MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f54187c724636062fdf6287ad5b83c5c198e44577158b30b15d1144c287f4c17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f54187c724636062fdf6287ad5b83c5c198e44577158b30b15d1144c287f4c17
SHA3-384 hash: 5f52a36184484692d4f06bfbee9e2355d9c15381da87ea7202185ed891339c91d54fcacf8c084553bfd4feac7b7c120b
SHA1 hash: 5c8fb4aed388b93205cd36ec991be2cc16f16676
MD5 hash: 4d3b3cbfc7fda510d8b98543745c74f1
humanhash: pluto-glucose-beryllium-mockingbird
File name:Offer & Request Document,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:651'264 bytes
First seen:2020-08-19 06:54:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1d3807efc70a0a5a6d2ab497250e9cb5 (4 x RemcosRAT, 1 x AZORult, 1 x AveMariaRAT)
ssdeep 12288:Jm/ZNPa2c/PWwuUDKcoEwWLC2W2nKjdkOdqY55w/dPXjlBeh06sD:Jm/TyzPWwuUDpoEwECcKpkON/Uno0
Threatray 257 similar samples on MalwareBazaar
TLSH 00D49E62E6804837C1631578AC0B9FE9D937AF103B98AC476BF62E0C5F397D17929097
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rcloud01.siamdataidc.com
Sending IP: 43.229.149.15
From: info@td-bkh.ru
Subject: Offer Request 6100003768
Attachment: Offer Request Document,pdf.iso (contains "Offer & Request Document,pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48248/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Setting a single autorun event
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/437062
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 270992 Sample: Offer & Request Document,pdf.exe Startdate: 19/08/2020 Architecture: WINDOWS Score: 100 32 jackyjian1965.hopto.org 2->32 42 Malicious sample detected (through community Yara rule) 2->42 44 Detected Remcos RAT 2->44 46 Yara detected Remcos RAT 2->46 48 6 other signatures 2->48 7 Offer & Request Document,pdf.exe 1 16 2->7         started        12 Prossec.exe 13 2->12         started        14 Prossec.exe 14 2->14         started        signatures3 process4 dnsIp5 34 cdn.discordapp.com 162.159.134.233, 443, 49746, 49769 CLOUDFLARENETUS United States 7->34 36 discord.com 162.159.136.232, 443, 49745, 49762 CLOUDFLARENETUS United States 7->36 26 C:\Users\user\AppData\Local\Prossec.exe, PE32 7->26 dropped 50 Writes to foreign memory regions 7->50 52 Allocates memory in foreign processes 7->52 54 Creates a thread in another existing process (thread injection) 7->54 16 ieinstal.exe 2 3 7->16         started        38 162.159.138.232, 443, 49768 CLOUDFLARENETUS United States 12->38 56 Injects a PE file into a foreign processes 12->56 20 ieinstal.exe 12->20         started        40 162.159.135.233, 443, 49763 CLOUDFLARENETUS United States 14->40 22 ieinstal.exe 14->22         started        file6 signatures7 process8 dnsIp9 28 jackyjian1965.hopto.org 185.244.30.181, 1965, 49752, 49753 DAVID_CRAIGGG Netherlands 16->28 30 192.168.2.1 unknown unknown 16->30 24 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 16->24 dropped file10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f54187c724636062fdf6287ad5b83c5c198e44577158b30b15d1144c287f4c17/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 06:56:12 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6vayprzemnqgf7pwfb5nlob4lqmy4rcxofmlgcyv2ekeykd7jqlq._file
Verdict:
suspicious
Similar samples:
0755d371e5549b67564d6dfa29600f76226a3dae42acaa8a6d0a82402e57bf86
RemcosRAT
1c517ddebb6f5893d52918c51a70e56f68b50dd65e0460a673cce3625a0f8a2b
RemcosRAT
3f937c7dddcdc31780807b68e4b93eea42d4146195b9c45d671bf6ed2f52a5bc
RemcosRAT
51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f
RemcosRAT
51c81d6e49ad27baa52a1d1047fe0a5c61c209d39110b81ab07cd2aa30a221ab
RemcosRAT
5ef2d70f9e7fa30c9fea637c8b0c60276ca69505640ffb417a27a320575f3807
RemcosRAT
9a20134812ee99ea27f90c22c55eff2020df0bbad574809d9a03ff1cad3a4f43
RemcosRAT
b44646b530b067dadca8a6b31582efa9b9738c068a209af3b1bb4d403bd574fc
RemcosRAT
bdf0628de7c3965db41f88705c2b900a19fc12499435fd77f6eabc172c397861
RemcosRAT
c8dda41b34e9b16da333bfa30653a6f46be67c657158ecfd2c0463903b01e54d
RemcosRAT
+ 247 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence rat family:remcos
Link:
https://tria.ge/reports/200819-nwjh87mt96/
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f54187c724636062fdf6287ad5b83c5c198e44577158b30b15d1144c287f4c17

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 792dc5561690f4811d6820f9277085fc74c4d8571cfa7b212bdb10972265fe2c

RemcosRAT

Executable exe f54187c724636062fdf6287ad5b83c5c198e44577158b30b15d1144c287f4c17

(this sample)

  
Dropped by
MD5 4c079880fc5f9eb8f13134a569b13980
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 792dc5561690f4811d6820f9277085fc74c4d8571cfa7b212bdb10972265fe2c
Cape
Cape
https://www.capesandbox.com/analysis/48248/

Comments