MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 152f3260540ddacabf638628ec6a395fa0192a25a886a44c9bfee471c56932fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	152f3260540ddacabf638628ec6a395fa0192a25a886a44c9bfee471c56932fd
SHA3-384 hash:	a801904bb539dfe7077a464de35380b82435041d5b856564c5a30c4cbee9a91d142118a3744f4a3e878c29645f7cf3ca
SHA1 hash:	a2c429c3801d5920f6b40a99181a01c790dfb20d
MD5 hash:	1b52be9f8017e1b71b3fc7d503d4fcf9
humanhash:	carolina-montana-kentucky-moon
File name:	152f3260540ddacabf638628ec6a395fa0192a25a886a44c9bfee471c56932fd
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	321'280 bytes
First seen:	2020-07-06 07:05:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep	3072:QWUElmXkJr4Dul8kZyLA93qlUD2mvwV6bFcHSRoodGv8Z3WKvLMgNdAWcmgZbJSj:1ogNJHWeuKwv4U6L7Nrv
Threatray	791 similar samples on MalwareBazaar
TLSH	1F64E66D6DB4123BC83CC2B44A69D931E193AD776029591C2ECBBC57B6F39023B5312E
Reporter	JAMESWT_WT
Tags:	RemcosRAT

Intelligence

File Origin

# of uploads :

1

# of downloads :

69

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/21034/

Detection(s):

Win.Packed.Remcos-8401633-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Creating a process with a hidden window

Deleting a recently created file

DNS request

Creating a file in the %AppData% subdirectories

Setting a global event handler for the keyboard

Enabling autorun with Startup directory

Unauthorized injection to a system process

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/152f3260540ddacabf638628ec6a395fa0192a25a886a44c9bfee471c56932fd/

Threat name:

ByteCode-MSIL.Trojan.Remcos

Status:

Malicious

First seen:

2020-06-30 18:59:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

4

AV detection:

21 of 23 (91.30%)

Threat level:

5/5

Verdict:

malicious

Label(s):

remcos

Similar samples:

010aed8661376e735e0128dbac1fcdd380daca80633318e29bbc164c5fc64152

0f307822855aabba644e0f79751eeb5f26e0575ae5ade7c6507c6d1ea7a64725

18aae95253ffa453609ef3e1150cf9c2b167a1b1c59ae1270e279f8d5e070c27

3b13ea61e91a0312f8c187096e435168cee2d2277c46373d01899497345bd0e9

4c5c201ddc74537db5e203d39f745acb5fd28c5fc1a8087c99226f2dc56a9e99

667d35d2cff2979ca84df0afe1eca6c164e1d919b989e16b97166c7a30c77a87

93c327b46d6354a91a9b20311a2f1e1873e132765816ec26443eb1971ccd2946

b8a03fd14b3a3695af8b6c781eb946214a98986279678c6b2a477f22ba1ac3cf

c0a656a2f73c254ed2f1e73630083849890b7c1e36161e89fe29d2fd014f9fff

f9441d3651d67748ec1a2fd325ea1aa9d914208c7fae0853e5b769e52e66ccb8

+ 781 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

evasion trojan rat family:remcos

Link:

https://tria.ge/reports/200706-44a9gg8mb6/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Windows security modification

Remcos

Modifies Windows Defender Real-time Protection settings

Malware Config

C2 Extraction:

experience247.ddns.net:1965

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/21034/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample