MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0758013f642af55d429e3688886f60ed90633a19d87173c2488de6468599456c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	0758013f642af55d429e3688886f60ed90633a19d87173c2488de6468599456c
SHA3-384 hash:	3e8329230b94b488ce3b12e8d5945c2b18480561e374968b5955a7c8e6b30b1ddadcfdea21f0cf0db9d948120cbd86a7
SHA1 hash:	14b90a4f02e878bf591e81e1d448d2a794c7009d
MD5 hash:	e3406cac93ca951f7cf696b7d8f37752
humanhash:	may-arizona-six-friend
File name:	0758013f642af55d429e3688886f60ed90633a19d87173c2488de6468599456c
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'450'968 bytes
First seen:	2021-03-23 08:08:20 UTC
Last seen:	2021-03-23 09:36:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d2368782aaf7cd739cb408af1fa77a90 (1 x RemcosRAT)
ssdeep	24576:ceCORDjea4blMO69s+6Sy2vEaGUX4ZuBO1kbonaThr/8wBAmFBdBWC:n9R+YTEFeBdpd//0C
Threatray	1'714 similar samples on MalwareBazaar
TLSH	CA658D22B2815837C0732B389D5F67A5AA3ABF003A34898B67F41D8C5F397517D252E7
Reporter	JAMESWT_WT
Tags:	RemcosRAT TORG-ALYANS LLC

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0758013f642af55d429e3688886f60ed90633a19d87173c2488de6468599456c

Verdict:

No threats detected

Analysis date:

2021-03-23 08:10:18 UTC

Tags:

installer

Link:

https://app.any.run/tasks/5874d380-3a7b-4cf0-bd34-aa90ef838fae

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/126462/

Detection(s):

PUA.Win.Packer.BorlandCpp-9

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/649520

Signature

Allocates memory in foreign processes

Hijacks the control flow in another process

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Uses nslookup.exe to query domains

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/0758013f642af55d429e3688886f60ed90633a19d87173c2488de6468599456c/

Threat name:

Win32.Trojan.Ulise

Status:

Malicious

First seen:

2020-12-08 20:36:33 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Verdict:

malicious

Label(s):

remcos

RemcosRAT

0fa5f308271acceabd13e15871b230e030550825e17bdd0b3b1e53724ca5abd6

RemcosRAT

17a87ce9f1b198eb1dacc4dde36af67169515d41b322d6bcbaf1861f2d812d39

RemcosRAT

446fdd51f5eb4359191e189e54a209bd96295c5495cabc1b0b07c8f11d1eb748

RemcosRAT

44eb61ad9603cc802e8a59f356dadedf4be9dc315862a9bb2eddec1bcc9288a8

RemcosRAT

46f9b3a73b2ef17c7ace714e6b69b02e444096fb395d85e3b3220ed13d060a48

RemcosRAT

7c5296a628df511b5a1cee6f32910c80afb607b2bc8412e6741f7feb2d93b0c5

RemcosRAT

8ef0ab64ef4a050f29808379fa8e9448bca73be60e4944f9d13a9a6880ba33f2

RemcosRAT

98d8bbdf43367821e74fd0c26f5bdda07fe9a750476cce1bb0df88c5aa18b745

RemcosRAT

d0fbaa4e5d7b512cdc4b3b63ddbed59d1cb741f3925381124ee91942ecfdf3a6

RemcosRAT

+ 1'704 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210323-lvmkl7hgb2/

Unpacked files

SH256 hash:

c7fbdc61eb62c05e40295617e2db75877672931f751a770d2629e6eab6075f2c

MD5 hash:

abf6c724b20844d5b0073988a58faf1e

SHA1 hash:

7a8269d5b2ae623f8148ce9863f48f7e12ce036b

Link:

https://www.unpac.me/results/20853f45-d563-4875-b8bc-407fe3d55987/

SH256 hash:

0758013f642af55d429e3688886f60ed90633a19d87173c2488de6468599456c

MD5 hash:

e3406cac93ca951f7cf696b7d8f37752

SHA1 hash:

14b90a4f02e878bf591e81e1d448d2a794c7009d

Link:

https://www.unpac.me/results/20853f45-d563-4875-b8bc-407fe3d55987/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0758013f642af55d429e3688886f60ed90633a19d87173c2488de6468599456c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_parallax_payload_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax Injected Payload v1.01
Reference:	https://twitter.com/VK_Intel/status/1227976106227224578

Rule name:	crime_win32_rat_parralax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

Rule name:	MAL_crime_win32_rat_parallax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/126462/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample