MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a049a6f200348e229ebaa13728cd0d19de4839c741d4faec3dd64207860153d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	0a049a6f200348e229ebaa13728cd0d19de4839c741d4faec3dd64207860153d
SHA3-384 hash:	1b6d2e7abfce2108c05b0de99a5eac9fd06688ae1c3b0f9018a78126cb132d02e4a567055230b81a63bead0912f221fd
SHA1 hash:	b1c514708b9611056cce378a8c7d8f2b12e4e8df
MD5 hash:	c4cd874423d9026b16b370d5fa812471
humanhash:	king-mars-video-jig
File name:	c4cd874423d9026b16b370d5fa812471.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	652'432 bytes
First seen:	2021-04-08 08:09:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	af52f63bf30089caa8a0bd17b5f786c5 (3 x RemcosRAT, 1 x AveMariaRAT, 1 x ModiLoader)
ssdeep	12288:23e7vWhDoA/ytg+9qfAsVfbv3APQU/OyVg:2O7HA/jfzb4oUDVg
Threatray	152 similar samples on MalwareBazaar
TLSH	08D49E32B6F14833D1B71E3DADABB62D5C267E113AF4988967E41C0D5F38750782A392
Reporter	abuse_ch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c4cd874423d9026b16b370d5fa812471.exe

Verdict:

Malicious activity

Analysis date:

2021-04-08 08:20:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fa0c56dd-416f-4ed6-970a-f1c66fd605fc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/133099/

Detection(s):

PUA.Win.Packer.PrivateEXEProtector4-6192998-2

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Mal.Generic-S.10000.16163.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Deleting a recently created file

Launching a process

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/669752

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates a thread in another existing process (thread injection)

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/0a049a6f200348e229ebaa13728cd0d19de4839c741d4faec3dd64207860153d/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2021-04-07 19:22:14 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Verdict:

malicious

Label(s):

remcos

RemcosRAT

29c65d4ad00f4134b8f56f3b19a5880b1e81e24a037cb431efad92eda57d2b26

RemcosRAT

375b5d8e986b228149dbe2f4cd9df92e697491052531a094fb7172ad0d25bd82

RemcosRAT

4a74ac9210751c192d84ad49d567de4cc5f7d005f62767b59a6a7901051a5304

RemcosRAT

5d20ab723dbc30184582ccec3877af8fbb8fc78f90d09fd680bf784325951ca3

RemcosRAT

604bc26afab3f25d1c4d98e45872e798eef3061cc8720be0db28d900bddb277c

RemcosRAT

896d2dc1eab72419ab524333d3fba88c8ddf92b087f1c9af5d6ea402b0c77d89

RemcosRAT

8acdca153a4e16a5ff668a0a5ad8c274d2307a88cda385575ee4fbb8374d2254

RemcosRAT

cbf5b54d5d1c70086efefea16f38b80a329cb96bb5a59e709b0ab2304acb157c

RemcosRAT

fee06f1a31cdd93b91bf8d0a5991023b2bf6d0ed2957c3bc0f40f05609eb689b

RemcosRAT

+ 142 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos persistence rat trojan

Link:

https://tria.ge/reports/210408-qrg4cyz2h6/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

ModiLoader, DBatLoader

Remcos

Malware Config

C2 Extraction:

alukoren.duckdns.org:9144

Unpacked files

SH256 hash:

31ffb1d8050b158b4c432cbb831f9da9b918443b7ed3ecca7e3d7a18a531e3f9

MD5 hash:

406f0b9cc6dacbdd1b715c557b941343

SHA1 hash:

77387463c87215e20a8592430665820cbb146660

Link:

https://www.unpac.me/results/c9a6e0e1-3ed9-40e7-bf0f-ee1c23b80a84/

SH256 hash:

0a049a6f200348e229ebaa13728cd0d19de4839c741d4faec3dd64207860153d

MD5 hash:

c4cd874423d9026b16b370d5fa812471

SHA1 hash:

b1c514708b9611056cce378a8c7d8f2b12e4e8df

Link:

https://www.unpac.me/results/c9a6e0e1-3ed9-40e7-bf0f-ee1c23b80a84/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0a049a6f200348e229ebaa13728cd0d19de4839c741d4faec3dd64207860153d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_56f008e69a7c4c3feb389c66eaf58259 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates