MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1653e9cde12c6ff18d24b0980a7c480b4f73f0796e33b904c51242197a17c9f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1653e9cde12c6ff18d24b0980a7c480b4f73f0796e33b904c51242197a17c9f6
SHA3-384 hash: 186081853d21fbb5b8ca22f0898d3f389b914c1093374c42b5bdc0061b598d844988576b9fe20ec485b9bd10dcc53cdd
SHA1 hash: f31c0a9351f7bad2add8bb8a6bb84d33f7a4d9b8
MD5 hash: deeb93011ebf42a8671cd4ae4b91e1ac
humanhash: delta-purple-golf-thirteen
File name:ms.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:219'648 bytes
First seen:2020-05-28 05:58:00 UTC
Last seen:2020-05-28 08:22:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:pIpc6GUH6ViTYAkZJZ7ozNJPpTbghJBBR4qe7zppk8pE:Sfz0n4vPZbg3BBR4Vppk8
Threatray 1'096 similar samples on MalwareBazaar
TLSH 7B24291D1EA80653D5A9D375CEDCC83B65A4A11320F2FE795CC503A84B87A43BED227E
Reporter abuse_ch
Tags:exe JPMorganChase nVpn RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT payload URL:
http://185.205.209.166/cxwv/ms.exe

RemcosRAT C2:
eastsidepapi.myq-see.com:6996 (79.134.225.98)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EKOW.1704.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Dothetuk
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 06:34:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
23 of 48 (47.92%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
remcos
Create hunting rule
gozi
Create hunting rule
Similar samples:
1cc4b7a9c9d0d8de1ab96f11189104912af60a594c7e4a0c70d7cc236fdbb6ec
RemcosRAT
1ed676d7b5902ae99362fbbbd80e7dd2b9cb9c479d9b9a8736f30829e7fe4176
RemcosRAT
3484fffe14e6d045c8a5c568187f686d4479693dadb3fc4631b7d307000b5148
RemcosRAT
654dcb8cbaca77d6679523c36f44ea656e39a97ce7e4d6f91b089fe8d54f9787
RemcosRAT
82421fe6bfd0fa95f4bc1813c1dbaf3ce1fc505f2e04dafefc653316e0f1f547
RemcosRAT
b4d2f2e28311317f4e568f4245c251cb0eb314e391223b2077d183e3d0de5738
RemcosRAT
c87a719713c51891fa7b0def4b093441934d9f60ef8bd52951e2efb9a030f59c
RemcosRAT
d35aeec2558b2fbbfddb761ecdef94c1c6b085af83d6905ab7851af1217c1543
RemcosRAT
d74d145a490143aa9b5088044bd31e46042dde2522600d119948e7914f1c4a10
RemcosRAT
ec4b8a8c2223163d74c1c9b97e26889074e995beea8e9a78ba3a8a430fde7bd0
RemcosRAT
+ 1'086 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat rezer0
Link:
https://tria.ge/reports/201109-69tar3d6xe/
Behaviour
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
rezer0
Remcos
Malware Config
C2 Extraction:
eastsidepapi.myq-see.com:6996
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_remcos_g0
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Excel file xlsm 98d537ff72c396e14be6da957765adafcc878bbb9cf9c06aae31495a05e584a8

RemcosRAT

Executable exe 1653e9cde12c6ff18d24b0980a7c480b4f73f0796e33b904c51242197a17c9f6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/370327/
  
Dropped by
MD5 5e8f2b0d0890da4c7e7cdccd63e95894
  
Dropped by
SHA256 98d537ff72c396e14be6da957765adafcc878bbb9cf9c06aae31495a05e584a8
  
Delivery method
Distributed via web download

Comments