MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 1620114c000809b11104adbadb3df7ac989d9c7bc5e7da5acb0ffc9c5cb05c14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 4
| SHA256 hash: | 1620114c000809b11104adbadb3df7ac989d9c7bc5e7da5acb0ffc9c5cb05c14 |
|---|---|
| SHA3-384 hash: | 2d5043e7def3851239b1ece0b9049bcfff9d89140a2f2b26e060906cf4575e2f70f8fa620035a0ea607d9c104755802a |
| SHA1 hash: | 1cf2e5e4693719b11c038103c53219e5c72de6cd |
| MD5 hash: | c825668b23247f7fcbe58dd77fc41c7b |
| humanhash: | tennessee-salami-equal-ack |
| File name: | 1620114c000809b11104adbadb3df7ac989d9c7bc5e7da5acb0ffc9c5cb05c14 |
| Download: | download sample |
| Signature | RemcosRAT |
| File size: | 932'163 bytes |
| First seen: | 2020-03-31 21:51:23 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla) |
| ssdeep | 24576:RXhZgPlsrroLaOOiQTZMgoQpV0vTwhuaqcu:pICsaIUSTouaxu |
| Threatray | 1'004 similar samples on MalwareBazaar |
| TLSH | 61151242B7D285B2D63219361A39A720697CBE305F30CF5EB3E42D5EDA315D0A634B63 |
| Reporter |  nbd33 |
| Tags: | COVID-19 exe remcos RemcosRAT |
Intelligence
File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Remcos
Status:
Malicious
First seen:
2020-03-24 11:38:58 UTC
File Type:
PE (Exe)
Extracted files:
61
AV detection:
26 of 31 (83.87%)
Threat level:
2/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
remcos
Similar samples:
+ 994 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipAlloc |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole KERNEL32.dll::AttachConsole KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::MoveFileExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.