MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 023946cb10325407c30c9ec45ecd241d5e0e3f9ebaeffe2ab12f8cd5f0646013. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 023946cb10325407c30c9ec45ecd241d5e0e3f9ebaeffe2ab12f8cd5f0646013
SHA3-384 hash: e4f8cba95e46147df8f382fa4cd344d26dc540060ae83e45b6210348c12bfe939a2c028fca421685cc0dacfa286ec8b5
SHA1 hash: 81871004ce6a05faba69d8c9c7700fd9e44f5c01
MD5 hash: 2de62524e1c62d1ab96e312abb7a1123
humanhash: sink-enemy-kentucky-cardinal
File name:SecuriteInfo.com.Trojan.PWS.Stealer.28244.30658.30345
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:652'288 bytes
First seen:2020-03-19 18:03:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8b1b9f2ca3f41de15e2eca21dcd5626a (1 x Loki, 1 x RemcosRAT, 1 x AgentTesla)
ssdeep 12288:8iunN97o8XfCPcLh7wAB49nF4rZ319W7VOCusS9HCv0mD:81N9JXTaEIuZ319yOCl0sD
TLSH 0DD4AF26E2E048F3FC77267D9C1BAF54ACE6BD512D3855462BE81C0CCF3969134262A7
Reporter SecuriteInfoCom
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Stealer.28244.1644.17560.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-03-20 01:40:36 UTC
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/023946cb10325407c30c9ec45ecd241d5e0e3f9ebaeffe2ab12f8cd5f0646013

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 023946cb10325407c30c9ec45ecd241d5e0e3f9ebaeffe2ab12f8cd5f0646013

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/326968/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play Multimediawinmm.dll::mciGetErrorStringA
winmm.dll::mciSendCommandA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
kernel32.dll::GetTempPathA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments