MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 009a336f3bae013c379a21bcfdbbcd9642984cb613dbe59ccff8d2e7c50c32b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 9 File information Comments

SHA256 hash:	009a336f3bae013c379a21bcfdbbcd9642984cb613dbe59ccff8d2e7c50c32b3
SHA3-384 hash:	7bf235ca68a288440a5b8a03fa451e5a41dabc9969741dadd2a0a81b5145e48e2e47eabbd0b663d6d90df811c922ea80
SHA1 hash:	a02c470c8717ac22721b813e70608a791588987c
MD5 hash:	21a48450c02033c7ec5c7a689e5b5c63
humanhash:	jupiter-crazy-monkey-florida
File name:	Rules & Regulation (IRR)_pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'068'115 bytes
First seen:	2021-06-29 13:24:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:kAOcZwVlS94lfTL1fTnBAuOJyqEkdbiG2K2fp2eV9:yYebL1fTnBvOJHdbcHfp/n
Threatray	616 similar samples on MalwareBazaar
TLSH	9F35CE0FA395E7BFEDFF0E30DB1227D82A26ED1419A5A17A57D4801C99E01F06B11A73
Reporter	Anonymous
Tags:	exe RemcosRAT

Anonymous

E-mail link >> .iso >> .exe

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Rules & Regulation (IRR)_pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-06-29 13:35:02 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/bb3f0cbc-abe4-4aff-a636-eda106258246

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/168764/

Detection(s):

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/704c2112-7893-45d8-9d24-b49c2402b86f

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/809402

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Drops PE files with a suspicious file extension

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Writes to foreign memory regions

Yara detected AntiVM autoit script

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/009a336f3bae013c379a21bcfdbbcd9642984cb613dbe59ccff8d2e7c50c32b3/

Threat name:

Win32.Backdoor.NanoCore

Status:

Malicious

First seen:

2021-06-29 13:25:13 UTC

AV detection:

26 of 46 (56.52%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=acndg3z3vyatyn42eg6p3o6nszbjqtfwcpn6lhgp7djoprimgkzq._file

Verdict:

malicious

RemcosRAT

37e7b7329552ca9f6ab3233ebe1d8ab96c4385b941b31a21ea43c4c2b85fca61

RemcosRAT

6eb767d15a657e7d39c9534bbd4b24bcc9fb7d72b100b5456ac975a002ef93a9

RemcosRAT

7b6c1b2aaa6f7f89812ed6be3f275ff5de8827c61b14372242a617604baa0e8c

RemcosRAT

86c92d4b2244153a1f601168307d0c60f413631574d9c0ed3fe4c6fa890d6c26

RemcosRAT

8bc57dbd7aa1c3ac5b3e4f743eb616b93aec9bae6975ccdaa9ad596ada32275b

RemcosRAT

bf2250c3400a28a3063a4a4489a5fc3e54975d4bd4c97a429de0d3b1699224e9

RemcosRAT

d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5

RemcosRAT

d2d355ef39f411f81c87e1c3e6feef02a0dccacf3cc37aa583e97ab9403e2ee8

RemcosRAT

fb0d1b0c62204ebfb2e04bcc607e562f398bf0cd40a275ace02ca34bed1d355d

RemcosRAT

+ 606 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:nanocore family:remcos botnet:newyear keylogger persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/210629-edwrk1dyta/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

NanoCore

Remcos

Malware Config

C2 Extraction:

cato.fingusti.club:6609

Unpacked files

SH256 hash:

f8ff8336b9c3036dd6d83cf065f2ecb649786af35dc2d0a2c8ccbf27901f7b6a

MD5 hash:

53d6622008bc5d9718732c4a8fccc4c6

SHA1 hash:

7d00569a7160255e9a144211fb3fac99a176bb1d

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/7ac96ea0-f1aa-4cfd-8414-6732aadb8447/

Parent samples :

bf2250c3400a28a3063a4a4489a5fc3e54975d4bd4c97a429de0d3b1699224e9
63df29d3fa84705de35251b66c3cf555ba225d9a2b064edbd566ccd1b3c59e07
009a336f3bae013c379a21bcfdbbcd9642984cb613dbe59ccff8d2e7c50c32b3
db5d7098903a45bb318ee2f897baa8584d86071be755582e87d3fd7192f87c18
ac63e6a70d5a7b867b798cd4a22db827d66c95f2506d1efdb49d2b6bf6d73aa8
0b4ede6ce80824c7bf66ecf5b42e1032c1039dc8e8b6e462d91be333fe9572e4
64c32d82c0dd8612a93831055d36ba9b2767c213b2706212545fc80b34a4d900
a3f8ab3315bcd827a53bf5dfe1b55f550a21e40287d15e082e364b870d6a02f8

SH256 hash:

521761f16b21994b864a53dc1ebf37afa412a8f87200311050e906ac433d8c9e

MD5 hash:

85c9cb4b9f52c3d48bb462a6b80f4a35

SHA1 hash:

6c774da2a034420f80865915b504cfb4a203a3da

Link:

https://www.unpac.me/results/7ac96ea0-f1aa-4cfd-8414-6732aadb8447/

SH256 hash:

009a336f3bae013c379a21bcfdbbcd9642984cb613dbe59ccff8d2e7c50c32b3

MD5 hash:

21a48450c02033c7ec5c7a689e5b5c63

SHA1 hash:

a02c470c8717ac22721b813e70608a791588987c

Link:

https://www.unpac.me/results/7ac96ea0-f1aa-4cfd-8414-6732aadb8447/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/009a336f3bae013c379a21bcfdbbcd9642984cb613dbe59ccff8d2e7c50c32b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/168764/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample