MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f555b62bf0009296fac351876b799bce9c56ff50412639a7c465f5e542f5fef3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f555b62bf0009296fac351876b799bce9c56ff50412639a7c465f5e542f5fef3
SHA3-384 hash: e88501ae1f7c6450e4fad976187202a88b17d1a99511ca304f806d315b512b73184cba528825ddc1d935ed6635fce3cd
SHA1 hash: 3e3297148c0a26d58b32b830479a6482e75b9086
MD5 hash: 5bbd841e1c53b96289116be04d0c1df8
humanhash: sixteen-oscar-nineteen-asparagus
File name:TVVOP-MIOO Sidenor ,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:650'240 bytes
First seen:2021-08-04 05:59:39 UTC
Last seen:2021-08-04 07:21:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 93f93c19958ee392fd5405cbaa49996b (3 x RemcosRAT)
ssdeep 12288:xeOX6MRF7wJLbjAXZCvdQ9GCUNzi8tYrfFyQgkf:k2lF7SHjAJCvdbhNzi8tYrtN
Threatray 715 similar samples on MalwareBazaar
TLSH T142D47C7155DAA0FFF4B61AB46D063B69042FB9040C642C0FAEED2B05ED29B556031FAF
dhash icon 484a4c66d32e2e8a (11 x RemcosRAT, 2 x Formbook, 2 x BitRAT)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TVVOP-MIOO Sidenor ,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-08-04 06:02:15 UTC
Tags:
trojan rat remcos
Link:
https://app.any.run/tasks/4f477622-115b-43da-b1e6-48a0e334978e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176228/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.61599.1324.8890.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c6343b4e-6b43-4fba-a09f-06f8f8d9296f
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826646
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 459073 Sample: TVVOP-MIOO Sidenor ,pdf.exe Startdate: 04/08/2021 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 5 other signatures 2->65 7 TVVOP-MIOO Sidenor ,pdf.exe 1 19 2->7         started        12 Satvqfa.exe 16 2->12         started        14 Satvqfa.exe 16 2->14         started        process3 dnsIp4 37 onedrive.live.com 7->37 39 dm-files.fe.1drv.com 7->39 41 cm0cqa.dm.files.1drv.com 7->41 33 C:\Users\Public\Libraries\...\Satvqfa.exe, PE32 7->33 dropped 69 Writes to foreign memory regions 7->69 71 Allocates memory in foreign processes 7->71 73 Creates a thread in another existing process (thread injection) 7->73 16 mobsync.exe 2 7->16         started        43 onedrive.live.com 12->43 47 2 other IPs or domains 12->47 75 Multi AV Scanner detection for dropped file 12->75 77 Injects a PE file into a foreign processes 12->77 20 DpiScaling.exe 12->20         started        45 onedrive.live.com 14->45 49 2 other IPs or domains 14->49 22 mobsync.exe 14->22         started        file5 signatures6 process7 dnsIp8 35 zion6.ddns.net 185.140.53.129, 2815, 49742, 49749 DAVID_CRAIGGG Sweden 16->35 51 Contains functionality to steal Chrome passwords or cookies 16->51 53 Contains functionality to inject code into remote processes 16->53 55 Contains functionality to steal Firefox passwords or cookies 16->55 57 2 other signatures 16->57 24 mobsync.exe 13 16->24         started        27 mobsync.exe 13 16->27         started        29 mobsync.exe 1 16->29         started        31 3 other processes 16->31 signatures9 process10 signatures11 67 Tries to harvest and steal browser information (history, passwords, etc) 24->67
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f555b62bf0009296fac351876b799bce9c56ff50412639a7c465f5e542f5fef3/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 19:37:08 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6vk3mk7qacjjn6wdkgdww6m3z2ofn72qietdtj6emx26kqxv73zq._file
Verdict:
malicious
Similar samples:
1c33eed32ee64e2abbc1b66486b46f93b5ca61d42e384d3dd49810c73f48147f
RemcosRAT
43749e8d0c848f2143447b979748f3605e7773abe0550da6ec111473003247c3
RemcosRAT
4c0c348d5fe6d35084087f5df83a5d5f15aa75a30b1dc37204f701383a7685eb
RemcosRAT
5d888bc6d0a7f5da0c94a55113d93a3f8b894472c4d42af88c7cf7cb885d95ad
RemcosRAT
a2f8c191b7fb47cf9266a986aa47e6897d6615889b76a0050450fb68afc279f6
RemcosRAT
d8d1848fcde25e0975a524cb62ef2d622997caacbee10038cb4b49b23b76d484
RemcosRAT
+ 705 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:ok man persistence rat suricata trojan
Link:
https://tria.ge/reports/210804-z4xkd1hrv2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
Malware Config
C2 Extraction:
zion6.ddns.net:2815
Unpacked files
SH256 hash:
c873bd224bbf6f82aa169f079016ebdf7690b40a7db5dd8cfefd26404a9d50ca
MD5 hash:
d328f4ade4dd3cd77b3c055c6a7a7937
SHA1 hash:
5d2437502c20efaadd44d27bd5f2f748bdb48512
Link:
https://www.unpac.me/results/c969d392-fea2-4a2c-bc44-c7afb7496d8e/
SH256 hash:
a6c6947ce9db7dd1a6a6f7338bf9fcf3b226adb17a98fea3f1673e08d29a507b
MD5 hash:
8d92713900ebbb880b1104ccee11c7a3
SHA1 hash:
0c004a2e372a30c95d5add8e477a4ab11803df04
Link:
https://www.unpac.me/results/c969d392-fea2-4a2c-bc44-c7afb7496d8e/
SH256 hash:
f555b62bf0009296fac351876b799bce9c56ff50412639a7c465f5e542f5fef3
MD5 hash:
5bbd841e1c53b96289116be04d0c1df8
SHA1 hash:
3e3297148c0a26d58b32b830479a6482e75b9086
Link:
https://www.unpac.me/results/c969d392-fea2-4a2c-bc44-c7afb7496d8e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f555b62bf0009296fac351876b799bce9c56ff50412639a7c465f5e542f5fef3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe f555b62bf0009296fac351876b799bce9c56ff50412639a7c465f5e542f5fef3

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/176228/

Comments