MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1009dfd8b0678ec363efae43da9bb4eac2f44ae77a7f7f89ccc120a592f20a78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

SHA256 hash: 1009dfd8b0678ec363efae43da9bb4eac2f44ae77a7f7f89ccc120a592f20a78
SHA3-384 hash: 3e57bb8856d908610cd07f6d9dc775d9cd195fe800c3b38d3d22a13bdb8eaa953e0252d54586c23409c361346cecca1a
SHA1 hash: 8ee5104375cd908aa0cf90bea82f93c7ebbcfa73
MD5 hash: 4ac117a87c9b139485cc58ec23d991d8
humanhash: mars-low-item-nevada
File name: 1009dfd8b0678ec363efae43da9bb4eac2f44ae77a7f7f89ccc120a592f20a78
Signature: RemcosRAT
File size: 829'440 bytes
First seen: 2021-02-28 07:22:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:YX1Nar/EvNZOa1zz2bIEQrG9PXOHFRXLooa8Fp835wgmh0ZlFkI5g/E9vx+:34VZOUzlEbGHzooa885wLykI5g8W
Threatray: 105 similar samples on MalwareBazaar
TLSH: CD05E128665D6F1DE03E67BB9464104FE3FA6807C723D6AB3DE920CB1D52F80972161B
Reporter: JAMESWT_WT
Tags: RemcosRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
349
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1009dfd8b0678ec363efae43da9bb4eac2f44ae77a7f7f89ccc120a592f20a78
Verdict:
Malicious activity
Analysis date:
2021-02-28 08:58:59 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 359441, Sample: odW62S0306, Startdate: 28/02/2021, Architecture: WINDOWS, Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 11 other signatures

Process tree (dropped files, signatures and network contacts listed under the process that produced them):

odW62S0306.exe
  dropped: C:\Users\user\AppData\...\CqqZjnebjj.exe (PE32); C:\Users\...\CqqZjnebjj.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp7439.tmp (XML); C:\Users\user\AppData\...\odW62S0306.exe.log (ASCII)
  signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to capture and log keystrokes; Contains functionality to inject code into remote processes; 2 other signatures
  odW62S0306.exe
    dropped: C:\Users\user\AppData\...\update2021.exe (PE32); C:\Users\...\update2021.exe:Zone.Identifier (ASCII)
    signatures: Creates autostart registry keys with suspicious names
    wscript.exe
      cmd.exe
        update2021.exe
          dropped: C:\Users\user\AppData\...\update2021.exe.log (ASCII)
          signatures: Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; Machine Learning detection for dropped file; 4 other signatures
          update2021.exe
            network: megamoney2021.duckdns.org 105.112.153.209, 26500 VNL1-ASNG Nigeria; 185.244.26.204, 26500, 49718, 49724 VAMU-ASIP-TRANSITVAMURU Netherlands
          schtasks.exe
            conhost.exe
        conhost.exe
  schtasks.exe
    conhost.exe
update2021.exe
  schtasks.exe
    conhost.exe
  update2021.exe
update2021.exe
  schtasks.exe
    conhost.exe
  update2021.exe
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2021-02-27 02:32:37 UTC
AV detection:
32 of 48 (66.67%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:remcos persistence rat
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
185.244.26.204:26500
megamoney2021.duckdns.org:26500
Unpacked files
SHA256 hash:
e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44
MD5 hash:
b6ce7c1d81b9271eab825ea63de154c3
SHA1 hash:
0e7b89555314f8908c1098b652c9bf50e5ecc27b
SHA256 hash:
1009dfd8b0678ec363efae43da9bb4eac2f44ae77a7f7f89ccc120a592f20a78
MD5 hash:
4ac117a87c9b139485cc58ec23d991d8
SHA1 hash:
8ee5104375cd908aa0cf90bea82f93c7ebbcfa73
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_RemcosRAT
Author: abuse.ch
Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria
Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe
Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog
Rule name: Parallax
Author: @bartblaze
Description: Identifies Parallax RAT.
Rule name: remcos_rat
Author: jeFF0Falltrades
Rule name: REMCOS_RAT_variants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments