MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4f0c2b0fcc641a850b0aaf356f5119f7d6568be3d4b5251a6c6dec1b3e7920f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4f0c2b0fcc641a850b0aaf356f5119f7d6568be3d4b5251a6c6dec1b3e7920f
SHA3-384 hash: d5079f089cd983c7e8d6c1001106dadb26bef8fdbbdf069107f5e08f94e675fedc6dc93f77f92d572c69b6583efffa8b
SHA1 hash: 3950344a29ec2e1a76546b091646da14ac2b4efd
MD5 hash: 3ff9ec45f1f698b89d457ef6f7419829
humanhash: orange-mountain-robin-queen
File name:DHL_409011 documento de recibo,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:765'184 bytes
First seen:2021-02-05 18:43:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3006b9ec633343c82818c9662a67f7ee (3 x RemcosRAT)
ssdeep 12288:j9VGYp+A0bI8LK1cofUCje+OTDD+1TW+n/nodEtsCz:jHiA0MWnOUCjl2DuTW+vomxz
Threatray 1'547 similar samples on MalwareBazaar
TLSH B5F47CE562800831E03916B98C4BA364CD277DC3265C732D97E5FDCE6A313583A9B97B
Reporter abuse_ch
Tags:DHL exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: mail1.tri--sure.com
Sending IP: 161.35.230.137
From: DHL Support<support@dhl.com>
Subject: Re: Notificación de envío de DHL
Attachment: DHL_409011 documento de recibo,pdf.iso (contains "DHL_409011 documento de recibo,pdf.exe")

RemcosRAT C2:
insidelife1.ddns.net

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_409011 documento de recibo,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-02-05 18:48:56 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/78a60146-9638-49f2-86c7-0cddcf8a31bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115791/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Win.Malware.Delf-9828784-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/600625
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4f0c2b0fcc641a850b0aaf356f5119f7d6568be3d4b5251a6c6dec1b3e7920f/
Threat name:
Win32.Infostealer.BestaFera
Create hunting rule
Status:
Malicious
First seen:
2021-02-05 18:44:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6tymfmh4yza2qufqvlzvn5irt56wk2f6hvfveungy3pmdm7hsihq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
138fa2cd5e89767fd71e4e32719550f54910e3ecc3f81fea5341321cc1b5d429
RemcosRAT
3c335659038cb7bda99cc8839385bbfebeaa9deb3f6a3702b5076460c4353a55
RemcosRAT
5178316a133ee4ce629f5b31ddc2fdb8fd6ff8a581174c0a21f41d44ebfcd88d
RemcosRAT
56fec820ce36b3b5f155dba31e5ba880078fc7bcc6420fc2fb4ca5af6ac5725b
RemcosRAT
585b90e0edb07e66ab99c6a2fdbd7190cb0cac755d8b1197ed8eb08fa82b359d
RemcosRAT
785790e2814af826f66cf31460fdcf7ce48513c6f451fca29fa52f101dd65b00
RemcosRAT
92f26df2b8881b2971127cc9bd67d17924b895e4124092d49fdc6ebe4d362620
RemcosRAT
abee232f81ca94abbdb0d1c0d236b0ee49b421b32e0a6b8812e278a248b6b46a
RemcosRAT
b512225b90f7fe3650ef72a79a88229aab31e5907102d2bc962c88db390f168b
RemcosRAT
b67361c9d7c2bcbe7e94b698f4d5abd1e6ffd96429d2c66dcfd92a573303e4f0
RemcosRAT
+ 1'537 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210205-agdwmzpvg6/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Unpacked files
SH256 hash:
38919c96274afe44c440fa298fc363e1217dfa355da38dd4de2ef213808870c2
MD5 hash:
c3d226b590a22cb9f1aa308748ff47dd
SHA1 hash:
64504ed945df46476fc3ac19dd42972966206e52
Link:
https://www.unpac.me/results/2513ddc6-f732-46d2-becd-fc9ea7a90ec1/
SH256 hash:
f4f0c2b0fcc641a850b0aaf356f5119f7d6568be3d4b5251a6c6dec1b3e7920f
MD5 hash:
3ff9ec45f1f698b89d457ef6f7419829
SHA1 hash:
3950344a29ec2e1a76546b091646da14ac2b4efd
Link:
https://www.unpac.me/results/2513ddc6-f732-46d2-becd-fc9ea7a90ec1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4f0c2b0fcc641a850b0aaf356f5119f7d6568be3d4b5251a6c6dec1b3e7920f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 4707d6464c81e6f320d1a7d55fe223577d0d7d92b32faa5a733a8a807203e5ae

RemcosRAT

Executable exe f4f0c2b0fcc641a850b0aaf356f5119f7d6568be3d4b5251a6c6dec1b3e7920f

(this sample)

  
Dropped by
MD5 438081c4c441233d1d75555998f8d8c6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/115791/
  
Dropped by
SHA256 4707d6464c81e6f320d1a7d55fe223577d0d7d92b32faa5a733a8a807203e5ae

Comments