MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8
SHA3-384 hash: 5960009ca7504fc74ce4a4ff2f3fc546e5d31823b624c0ebd0b9950c6f7cbc181c393e861ea76c1e8ee913e7e46c9678
SHA1 hash: c808220bb23632c399afb688a752f26b2b6056b0
MD5 hash: 923a6bfbacc542ea646c55a2e644c605
humanhash: georgia-leopard-carbon-oranges
File name:PO#83922009122.pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:919'552 bytes
First seen:2021-01-14 07:00:14 UTC
Last seen:2021-01-14 08:52:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:QVcgY1tR/BYrvrEs2nQ9AnWlkVRIIxQYs0uYMHUHelcd:QVYtRGrvrtV9K6kIIaV0r
Threatray 1'595 similar samples on MalwareBazaar
TLSH 1B157C499B919713C7AC32FE400D166116A1D7BC76E5E739FC8070A7BE6279800FE2A7
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: server.elmasgrafik.com
Sending IP: 185.48.182.122
From: Subhabrata Mahanti <agency@osc.com.tr>
Subject: RE: Quote_45893216_33661100
Attachment: PO83922009122.pdf.7z (contains "PO#83922009122.pdf.exe")

RemcosRAT C2:
194.5.97.174:1990

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO#83922009122.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 07:32:51 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/8d67a469-a9f2-4706-a07c-6836f06f3516

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111954/
Detection(s):
SecuriteInfo.com.Artemis.2360.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/581166
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 339617 Sample: PO#83922009122.pdf.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 100 79 avatars3.githubusercontent.com 2->79 81 avatars1.githubusercontent.com 2->81 83 2 other IPs or domains 2->83 103 Malicious sample detected (through community Yara rule) 2->103 105 Multi AV Scanner detection for dropped file 2->105 107 Sigma detected: Scheduled temp file as task from temp location 2->107 109 11 other signatures 2->109 14 PO#83922009122.pdf.exe 7 2->14         started        signatures3 process4 file5 73 C:\Users\user\AppData\Roaming\Vodgtv.exe, PE32 14->73 dropped 75 C:\Users\user\AppData\Local\...\tmpB26F.tmp, XML 14->75 dropped 77 C:\Users\user\...\PO#83922009122.pdf.exe.log, ASCII 14->77 dropped 125 Contains functionalty to change the wallpaper 14->125 127 Contains functionality to steal Chrome passwords or cookies 14->127 129 Contains functionality to capture and log keystrokes 14->129 131 2 other signatures 14->131 18 PO#83922009122.pdf.exe 3 5 14->18         started        22 schtasks.exe 1 14->22         started        24 PO#83922009122.pdf.exe 14->24         started        26 PO#83922009122.pdf.exe 14->26         started        signatures6 process7 dnsIp8 85 192.168.2.1 unknown unknown 18->85 69 C:\Users\user\AppData\Roaming\...\system.exe, PE32 18->69 dropped 71 C:\Users\user\...\system.exe:Zone.Identifier, ASCII 18->71 dropped 28 wscript.exe 1 18->28         started        30 conhost.exe 22->30         started        file9 process10 process11 32 cmd.exe 1 28->32         started        process12 34 system.exe 5 32->34         started        38 conhost.exe 32->38         started        file13 67 C:\Users\user\AppData\...\system.exe.log, ASCII 34->67 dropped 111 Multi AV Scanner detection for dropped file 34->111 113 Detected unpacking (creates a PE file in dynamic memory) 34->113 115 Contains functionalty to change the wallpaper 34->115 117 3 other signatures 34->117 40 system.exe 3 1 34->40         started        44 schtasks.exe 1 34->44         started        signatures14 process15 dnsIp16 87 194.5.97.174, 1990, 49734 DANILENKODE Netherlands 40->87 119 Writes to foreign memory regions 40->119 121 Allocates memory in foreign processes 40->121 123 Injects a PE file into a foreign processes 40->123 46 svchost.exe 2 12 40->46         started        48 svchost.exe 40->48         started        50 svchost.exe 40->50         started        52 svchost.exe 40->52         started        54 conhost.exe 44->54         started        signatures17 process18 process19 56 iexplore.exe 46->56         started        process20 58 iexplore.exe 56->58         started        61 iexplore.exe 56->61         started        63 iexplore.exe 56->63         started        65 2 other processes 56->65 dnsIp21 89 avatars3.githubusercontent.com 58->89 99 3 other IPs or domains 58->99 91 avatars3.githubusercontent.com 61->91 93 avatars1.githubusercontent.com 61->93 95 avatars3.githubusercontent.com 63->95 97 avatars1.githubusercontent.com 63->97 101 4 other IPs or domains 65->101
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 07:01:17 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6vamyqj2i3i4mrkczgjv3ay543uzbda33bxesdwwnvd27ohxil4a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1a1924da9d272ea46f8a0a62d7e2ecf01746e9a7621c8b1c36950788c3a3bd8c
RemcosRAT
1dc21d30d3202d5885c58439163601b1cde9a0a094129dd8e39f0ed8b7f10953
RemcosRAT
4ca67f02ee334674afe88b3a4329449ecbfb8d9f83ceccc9198c5edecdafa96b
RemcosRAT
71d7c76b658053e46f6dff1e25fc4ed32bdbe2afd879ce510ce79d327c34bc31
RemcosRAT
8698337edbeaff1bcd719babffa69ff876d5ee74349886e5cba349b7cae7e19f
RemcosRAT
9da23f9a781b72621d3e787154ff0fc50c89cb33070467c7fd0fa0b24f07108c
RemcosRAT
a7154f13f8a8a66f47afafe4099e6e760aef60af8eb8d66de0d8ee83cfe1ef8b
RemcosRAT
bd4ef5e45ec6e18bc4fc2225588ea4d01151f8f82aeb073a75868bdbcfc66b5a
RemcosRAT
be83ef519ed5e3e444b10b4dd8a77515cda4993c6ce69f565405c9c2bd0901bc
RemcosRAT
c032e316eefbacca4b3ddfe7fc2ee9ac5f86daea767232d2322f7fdfe4b18993
RemcosRAT
+ 1'585 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210114-f6cnayylf2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
194.5.97.174:1990
Unpacked files
SH256 hash:
f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8
MD5 hash:
923a6bfbacc542ea646c55a2e644c605
SHA1 hash:
c808220bb23632c399afb688a752f26b2b6056b0
Link:
https://www.unpac.me/results/6a7a9ed6-fb21-47ea-8561-094301bb64dc/
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/6a7a9ed6-fb21-47ea-8561-094301bb64dc/
SH256 hash:
ffc44ddb0102434912280f4bc74ff3f27fdbb6b8681d194baf8a5d0bcd73078e
MD5 hash:
495c50718f2e2ba9ab5881e0d0be97a6
SHA1 hash:
9194735112068edaba63d3d7dcf35551c1b52964
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/6a7a9ed6-fb21-47ea-8561-094301bb64dc/
Parent samples :
f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8
83e2e475905c185d7114012d68a15aecf822c14a1e1bda9bf55441062a01fba1
SH256 hash:
9bc39c74e17755cf58562aa7b0e93371143f7243730a08f2f4fcfb24ab34275b
MD5 hash:
8016360fb35a8dca6887f005e76e7ec1
SHA1 hash:
c9482cd65ff62b18dde351b7b2359a5a572d0645
Link:
https://www.unpac.me/results/6a7a9ed6-fb21-47ea-8561-094301bb64dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

7z 26c3d5d9faae143b4400659ad79b9232e9d909e67c838de95263ba1be1e0b623

RemcosRAT

Executable exe f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8

(this sample)

  
Dropped by
MD5 7f2996c932368d0a2a2f0bd5e6f7abd8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111954/
  
Dropped by
SHA256 26c3d5d9faae143b4400659ad79b9232e9d909e67c838de95263ba1be1e0b623

Comments