MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a1dced1428208836f04f4ec0654f13786b2fb5244891eaffc48da37c87af8ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a1dced1428208836f04f4ec0654f13786b2fb5244891eaffc48da37c87af8ec
SHA3-384 hash: 7fe8343281d68aad9b5c40cc6f503aab67f9997b542a0d7be44277e0a8645b34332240aa89b5f394b90aa27bbd27f39a
SHA1 hash: ec11f28d152e0f195e7d8ee7e78a0e5b46d8d3c3
MD5 hash: f31c9401bbc47b28ae638e00787fe0d2
humanhash: georgia-uniform-triple-zulu
File name:RFQ-#09503.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:897'488 bytes
First seen:2021-02-22 07:31:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 123e9c36cc1595f744449f97bcf23cbf (6 x RemcosRAT, 1 x Loki, 1 x Formbook)
ssdeep 24576:RYUkRHVFnyXv1qhqu7ANT8QNE1C5h7bmhNK:RY9b0Uhquhc
Threatray 85 similar samples on MalwareBazaar
TLSH D5154DB1AB4A4F12F05B013DCD4AE6FA0712BC44372B59B71E98F7478AA2780B5E5077
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLAgent07
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118252/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613742
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355882 Sample: RFQ-#09503.exe Startdate: 22/02/2021 Architecture: WINDOWS Score: 100 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 6 other signatures 2->50 7 RFQ-#09503.exe 1 18 2->7         started        12 Kneapest.exe 2->12         started        14 Kneapest.exe 2->14         started        process3 dnsIp4 32 cdn.discordapp.com 162.159.134.233, 443, 49730 CLOUDFLARENETUS United States 7->32 28 C:\Users\Public\Libraries\Kneapest.exe, PE32 7->28 dropped 52 Writes to foreign memory regions 7->52 54 Allocates memory in foreign processes 7->54 56 Injects a PE file into a foreign processes 7->56 16 svchost.exe 5 5 7->16         started        58 Multi AV Scanner detection for dropped file 12->58 60 Machine Learning detection for dropped file 12->60 20 svchost.exe 2 3 12->20         started        22 svchost.exe 14->22         started        file5 signatures6 process7 dnsIp8 30 style.ptbagasps.co.id 37.139.64.106, 42024, 49732, 49744 THINKSYSTEMSUK-ASNGB European Union 16->30 34 Contains functionalty to change the wallpaper 16->34 36 Contains functionality to steal Chrome passwords or cookies 16->36 38 Contains functionality to capture and log keystrokes 16->38 42 3 other signatures 16->42 24 wscript.exe 16->24         started        40 System process connects to network (likely due to code injection or exploit) 20->40 26 wscript.exe 20->26         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a1dced1428208836f04f4ec0654f13786b2fb5244891eaffc48da37c87af8ec/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 06:41:36 UTC
AV detection:
14 of 47 (29.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dio45ukcqieig3ye6twamvhrg6dlf62siser5l74jdndpsd27dwa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1e5a328f760c35f905390fb4bcf0eefa75936c79a43e22ca7557da0e315c72ed
RemcosRAT
22ac80592400a2e2ed64392413d1bc5ecbbb09f10a811d3243c7212252f75a2c
RemcosRAT
2a344d464465069aa8739a45ecba1b6de4ef4ba4cc2b8128af5a54112c507058
RemcosRAT
558791ef8ee4a269644ecce15552270a2e8f287603308069084793370ba9451d
RemcosRAT
71f60a985d2cc9fc47c6845a88eea4da19303a96a2ff69daae70276f70dcdae0
RemcosRAT
7372fe2e6401cdbca755f752e7e8407a8a5fbaf81ca5e692705a9819977dc447
RemcosRAT
926da3334135961ff0c19ecf4358201ba4734ab01186061c423deeb081ec1cff
RemcosRAT
9f2fc689de26cd7461adc91dad9e369d3250df1819466f565ff0623e3c874755
RemcosRAT
b6e24ae319f72f87dbf9d5e6fc2394737b938f7eb391a39c5043114458f31733
RemcosRAT
f436b8e7b214f3f56d0c62326e37653f87184760b406ab4f6eae79a5c34297b1
RemcosRAT
+ 75 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:xmrig miner persistence rat
Link:
https://tria.ge/reports/210222-8828eqzj3n/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
xmrig
Malware Config
C2 Extraction:
style.ptbagasps.co.id:42024
Unpacked files
SH256 hash:
0e7586027be2b00d10dcc585232de1b4fe8f23be8298dad1f3bc86475946b5c9
MD5 hash:
ee5230700e4a146fed27eab5f8d9caa6
SHA1 hash:
809225fca3c38e5cd30eb35b9b667393becfb516
Link:
https://www.unpac.me/results/fc47c9fd-8be5-45d1-94c0-4b38e31e143b/
SH256 hash:
1a1dced1428208836f04f4ec0654f13786b2fb5244891eaffc48da37c87af8ec
MD5 hash:
f31c9401bbc47b28ae638e00787fe0d2
SHA1 hash:
ec11f28d152e0f195e7d8ee7e78a0e5b46d8d3c3
Link:
https://www.unpac.me/results/fc47c9fd-8be5-45d1-94c0-4b38e31e143b/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 1a1dced1428208836f04f4ec0654f13786b2fb5244891eaffc48da37c87af8ec

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118252/

Comments