MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04c93fd4c4b9ede9c3661f17dfed1ebc4ac3d09b4ad724b6c9e39dc189c1205e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04c93fd4c4b9ede9c3661f17dfed1ebc4ac3d09b4ad724b6c9e39dc189c1205e
SHA3-384 hash: 01089f967a8baea4a899a479755edbf50b54a13f40ff9f81569eb95682212dd466ce30b801710241b3457f7ab0fbd171
SHA1 hash: 8731fb9683915331ccb77ca0ffc6821d635d85a8
MD5 hash: 960c0e89ff21f1f41604dc89cdf300c7
humanhash: hotel-eleven-sodium-equal
File name:960c0e89ff21f1f41604dc89cdf300c7.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:787'456 bytes
First seen:2021-02-14 12:55:08 UTC
Last seen:2021-02-14 14:55:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:VGxEFHhPv61ig2j78AmhnBllHJtJMjeYjzJ2zKRd9lZs:UgP+28AMDNJ0jegzgo
Threatray 55 similar samples on MalwareBazaar
TLSH 84F4E1312318AF68E53ED3BF8026815197F1E977F321CA1A7DEC01EA496BF414A72752
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
176.111.174.14:2804

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
960c0e89ff21f1f41604dc89cdf300c7.exe
Verdict:
Malicious activity
Analysis date:
2021-02-14 12:58:26 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/b7124dd9-9b82-4a16-af64-45ccf565f839

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117072/
Detection(s):
SecuriteInfo.com.Artemis960C0E89FF21.28223.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/607564
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/04c93fd4c4b9ede9c3661f17dfed1ebc4ac3d09b4ad724b6c9e39dc189c1205e/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-02-14 12:56:07 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=atet7vgexhw6tq3gd4l573i6xrfmhue3jllsjnwj4oo4dcobebpa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
035cba8ea6bbe0336a0221e86b571e530764939150df17f636fd23ad30db3f27
RemcosRAT
08c85e93e63fba43e25a3e7bf4e3d9b47783a8acf74a75be9eceffdc68d46cf4
RemcosRAT
0d03646fdaee92061ac0ffa4ba7c737d0ef101858b30bd7432148f7e9faf279a
RemcosRAT
20fe5347a7254b7f5d75c7fce2542b88abdb8d1939afe621544c61d35e45bdee
RemcosRAT
2a344d464465069aa8739a45ecba1b6de4ef4ba4cc2b8128af5a54112c507058
RemcosRAT
357ab6a0cf97d36af99606bce098c476c4a24085f4d972038b11b3570486d620
RemcosRAT
7372fe2e6401cdbca755f752e7e8407a8a5fbaf81ca5e692705a9819977dc447
RemcosRAT
aa9c1ce82c3c4c29355c38931c6cc6e1cd1414051c772de3fbf0cd9439c52965
RemcosRAT
c062b4a790666b338f7955ea792605bf0244a8d36cb1050c602727ff6d654e36
RemcosRAT
f629e12080a80c0dda61f5c8a6e119465e6cc3e938d5983af7f454f507e74ad3
RemcosRAT
+ 45 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat upx
Link:
https://tria.ge/reports/210214-amtnzqy7hn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
UPX packed file
Remcos
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/3e4db0a1-74a1-4487-a375-c259dd1042f8/
SH256 hash:
04c93fd4c4b9ede9c3661f17dfed1ebc4ac3d09b4ad724b6c9e39dc189c1205e
MD5 hash:
960c0e89ff21f1f41604dc89cdf300c7
SHA1 hash:
8731fb9683915331ccb77ca0ffc6821d635d85a8
Link:
https://www.unpac.me/results/3e4db0a1-74a1-4487-a375-c259dd1042f8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/04c93fd4c4b9ede9c3661f17dfed1ebc4ac3d09b4ad724b6c9e39dc189c1205e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 04c93fd4c4b9ede9c3661f17dfed1ebc4ac3d09b4ad724b6c9e39dc189c1205e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1002465/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117072/

Comments