MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa5850a0ba8809631d4e3f5a3f8cafa133b3d6ae37088eeb934ec13d1bc9f368. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	fa5850a0ba8809631d4e3f5a3f8cafa133b3d6ae37088eeb934ec13d1bc9f368
SHA3-384 hash:	915490dbd44456084149b28835012f08bc3891b30658bd87277127a14bd33e336983946cecf8c61f7f7e657fb12e956c
SHA1 hash:	fce6a57c19494171756dea68633c22d4982d7cc0
MD5 hash:	0b8b539ff932ee7d37b7dfc04b3cb46e
humanhash:	artist-minnesota-ohio-item
File name:	1x40,MC, 910159447-MIRAI Signed.pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	412'672 bytes
First seen:	2020-10-22 06:35:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'450 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:Iz6vtq0It3hVhjvwEiEoXIW2p8v8zZe+U:aMpItRVhLwEzoYW2av8
Threatray	930 similar samples on MalwareBazaar
TLSH	E3940258E740CA6ACE29173C704192452A06AED5B535EB7E4B09B4FEA337FC510336AB
Reporter	abuse_ch
Tags:	exe nVpn RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: vps.pantin-hoes.com
Sending IP: 45.95.169.163
From: Azumi.C <info@mirai-const.co.jp>
Subject: Re:Best Offer
Attachment: DOC1x40,MC, 910159447-MIRAI.r00 (contains "1x40,MC, 910159447-MIRAI Signed.pdf.exe")

RemcosRAT C2:
petroleum.sytes.net:3014 (185.244.30.10)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-HU
country: HU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-10-07T21:39:48Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/74471/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Launching a process

DNS request

Creating a file

Connection attempt to an infection source

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/506665

Signature

Allocates memory in foreign processes

Antivirus detection for dropped file

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Drops PE files to the startup folder

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fa5850a0ba8809631d4e3f5a3f8cafa133b3d6ae37088eeb934ec13d1bc9f368/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2020-10-21 23:36:34 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7jmfbif2raewghkoh5nd7dfpuez3hvvog4ei524tj3at2g6j6nua._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

29e976622956314e13cff9fce7e829a27827214ddcfd41ccd33fc4faca45b566

RemcosRAT

308245e3b036eaa8e2b12c92852a64e5feedd6d952789d12da2ea5da9b7acced

RemcosRAT

4096056536154e1fa5a10e3495cd3ddadf7c01022b7b65b0c35a67b2eac2bc6b

RemcosRAT

4a024542511c7d0a40e8317486b7177eaf71ee355f1731f17bc632731ea814b0

RemcosRAT

5561d008620229638c19ba7e991d22edfd27eef99c5a038510b24950687befd3

RemcosRAT

5a418e084b49b740a94d307baf45d67ac25db462fdeb80065fb60ffeb197273f

RemcosRAT

6637c089017af9c448d8235e20db32603d8547f0611187341cf184dc66c170b4

RemcosRAT

e037b5ebac7b3ac81b3e268268dbd072784c73f178662e4a66e5e57d7e8a67c3

RemcosRAT

f412da03defe68cc6e1f264449adf519a4c5470c51e7b502854f7fbf358f8516

RemcosRAT

+ 920 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

rat family:remcos

Link:

https://tria.ge/reports/201022-c8tr3eer2s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops startup file

Remcos

Malware Config

C2 Extraction:

petroleum.sytes.net:3014

Unpacked files

SH256 hash:

fa5850a0ba8809631d4e3f5a3f8cafa133b3d6ae37088eeb934ec13d1bc9f368

MD5 hash:

0b8b539ff932ee7d37b7dfc04b3cb46e

SHA1 hash:

fce6a57c19494171756dea68633c22d4982d7cc0

Link:

https://www.unpac.me/results/f8897c7c-ea69-4be8-b362-6509a9f7fc77/

SH256 hash:

9ac1c8bd7c35605a167fd3e35684d4d9712d66168a00801f161b08bf066e03b5

MD5 hash:

0efac9b14565ac948cecb1136cdec03f

SHA1 hash:

2b3f9a985c75b034a8f75049735488f0c3c74e2f

Link:

https://www.unpac.me/results/f8897c7c-ea69-4be8-b362-6509a9f7fc77/

SH256 hash:

36e8f90b70d77646e5d9a70f5a8fdd0b2cefd2a97eaffc4699e36c0bfe0c63f0

MD5 hash:

8f2fa588bd5a0d5164bd077f6e44198c

SHA1 hash:

81901fd4df1559d17c3831618fe3699c1a82e135

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/f8897c7c-ea69-4be8-b362-6509a9f7fc77/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator