MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa
SHA3-384 hash:	91b8b086feedb7573aeb36b79831fa2f09f4befc16500a609e4600a30769976ac513ba61ea1e97c8649c7db220cffe30
SHA1 hash:	bcde3f8d90c9b0d3ad79785f77a089003260fedc
MD5 hash:	9f7ef650ee32895e313edc085fbc29f9
humanhash:	glucose-dakota-idaho-texas
File name:	9f7ef650ee32895e313edc085fbc29f9.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	466'432 bytes
First seen:	2021-05-05 19:00:26 UTC
Last seen:	2021-05-05 20:03:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	409f5d6d64eccf1b9873a7c796c3f1ad (9 x RemcosRAT)
ssdeep	12288:chm96YXGL474/CQNqBrsX9RiT/Z8At/e:Z8GGL4U/KsX9KZm
TLSH	53A4AE12B592C032C17251701D29F7B59AFCBD202A7595BB73EA1D6BBF700C0B72A663
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Remcos-9753190-0

Win.Trojan.Remcos-9841897-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a process with a hidden window

Creating a window

Deleting a recently created file

Running batch commands

Setting a keyboard event handler

Launching a process

DNS request

Sending a custom TCP request

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-05-05 17:19:00 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ajsqxxzja4so3u4kxr7dap7xjsq7y752e3z7bxhk2iwnzznzwp5a._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210505-1mpnk5vb46/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

Remcos

Malware Config

C2 Extraction:

fieldsdegreenf.duckdns.org:6553
aaeeerbbbeee.duckdns.org:6553

Unpacked files

SH256 hash:

02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa

MD5 hash:

9f7ef650ee32895e313edc085fbc29f9

SHA1 hash:

bcde3f8d90c9b0d3ad79785f77a089003260fedc

Detections:

win_remcos_g0

Link:

https://www.unpac.me/results/2111f01b-b80b-4d11-9bdd-8edf27e2b4e3/

Parent samples :

974b3b9247ead5b640b495a96efba657ebee885fd25374e294ce55d7472ee402
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2
af0249150bee4fec74c124f89019cd260c9aacd7b7a7715192b5097f1948eb82
02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

exe 02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1145250/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample