MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faf6463f13ccaac3980d0d71fdb44e4f56d4a519612e215e021af67140d7e855. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	faf6463f13ccaac3980d0d71fdb44e4f56d4a519612e215e021af67140d7e855
SHA3-384 hash:	18809dcf5c6809e9055fdef31bc30994da1d2bc27c4934658f9d7ae6ca66bbf16e332e8d7fde151c46250bac10c40657
SHA1 hash:	ed6ce0c974fed32f365fd80dee6bc48178d8607b
MD5 hash:	ba3648caf900be0f932c920a9c5a2314
humanhash:	seventeen-october-autumn-quebec
File name:	DHL_21100000211781000.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'331'712 bytes
First seen:	2021-02-09 13:16:22 UTC
Last seen:	2021-02-09 15:00:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:ikQZ19yy656ZxAdDS69cAEMb8C5PA3Bb9ldG8/+hGZ5:lQgyQ6zAZSG5P4Bb9ldr/+hGZ5
Threatray	28 similar samples on MalwareBazaar
TLSH	CE556BA9324072EFC867CD328A682CB4E7617CBA970B9207A05732AD9D7D557CF114F2
Reporter	abuse_ch
Tags:	DHL exe RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: mailgw.yahoowebhostinglight.jp
Sending IP: 210.229.252.40
From: DHL Courier Service<ogura@arccs.biz>
Subject: Your Parcel Arrived
Attachment: DHL_21100000211781000.IMG (contains "DHL_21100000211781000.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL_21100000211781000.exe

Verdict:

Malicious activity

Analysis date:

2021-02-09 13:22:19 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/09300adb-a199-4374-9b05-f13901d9ce4d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/116191/

Detection(s):

SecuriteInfo.com.CIL.HeapOverride.Heur.22145.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/602982

Signature

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/faf6463f13ccaac3980d0d71fdb44e4f56d4a519612e215e021af67140d7e855/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-02-09 13:17:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 29 (68.97%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7l3empytzsvmhganbvy73ncoj5lnjjizmexccxqcdl3hcqgx5bkq._file

Verdict:

unknown

RemcosRAT

1e5a328f760c35f905390fb4bcf0eefa75936c79a43e22ca7557da0e315c72ed

RemcosRAT

2f85c41ee13d69e68454d97153252e8ba9a3a0e85573427eac0600d41fa6824d

RemcosRAT

6cef436fd5577158e43bd7cc85ea84cdac90044d8e9f93c254ee7ed119fa7aed

RemcosRAT

719bb30fb8ff3d79fd0216bdbc9f9d1b377c1456a20c8d9a26f1a19e283352ba

RemcosRAT

926da3334135961ff0c19ecf4358201ba4734ab01186061c423deeb081ec1cff

RemcosRAT

a8889ff384c38b97b5a48ef4e9586df7c281f40e2719fe248b0d252832969521

RemcosRAT

aa9c1ce82c3c4c29355c38931c6cc6e1cd1414051c772de3fbf0cd9439c52965

RemcosRAT

d96b554a08cd2f503d6a1ffe5303b34f8bd6f91b369bd95e9d16642b4fece2cb

RemcosRAT

f631405eb61bdf6f6e34657e5b99273743e1e24854942166a16f38728e19f200

RemcosRAT

+ 18 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos ransomware rat

Link:

https://tria.ge/reports/210209-ykte5apx5e/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Remcos

Unpacked files

SH256 hash:

b24ded7395358c2f4faf154d57573b06922444f85b23df8cbec666382e02fc00

MD5 hash:

de5c8be3df3d0f4529c23413b4ef94e5

SHA1 hash:

d5c53367a3166a2d24bc0d048f7d9d6429f773eb

Link:

https://www.unpac.me/results/bc8a67fe-eb83-4bfe-8cde-686f1a90544c/

SH256 hash:

faf6463f13ccaac3980d0d71fdb44e4f56d4a519612e215e021af67140d7e855

MD5 hash:

ba3648caf900be0f932c920a9c5a2314

SHA1 hash:

ed6ce0c974fed32f365fd80dee6bc48178d8607b

Link:

https://www.unpac.me/results/bc8a67fe-eb83-4bfe-8cde-686f1a90544c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/faf6463f13ccaac3980d0d71fdb44e4f56d4a519612e215e021af67140d7e855

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img a4e2ffce1966dac86d8055566d2e93537493452aed79b811f3c92f42a71124ea

RemcosRAT

exe faf6463f13ccaac3980d0d71fdb44e4f56d4a519612e215e021af67140d7e855

(this sample)

Dropped by

MD5 6d555b4e0fe93abe30751bec88415972

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/116191/

Dropped by

SHA256 a4e2ffce1966dac86d8055566d2e93537493452aed79b811f3c92f42a71124ea

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample