MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05bcd7e7ff6fe673b2238b5b62e08c01ff5cc5fd4da38aaa97279d2889a1149b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 6 File information Comments

SHA256 hash:	05bcd7e7ff6fe673b2238b5b62e08c01ff5cc5fd4da38aaa97279d2889a1149b
SHA3-384 hash:	3aa7d65b3a3393f1d072d43c7dbf63cbe1e60aabc47da86ef043f6a2036ca9a0f4174979acc47c3c7acd61ed35b09521
SHA1 hash:	e6d5c8d20b6dfd5242eb68b96c0c0927eb013594
MD5 hash:	6ee732fbe50579c69cb54118c1c26250
humanhash:	mirror-foxtrot-golf-ohio
File name:	6ee732fbe50579c69cb54118c1c26250.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	820'224 bytes
First seen:	2021-11-06 22:26:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:MB5A1yjchxz7s8AaWP3lDr9KfzbKsZOCd5tfc1iUH+2zRSkJ:MAOYAVlDR4yWlUHxSkJ
Threatray	844 similar samples on MalwareBazaar
TLSH	T19105CF16B71B850AD5246BB8CEF3F7205370FDB11E6353039AA1B96E943A2EA3DC0715
File icon (PE):
dhash icon	f8fceee4f0e0e8e2 (1 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
45.144.225.213:24133

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.144.225.213:24133	https://threatfox.abuse.ch/ioc/244779/

Intelligence

File Origin

# of uploads :

# of downloads :

149

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/202968/

Detection(s):

Win.Dropper.Generic-7113183-0

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6187013843a4f7480911a53b/reports/83b74999-e36f-4f41-83e5-3eaf4c6cb410/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/06bf370a-e3d7-4d30-ba2a-669d6de2bfb5

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/884610

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates an undocumented autostart registry key

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/05bcd7e7ff6fe673b2238b5b62e08c01ff5cc5fd4da38aaa97279d2889a1149b/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2021-11-02 07:13:22 UTC

AV detection:

19 of 44 (43.18%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aw6npz77n7thhmrdrnnwfyemah7vzrp5jwryvkuxe6osrcnbcsnq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

623bf7759de8303bc15901ee832dccb2febb294b84d3c5304022fb7be0b9c1f3

RemcosRAT

7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30

RemcosRAT

91e8ea3e431c0ad9faf6dfe01eb29e4834940054379deb8b657d9cbe23e91682

RemcosRAT

a3faa214333ce59ed895410e011c4cbd44fe51b26ed5bf2a0ed54e225616f893

RemcosRAT

a6ebeec300be5fbf0da778e99ab91f2af1470c5863784212a520cf5d378426e3

RemcosRAT

bd0baa9f0e69f70c827e05b8bae5a4b34f04b21be971c39e3831d584140d08d3

RemcosRAT

c348a860fa571902a6226ba5b5153b5b5937e3181103ed895f4a78d0454451f8

RemcosRAT

d0be19c0b5adf0b25e4eab364d23035d375cdceb14835a5d40642400a82e15f7

RemcosRAT

d9e92535d5c9c9dd3a2879f6f87940c80a7c80820298ad369922783130dfcb6d

RemcosRAT

+ 834 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:reed rat suricata

Link:

https://tria.ge/reports/211106-2c3hdsdddk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Remcos

suricata: ET MALWARE Remocs 3.x Unencrypted Checkin

suricata: ET MALWARE Remocs 3.x Unencrypted Server Response

Malware Config

C2 Extraction:

ezfax2021.home-webserver.de:24133

Unpacked files

SH256 hash:

33934fd6ee4a8d8eb1588fe1d5246673e459510935040e6654aa637701f70a89

MD5 hash:

4c882d89e33327f8c0886b4d497800b6

SHA1 hash:

b6e4ba43a57f7ea013beaf6fafffbc7e95a40004

Link:

https://www.unpac.me/results/b1ccf231-6ff3-49e2-b01f-7f7a8a5ebad2/

SH256 hash:

3c1185e454a0335688d17b7e3107d3d4136b1b9cee6436ac2a4c5e36f4937e02

MD5 hash:

6b293cc2f35977417a1e6fa1ce276239

SHA1 hash:

594c8ead8b2a617fcadd2cd77f719fceb6f1fc23

Link:

https://www.unpac.me/results/b1ccf231-6ff3-49e2-b01f-7f7a8a5ebad2/

SH256 hash:

2a31a746124c66e5959e23a4a2adc389f3b815ff7af87172272ce23a28616243

MD5 hash:

e3107d5bcdfa213a7480d5f439e5bd00

SHA1 hash:

4a9c19c03d5c3cfd08c9e7f3b528b9e115f09c74

Detections:

win_remcos_g0

Link:

https://www.unpac.me/results/b1ccf231-6ff3-49e2-b01f-7f7a8a5ebad2/

Parent samples :

4860f15c7870ac1d09c5aad7e6754eb34afd4b0f6341fd452049257513951ffe
978567f9e1c96845ed398ae0a75445a68cea415395c1df41cfeb673bf4ca57a6
05bcd7e7ff6fe673b2238b5b62e08c01ff5cc5fd4da38aaa97279d2889a1149b

SH256 hash:

05bcd7e7ff6fe673b2238b5b62e08c01ff5cc5fd4da38aaa97279d2889a1149b

MD5 hash:

6ee732fbe50579c69cb54118c1c26250

SHA1 hash:

e6d5c8d20b6dfd5242eb68b96c0c0927eb013594

Link:

https://www.unpac.me/results/b1ccf231-6ff3-49e2-b01f-7f7a8a5ebad2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/05bcd7e7ff6fe673b2238b5b62e08c01ff5cc5fd4da38aaa97279d2889a1149b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/202968/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample