MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0840ac6a8ee445eed007f29220dad3dd03e59cf161524623c831596673c7e8d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	0840ac6a8ee445eed007f29220dad3dd03e59cf161524623c831596673c7e8d0
SHA3-384 hash:	0172084bc11b1b8da34b89a1989307580b44f304a8c7337a1cf0e88f19fdb88136c87848161beb41acc954b267ec46d5
SHA1 hash:	1ef579145a5bbdbfe9c62a5270dbddd458da66b2
MD5 hash:	9cd198582f958cc0485b648d2acc6f58
humanhash:	freddie-fifteen-texas-florida
File name:	AWB 803269098.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	831'488 bytes
First seen:	2021-09-16 13:52:27 UTC
Last seen:	2021-09-16 14:59:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ff0bb68e944131943365efbe4d5b9737 (4 x RemcosRAT, 1 x AveMariaRAT, 1 x OskiStealer)
ssdeep	24576:DMvnUyU3fec2QPesToGIZHrIzvlZwXI7Dyj3SaH+MJF:DqUjes
Threatray	693 similar samples on MalwareBazaar
TLSH	T1A5052852E6902F32D02F2AB8AC1BDAD9D4577C847D19EFF419B89D363234B81296D04F
dhash icon	0cb23272b98ce6d1 (6 x RemcosRAT, 5 x Formbook, 2 x DBatLoader)
Reporter	James_inthe_box
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

220

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

AWB 803269098.exe

Verdict:

Malicious activity

Analysis date:

2021-09-16 13:54:05 UTC

Tags:

installer

Link:

https://app.any.run/tasks/85eeb72c-4b9e-457d-8def-83d75476fbf7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/188445/

Detection(s):

SecuriteInfo.com.W32.Injector.TUO.5823.2773.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Modifying an executable file

Launching the default Windows debugger (dwwin.exe)

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware keylogger

Link:

https://www.filescan.io/uploads/61752309a9d585e6d5371132/reports/25bf0bd9-9f31-442d-b532-69f54f77c522/overview

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d1c95303-cbde-475c-a57b-3668f164b9b5

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/852108

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates a thread in another existing process (thread injection)

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0840ac6a8ee445eed007f29220dad3dd03e59cf161524623c831596673c7e8d0/

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2021-09-16 13:51:25 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bbaky2uo4rc65uah6kjcbwwt3ub6lhhrmfjemi6igfmwm46h5dia._file

Verdict:

malicious

RemcosRAT

5d0970ca455fd58945e13f996aaf77a66a7468d0927a3cfd41cbd22b20d13cdc

RemcosRAT

6780919c60b1e4b3f1ef9cfb03bdd492f51ebc505ccddbd47be023d66d429eaf

RemcosRAT

6b637314dc7b63dfce69d3efe9b792d8fb2fbb0d9f19ea70aa0ff83ae8dbd495

RemcosRAT

a4e0f53f95a9c758592dfd652c6c7bdc3535d45b7f4ab2c2bb6a7e2f3b215526

RemcosRAT

bb63c61554ccc2caa79eec3705c3e4ce41626e88f375a8a1bc5b514e489b0f04

RemcosRAT

c6efb11667620971bfa2b783b75762c69c1bf3fe2cee9bd4ddc51164e8ba8563

RemcosRAT

d79ba47a55b5dcb4cf6e76ac13bd3179e1523d5904483232d9ce9d39915dbc69

RemcosRAT

e2293ae17fbdeb8e626efa388175c1144d82f12efe55990aa658f1c21445c47f

RemcosRAT

e3d62ea202f60dcb69703dcba7c59b2bf552c5ce2e951dfab0f1808af9e096a2

RemcosRAT

+ 683 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:starjoyce persistence rat

Link:

https://tria.ge/reports/210916-q6zstadef5/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

ruffella1122.myddns.me:4949

Unpacked files

SH256 hash:

519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1

MD5 hash:

3da921c9355d01d335cf03159a950030

SHA1 hash:

3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf

Link:

https://www.unpac.me/results/f19cf760-cb8c-41a4-bccf-9a5ad8829545/

SH256 hash:

0840ac6a8ee445eed007f29220dad3dd03e59cf161524623c831596673c7e8d0

MD5 hash:

9cd198582f958cc0485b648d2acc6f58

SHA1 hash:

1ef579145a5bbdbfe9c62a5270dbddd458da66b2

Link:

https://www.unpac.me/results/f19cf760-cb8c-41a4-bccf-9a5ad8829545/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0840ac6a8ee4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.64

Link:

https://yomi.yoroi.company/submissions/0840ac6a8ee445eed007f29220dad3dd03e59cf161524623c831596673c7e8d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/188445/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample