MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fccbf385c83dc8e754969e064852fab5fcaab99c564f6679a22a944ef76e20b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fccbf385c83dc8e754969e064852fab5fcaab99c564f6679a22a944ef76e20b0
SHA3-384 hash: 98dd64f826753b7ea927afda05f2cd1bbe257719d8d5c26bb907f0c590053393f586cf810cd13fe2268156bedd67e75d
SHA1 hash: 3ef2055618f1658b8be18f8008848a4b947a4d65
MD5 hash: 6c7da71731552e3180748e4396791a97
humanhash: nine-avocado-lake-hawaii
File name:QuotationCVXpo00029392.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'765'888 bytes
First seen:2021-02-01 08:09:43 UTC
Last seen:2021-02-01 09:45:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'819 x AgentTesla, 19'743 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 1536:S+Pq4i6fIVmUrqLLDp6dktw983co6msvw0QXFRKXo3DiiJw8Zh0rE4cSfCJaHkLw:S+xgV9rIF60O20S20/JXNW
Threatray 230 similar samples on MalwareBazaar
TLSH CC851B026F935941BB60A172DECFE0CEEB4C17797A4E78697CBD1205A1A3025C363EB5
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
greatglass.servebeer.com:1961

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QuotationCVXpo00029392.exe
Verdict:
Malicious activity
Analysis date:
2021-02-01 08:14:35 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/19b08c3c-aac9-4ce6-adb5-11cde61da569

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114421/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Running batch commands
Sending a UDP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/595047
Signature
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Country aware sample found (crashes after keyboard check)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected Remcos RAT
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Remcos
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 346558 Sample: QuotationCVXpo00029392.exe Startdate: 01/02/2021 Architecture: WINDOWS Score: 100 62 pastebin.com 2->62 64 greatglass.servebeer.com 2->64 74 Malicious sample detected (through community Yara rule) 2->74 76 Multi AV Scanner detection for dropped file 2->76 78 Sigma detected: Powershell adding suspicious path to exclusion list 2->78 80 10 other signatures 2->80 8 QuotationCVXpo00029392.exe 24 6 2->8         started        13 QuotationCVXpo00029392.exe 2->13         started        15 QuotationCVXpo00029392.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 68 pastebin.com 104.23.98.190, 443, 49716, 49751 CLOUDFLARENETUS United States 8->68 56 C:\Users\user\...\QuotationCVXpo00029392.exe, PE32 8->56 dropped 58 QuotationCVXpo0002...exe:Zone.Identifier, ASCII 8->58 dropped 82 Creates an undocumented autostart registry key 8->82 84 Contains functionality to steal Chrome passwords or cookies 8->84 86 Contains functionality to capture and log keystrokes 8->86 98 3 other signatures 8->98 19 QuotationCVXpo00029392.exe 2 8->19         started        22 cmd.exe 1 8->22         started        24 powershell.exe 8 8->24         started        34 4 other processes 8->34 88 Adds a directory exclusion to Windows Defender 13->88 90 Hides threads from debuggers 13->90 92 Injects a PE file into a foreign processes 13->92 26 powershell.exe 13->26         started        28 powershell.exe 13->28         started        30 powershell.exe 13->30         started        36 2 other processes 13->36 60 C:\Users\...\QuotationCVXpo00029392.exe.log, ASCII 15->60 dropped 32 powershell.exe 15->32         started        70 104.23.99.190, 443, 49788 CLOUDFLARENETUS United States 17->70 72 192.168.2.1 unknown unknown 17->72 94 Creates autostart registry keys with suspicious names 17->94 96 Creates multiple autostart registry keys 17->96 file6 signatures7 process8 dnsIp9 66 greatglass.servebeer.com 194.5.97.248, 1961, 49720, 49722 DANILENKODE Netherlands 19->66 52 2 other processes 22->52 38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 conhost.exe 30->44         started        46 conhost.exe 34->46         started        48 conhost.exe 34->48         started        50 conhost.exe 34->50         started        54 2 other processes 36->54 process10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fccbf385c83dc8e754969e064852fab5fcaab99c564f6679a22a944ef76e20b0/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-01 02:38:54 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7tf7hboihxeoovewtydequx2wx6kvom4kzhwm6ncfkke553oecya._file
Verdict:
unknown
Similar samples:
034117e2215690c209ed3a796a816b6f033db21760157de584fa1481f13fe666
RemcosRAT
118b4580958427b7e9f75bb2e42ff0e786bd63d5ce2d2f1dbdeb8babe98177d2
RemcosRAT
376c1ec21453b475c3639cb11d2e1e4db88b8da7a3a100f2dfbd90c93dc543f0
RemcosRAT
6c595ae0af40886a5d0e907120894e72fadef005a527230b5c28a3e2767789f1
RemcosRAT
71539d77a4c2e58f492d16f513f49d2ac3c9f002ceb1dda0ca70a63e8e33fd88
RemcosRAT
8daa3b16b15dd52ffb99eb0644b52712d889fe9528f8633dd16b4b405b017130
RemcosRAT
98cf9b180f49331bc9c5a5eae9257f083e7b9601819191e9414dc7a76321592f
RemcosRAT
a7686157bc950dfe9b30e3ac09f1138107d28dc071b5345561dead285b685c97
RemcosRAT
ab4c72ecc967d89c5a3dddbecd20e325e622788de5e6e99defb6b582c67b2738
RemcosRAT
bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af
RemcosRAT
+ 220 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos evasion persistence ransomware rat trojan
Link:
https://tria.ge/reports/210201-c8c34d4qdn/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Windows security modification
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Remcos
Turns off Windows Defender SpyNet reporting
Windows security bypass
Malware Config
C2 Extraction:
greatglass.servebeer.com:1961
Unpacked files
SH256 hash:
54ed29ab9fa8c1ec7ba89b80b0155531d2a01e0564538f1a5659be22198f8d4e
MD5 hash:
0d91df0e503aff927dd7046de21473da
SHA1 hash:
de9a79ea202677856d7c579065d1f1ba851c1713
Link:
https://www.unpac.me/results/71e99727-fbf3-4402-b433-ba4072cfcac7/
SH256 hash:
78777d4da7d1d5acf333bbb301823a35206b4cc40a2cc0a4041113ce09ff0939
MD5 hash:
3797ba7d0fe05eadf8c3f9453d948a64
SHA1 hash:
ce0a59667cd027ce2bd3a5e4c3e1088413df8669
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/71e99727-fbf3-4402-b433-ba4072cfcac7/
SH256 hash:
fccbf385c83dc8e754969e064852fab5fcaab99c564f6679a22a944ef76e20b0
MD5 hash:
6c7da71731552e3180748e4396791a97
SHA1 hash:
3ef2055618f1658b8be18f8008848a4b947a4d65
Link:
https://www.unpac.me/results/71e99727-fbf3-4402-b433-ba4072cfcac7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fccbf385c83dc8e754969e064852fab5fcaab99c564f6679a22a944ef76e20b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe fccbf385c83dc8e754969e064852fab5fcaab99c564f6679a22a944ef76e20b0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/114421/

Comments