MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 069f3de8e79399dcc2a0811f2b560b34339c31eed7a465b9c759bd25d5aea17f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 069f3de8e79399dcc2a0811f2b560b34339c31eed7a465b9c759bd25d5aea17f
SHA3-384 hash: 48fd500835e5dcf79c397518c32993b27493b0eab6d9089cf7490dfb09252cc3b88d7ab32a85de024ddac657dcfdfe7e
SHA1 hash: 64ee7fa442f22dc05c593055957ed2511bccce3b
MD5 hash: c4b7d4176ad5d348ae7456dc62ac8756
humanhash: louisiana-sad-three-oklahoma
File name:VNYI000314522.bin
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'396'928 bytes
First seen:2020-11-30 14:08:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ee13d52daaec6dc411f5861456050150 (2 x RemcosRAT)
ssdeep 24576:j6HfVuY8FoR6ScMtNvHoM0XCA1ItFvDgIFpc5MpfsvvHU:j6HV8FHM0XCA1ItFvDpFpc0fsX0
Threatray 1'494 similar samples on MalwareBazaar
TLSH 0A55BF73B350843ED57B12389C1BDAB9A9297E132D1CB9463BE47D0F0F36681B825A53
Reporter JAMESWT_WT
Tags:RemcosRAT

Code Signing Certificate

Organisation:Microsoft Time-Stamp Service
Issuer:Microsoft Time-Stamp PCA
Algorithm:sha1WithRSAEncryption
Valid from:Sep 7 17:58:55 2016 GMT
Valid to:Sep 7 17:58:55 2018 GMT
Serial number: 33000000CA7D32167C7EFD05030000000000CA
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 375A80AE663EDF24E46C4F5F48863018C3E54EC04580E014F7A7B67B4A405A1D
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106048/
Detection(s):
SecuriteInfo.com.generic.ml.22005.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/550915
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/069f3de8e79399dcc2a0811f2b560b34339c31eed7a465b9c759bd25d5aea17f/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2020-11-30 14:09:08 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2pt32hhsom5zqvaqepswvqlgqzzympo26sgloohlg6slvnouf7q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
04f271742dac058c042af388562d7678536a47273846d692649926bad5dce1a0
RemcosRAT
0561429ee93b0bc545689257b6cda0d43025317f9c890acb219c51d0f6e721e8
RemcosRAT
0d233d14dd5333614b0521a887e1917ab36649531c8aaaf96a3660e72ac8c463
RemcosRAT
1098c2e11043776815738d6f8abc818560c7516948d15f231a7018dfaeb279ed
RemcosRAT
21691425c52cf7a77c0e3a65cc1c0c59cb026d5b76e78160ebb8a553f9bbe50c
RemcosRAT
7ad833f9f06a7ebbad69a40515654c8a7a1b3346cf93214e2638e33901133409
RemcosRAT
7f53893a9ce40e497ef34ecfc9c4f493b9d5dd7f989b60ffa248cbf289a1505a
RemcosRAT
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
RemcosRAT
a7bba5cba33b4320a78cd057e3cdd5169a86e90f6550e997772f4447549fd729
RemcosRAT
e98459447d40bb2a0917db99a3b9a99f22ee66234bfece9bba40f4fea3851201
RemcosRAT
+ 1'484 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/201130-49x33pxm6a/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ServiceHost packer
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
ba53516ec00b8f4967478c48299190b11666b030d46c91310c4f8aabecda21b2
MD5 hash:
ec9b32072be93556a5e5391018f908d8
SHA1 hash:
f2b1d652fb93a45d76874150e283b32cf4f26aad
Link:
https://www.unpac.me/results/045d926e-7de2-417e-9153-8f90241c9c26/
SH256 hash:
f3a016cfc02823e83ee046dad8fcd79507c7a55335bbce4ff5e08f527e5a011c
MD5 hash:
cb3bacc3016e51919e2574c51983a181
SHA1 hash:
8ce37ef0816ee1b7c8f6ab9b307ea90b321e5265
Link:
https://www.unpac.me/results/045d926e-7de2-417e-9153-8f90241c9c26/
SH256 hash:
069f3de8e79399dcc2a0811f2b560b34339c31eed7a465b9c759bd25d5aea17f
MD5 hash:
c4b7d4176ad5d348ae7456dc62ac8756
SHA1 hash:
64ee7fa442f22dc05c593055957ed2511bccce3b
Link:
https://www.unpac.me/results/045d926e-7de2-417e-9153-8f90241c9c26/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/069f3de8e79399dcc2a0811f2b560b34339c31eed7a465b9c759bd25d5aea17f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/whitehoodie4/status/1333412243673931779?s=20
Cape
Cape
https://www.capesandbox.com/analysis/106048/

Comments