MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8b5e14a549989e51f567b5a7be04f6187d7bd4067e957e66152ecbf73893a47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8b5e14a549989e51f567b5a7be04f6187d7bd4067e957e66152ecbf73893a47
SHA3-384 hash: 934285acd3488731182b8d889033e5545fc063ee9cef71fe24649b2f72500d4f0a62a017cad4b7fc8216617b2bf476f0
SHA1 hash: c87d534728d266847e4a7665d82c4a9553c60ccc
MD5 hash: 1749cf9fe03ca7ee146bf316831f01b2
humanhash: five-texas-montana-uniform
File name:MC International Trading - products list.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'097'728 bytes
First seen:2021-01-18 08:01:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:07cLjt1bp6dJxAIseMyy1nJzz3OCiRxy57b4Vf:072jt1YdJxAIHM/YW57b4V
Threatray 83 similar samples on MalwareBazaar
TLSH 56358C1053CCDF20E3BC97F8A910926067E9A546F654E778F9BDA0C25F62DA448DFB80
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: pro24.emailserver.vn
Sending IP: 103.15.48.244
From: MC International Trading <huong.do@duchuynhcrane.com>
Subject: MC International Trading Co., Ltd - Request for Quotation
Attachment: MC International Trading - products list.rar (contains "MC International Trading - products list.exe")

RemcosRAT C2:
185.136.171.240:4044

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MC International Trading - products list.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 08:14:57 UTC
Tags:
trojan rat remcos
Link:
https://app.any.run/tasks/17910827-5896-48a5-bbd8-f7604d36c750

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112440/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/583452
Signature
.NET source code contains potential unpacker
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f8b5e14a549989e51f567b5a7be04f6187d7bd4067e957e66152ecbf73893a47/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-18 06:20:45 UTC
AV detection:
3 of 46 (6.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7c26cssutge6kh2wpnnhxycpmgd5ppkam7uvpztbklwl644jhjdq._file
Verdict:
unknown
Similar samples:
07c764029bc53a23ecde50473f42e72e44b1eed4001cff0566366b19340fec5f
RemcosRAT
5e31a4916e479c18347d59e0a98dc12738efb5acbad3ba3e677fb24fd87e7adc
RemcosRAT
61248c209119bd790c6ad906dd9d12e7a03455c2b2f6e4b7d1432aed6ae92439
RemcosRAT
6b090efc032911140a9b027ae65b205eb4b6aef2ab0dec995e473470f6706240
RemcosRAT
7326dddf5871d9ea2a91b0698527b830bb819e899f3eeabf9d46bb4d1c6d0af9
RemcosRAT
9972434ebdd96cf98cbc8849f08d6ca3120e5cf2553b3416bc0fccc5396c74b5
RemcosRAT
99d0abe691cea3ff0e8462f7cca0649a52507a03387bda27e95a20bd72a6b37b
RemcosRAT
a9bb3e9f775ca73baaac71ef7e7b4a5d7c467aef99d3b8f34856f16dbb3afe26
RemcosRAT
cdcc8531c42e3ede33c0ecbcb82f7a6e5445e959eee3796475258df830a18813
RemcosRAT
f3dd0364478f5e8db5e914033bf34cd7e0a1cc3a66698883a3798ef35f61a36c
RemcosRAT
+ 73 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210118-5plechzzg2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
185.136.171.240:4044
Unpacked files
SH256 hash:
1d6ecf546163882d34d4bb2b7afa3889506ca3036ed536c4ed972ed89bdf5035
MD5 hash:
fb169513679d349cb2a7e4121bacfd4a
SHA1 hash:
26619d7ce0a175b9fc4fbfd7f4b105050562924f
Link:
https://www.unpac.me/results/72c4bd62-9392-454e-b2ca-32dd6985557f/
SH256 hash:
f8b5e14a549989e51f567b5a7be04f6187d7bd4067e957e66152ecbf73893a47
MD5 hash:
1749cf9fe03ca7ee146bf316831f01b2
SHA1 hash:
c87d534728d266847e4a7665d82c4a9553c60ccc
Link:
https://www.unpac.me/results/72c4bd62-9392-454e-b2ca-32dd6985557f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8b5e14a549989e51f567b5a7be04f6187d7bd4067e957e66152ecbf73893a47

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 4d6e15472927b90d55138c03d9ba4764c1a2ee7c8019a4bcbb39773581e4b4c1

RemcosRAT

Executable exe f8b5e14a549989e51f567b5a7be04f6187d7bd4067e957e66152ecbf73893a47

(this sample)

  
Dropped by
MD5 2d338fa2849aa1407036b8c3af991fc9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112440/
  
Dropped by
SHA256 4d6e15472927b90d55138c03d9ba4764c1a2ee7c8019a4bcbb39773581e4b4c1

Comments