MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a6b4d008994bb06574688d817089831fc7404e5e458c38e7a1464d072a8fd7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a6b4d008994bb06574688d817089831fc7404e5e458c38e7a1464d072a8fd7a
SHA3-384 hash: 64661ef7c366a8a88c11c2450ce4c4f8807bb4d01d24ef3a1f7f43cd693ea12d289bba93409b45329f58f18dbedbd0d1
SHA1 hash: dd46ac624c420a0df7b8a4fdf3aa57dcaf85465e
MD5 hash: 23d5f75391136c6e3fafc24f60c257c1
humanhash: mirror-winter-neptune-may
File name:file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:637'760 bytes
First seen:2022-10-27 23:19:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:kGOUQfnuznoZApJmYDB1+ClalshgWpfPivzv2Ci/1m:kGOUQfn4o+/mYDdLGWpfPirv2NU
Threatray 2'286 similar samples on MalwareBazaar
TLSH T191D4F133E6C1D453F3880D39C6C29AF702ED4F0E67A571B3549C198908A92D9A35BBB7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 550959654d651945 (37 x Formbook, 28 x AgentTesla, 14 x RemcosRAT)
Reporter jstrosch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-10-28 01:16:02 UTC
Tags:
rat remcos stealer
Link:
https://app.any.run/tasks/b9bedf63-8c33-48b9-b1ca-0f6cc5796ea2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325272/
Detection(s):
SecuriteInfo.com.UntrustedCertificate.Aichost.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/adeab580-d291-4e40-8a66-f529939f15c4
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1099921
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a6b4d008994bb06574688d817089831fc7404e5e458c38e7a1464d072a8fd7a/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-10-26 19:49:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bjvu2aejss5qmv2grdmboceygh6hibhf4rmmhdt2crsna4vi7v5a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
04a15b34b627794caf34f7277c8663ea7a75d32576f6484dc85ba2bfcbe39bfd
RemcosRAT
0773f517b40992fd3e6291eb906558588f1de9e3887bb2433f95bb4ea9f5904a
RemcosRAT
2cf1525cdb58ec9e5d47e5c66619b9cf2966155ece68a66e9bf935369971ccdc
RemcosRAT
3e0bcdfffded9aaede7644824841490767cf472e2dafebdc04b090870853d8ac
RemcosRAT
788a6a0d67e10a4235043d0f12cc5841ab77bac0518842aea964e720318f674d
RemcosRAT
ce4085be9c0cea2fdaa6145e86166b051222fcc96eac12e1668d803a6b97ebfe
RemcosRAT
da780e7f18a59bf4184769099656b951986ff9915e684a7d9c063f471f4f6876
RemcosRAT
f63f0aec05acdc4b6427334d073ead70d53709f1b47970bc04329b10f941cca1
RemcosRAT
+ 2'276 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection rat
Link:
https://tria.ge/reports/221027-3bewdaeaa2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Drops startup file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
top.thekillforabuse1.xyz:55988
Unpacked files
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/2bf3c4af-97d1-4711-97dc-83ab14d28cd3/
SH256 hash:
825c4d62d9e732d061e25885660f81e1fe907aadde48049f3d1bf301760e9e6a
MD5 hash:
756b70e6f4bde1fd086b3190c2a60146
SHA1 hash:
4753d81616ca9d26d904a68bfb75c1a6d4d2eddb
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/2bf3c4af-97d1-4711-97dc-83ab14d28cd3/
Parent samples :
777eb848bf3c905f08cf9037ab3587523807806e604bb57e7da21a6a81a930ed
1a238550d2ebef5de175ac81976c00504f74f935edc10903a3a0b23075c8e77b
f63f0aec05acdc4b6427334d073ead70d53709f1b47970bc04329b10f941cca1
0a6b4d008994bb06574688d817089831fc7404e5e458c38e7a1464d072a8fd7a
b05858be9cfce1e5405b340dd3f80eed01ee77058b9c7af49ca7dd4108f771d1
94dd721db7f8f975f2b8cac62518c42889e86f1b29d47d1400b53bbba950b8ec
0b369a736f1f26563fde964ce5a3e43e6ef527a274ba336b701a7c8c34957541
SH256 hash:
0a6b4d008994bb06574688d817089831fc7404e5e458c38e7a1464d072a8fd7a
MD5 hash:
23d5f75391136c6e3fafc24f60c257c1
SHA1 hash:
dd46ac624c420a0df7b8a4fdf3aa57dcaf85465e
Link:
https://www.unpac.me/results/2bf3c4af-97d1-4711-97dc-83ab14d28cd3/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0a6b4d008994/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a6b4d008994bb06574688d817089831fc7404e5e458c38e7a1464d072a8fd7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 0a6b4d008994bb06574688d817089831fc7404e5e458c38e7a1464d072a8fd7a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/325272/
  
URLhaus
https://urlhaus.abuse.ch/url/2389274/

Comments