANZA.
Attachment: Factura Serfinanza_05031367918_64895_9293161158346_010435_561583349364384812929954_657811397647994.t (contains "Factura Serfinanza_05031367918_64895_9293161158346_010435_561583349364384812929954_657811397647994_pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

206

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

09079a9c-15a1-467c-9ee5-afad545d6e9c

Verdict:

Malicious activity

Analysis date:

2020-12-10 11:11:44 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/b1fe6cc3-df03-4fca-8234-d30f03c7a065

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/107680/

Detection(s):

SecuriteInfo.com.Generic.mg.5e26a36151f74845.1765.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Adding an access-denied ACE

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Creating a window

Deleting a recently created file

Running batch commands

DNS request

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Setting a global event handler for the keyboard

Connection attempt to an infection source

Result

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f43a96ccf1d23d7dda1abbc2bea16ecbb2fb43b2f05e4015ff69c02e2c144ab2/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2020-12-10 02:04:30 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6q5jnthr2i6x3wq2xpbl5ilozozpwq5s6bpeafp7nhac4laujkza._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

3ad976b10711565d40a43e17baa86f178a22066c982363d711db1f7edbff3ff2

RemcosRAT

4096056536154e1fa5a10e3495cd3ddadf7c01022b7b65b0c35a67b2eac2bc6b

RemcosRAT

54c9967a2b3467f1a5961630d0bd429400e781de19866a383267c40e0f9acf2f

RemcosRAT

5b10f4a23880b51923a0df3e9e3c37f40eb0d3cc93de7b463da62f936a501385

RemcosRAT

65228df6e85371a2b4b1e5340f11e36cdc94f8b39bda216c0ed143eaac36912b

RemcosRAT

6c489ebc2d7b407a9058479ee3e54b83949ef2a58ce749528cea74b4f0b5db0e

RemcosRAT

82027bdaf86e2d0da1c45ede5efd820a1cbaace1b1b8f7675b8115d82db75f26

RemcosRAT

d34e588c8bef9cef39708c52f7f372bcd4b5fc39e4eaf0b9193aa586a10d7cc2

RemcosRAT

e1865abf21c3b8f3b3d15e6c6e477468941f9e65700ceaaa0f4cb269d967c83e

RemcosRAT

+ 1'211 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/201210-frc16gjvws/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

ServiceHost packer

Remcos

Malware Config

C2 Extraction:

databasepropersonombrecomercialideasearchwords.services:7580

Unpacked files

SH256 hash:

3cd4c689a4780feda9b9d5b51d586556bbff54572f47e34f40d63638f5078b9d

MD5 hash:

82020f486da092d440d9fb45089ed463

SHA1 hash:

30c7a140f1748d933e39121fe8ebcdddbb72ebce

Link:

https://www.unpac.me/results/38fd67dd-1cea-46c8-8f3d-7b4dc33c848b/

SH256 hash:

9c0252c43e61ec5a6b01f048dbc929f3b466d27d28c2ef76fdade33340fe8f25

MD5 hash:

0ca10c623ab6c5a5c62579772986fe65

SHA1 hash:

1f56eec02f58cf694600a03bd63cc163a38b3259

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/38fd67dd-1cea-46c8-8f3d-7b4dc33c848b/

SH256 hash:

f43a96ccf1d23d7dda1abbc2bea16ecbb2fb43b2f05e4015ff69c02e2c144ab2

MD5 hash:

5e26a36151f74845b48241366ffe6741

SHA1 hash:

f94ccaa90b94649826d7a77956fc55f98b4b64f4

Link:

https://www.unpac.me/results/38fd67dd-1cea-46c8-8f3d-7b4dc33c848b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.79

Link:

https://yomi.yoroi.company/submissions/f43a96ccf1d23d7dda1abbc2bea16ecbb2fb43b2f05e4015ff69c02e2c144ab2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator