MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1475079e680cf10d802747d44fe9855d1d4b2ca97e637ae32b68d8a7dca8c722. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1475079e680cf10d802747d44fe9855d1d4b2ca97e637ae32b68d8a7dca8c722
SHA3-384 hash: da565c2669af4c911c22891c4d3ac716eceb886328e1afe59455e8723fc2d748af293673eda27e0116449adf43243aea
SHA1 hash: e6969a7a1f0803f99f504a5ad99831669db6f0d5
MD5 hash: 3abe5aafbbb8dd32b4efe2c050b9b0b8
humanhash: hydrogen-florida-grey-pasta
File name:1475079e680cf10d802747d44fe9855d1d4b2ca97e637ae32b68d8a7dca8c722
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'019'056 bytes
First seen:2020-07-29 07:12:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:NAHnh+eWsN3skA4RV1Hom2KXMmHaYfltk5P:sh+ZkldoPK8YaClUP
Threatray 1'418 similar samples on MalwareBazaar
TLSH B9258D0273918025FFAE92735B55B24156BCE8253123CD3F12BA9F79AB701B11E2D26F
Reporter JAMESWT_WT
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34314/
Detection(s):
Win.Malware.Nymeria-6993200-0
Create hunting rule

Win.Malware.Nymeria-6993199-1
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Enabling autorun with Startup directory
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/401460
Signature
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Sleep loop found (likely to delay execution)
Uses dynamic DNS services
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252967 Sample: 487tHzis9C Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 34 rem-pounds.ddns.net 2->34 38 Malicious sample detected (through community Yara rule) 2->38 40 Detected Remcos RAT 2->40 42 Yara detected Remcos RAT 2->42 44 4 other signatures 2->44 10 487tHzis9C.exe 5 2->10         started        14 drvinst.exe.bat 2 1 2->14         started        16 wuapihost.exe 2->16         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\drvinst.exe.bat, PE32 10->32 dropped 50 Contains functionalty to change the wallpaper 10->50 52 Contains functionality to steal Chrome passwords or cookies 10->52 54 Contains functionality to capture and log keystrokes 10->54 58 4 other signatures 10->58 18 487tHzis9C.exe 2 10->18         started        56 Binary is likely a compiled AutoIt script file 14->56 21 fodhelper.exe 1 15 14->21         started        23 fodhelper.exe 14->23         started        signatures6 process7 dnsIp8 36 rem-pounds.ddns.net 18->36 25 drvinst.exe.bat 21->25         started        process9 signatures10 46 Sleep loop found (likely to delay execution) 25->46 48 Injects a PE file into a foreign processes 25->48 28 drvinst.exe.bat 25->28         started        process11 process12 30 WerFault.exe 28->30         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1475079e680cf10d802747d44fe9855d1d4b2ca97e637ae32b68d8a7dca8c722/
Threat name:
Win32.Trojan.Rescoms
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 03:15:58 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cr2qphtibtyq3abhi7ke72mfluouwlfjpzrxvyzlndmkpxfiy4ra._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b82d3d29091a908e27761d0869fcf5b77a66bb7c7f3975eec0565af0bf990af
RemcosRAT
43e3b82e88816ea1e7151d682956fecae812574d47c4c29f820f6a41d6595376
RemcosRAT
5bddffdbdadb3f5d1f08cb87b5227b914d7e844b2fb3b626d1fa42dda37f182d
RemcosRAT
5e920ea78df06e592a1dbda6e6422b359cf0eee4f81d016431cd5ccd8f820d9c
RemcosRAT
93692002c0d232acc30bac07e47393b8f23576956ed738bc0aa802b6ecc92c3c
RemcosRAT
aeaf83e513f357bf42bfe176f3706029604e3012b92a57fe4e7c83f5450175d9
RemcosRAT
bea9e2a9203714ee45ea07d53a3d3a2c645e95a037ec5f1442c117f5817d7715
RemcosRAT
c130572887aeccb97dc53750a4b5693c43fdf6eb17974fc993d79daf6068842b
RemcosRAT
e9144c78b9fe79a79c0dbfcbeecd3cd60024c3d866e8991d1fd3355679727761
RemcosRAT
f5e9c92a15746fdf49171ed78dbea3250cefe1beeffe6c6f706d8241d3f60739
RemcosRAT
+ 1'408 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos
Link:
https://tria.ge/reports/200729-3n6j5dp94n/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Drops startup file
Remcos
Malware Config
C2 Extraction:
rem-pounds.ddns.net:9970
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1475079e680cf10d802747d44fe9855d1d4b2ca97e637ae32b68d8a7dca8c722

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34314/

Comments