MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d6dd5c115751ed0ea878212ba749c8f3d2ff159679196383f08f7e476c711b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d6dd5c115751ed0ea878212ba749c8f3d2ff159679196383f08f7e476c711b2
SHA3-384 hash: 180d7168eb7fc4763016c53b97b01d58e51db09d602c90e9751f8201064f9c9f40e6e02f74b3a1b6aa56afd359ba7058
SHA1 hash: aada8a4f90f6818f5e6dafc6068f46541c61402b
MD5 hash: 87984edbd9718aee1e15ee61c5e802a3
humanhash: skylark-cardinal-twelve-early
File name:87984edbd9718aee1e15ee61c5e802a3.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:486'912 bytes
First seen:2021-07-03 14:19:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:loED5f0pANlaIr9Yy3ePOR07Vf60uPAAwZaNPB:lr7Xzr9YU6ViCZ
TLSH 72A42334D3241B3FE81345B05C5D0A4E60B59605F276BB24FACF630FA7909A2A2F7E65
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
87984edbd9718aee1e15ee61c5e802a3.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-03 14:23:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/16aa48d7-6889-453a-b62e-561725ef2564

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Razy-7334624-0
Create hunting rule

ditekSHen.INDICATOR.Packed.NyanXCAT-CSharpLoader.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a446f1f-02bf-41b4-a8a0-6ae61610c47a
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811437
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443848 Sample: ytGn2Uc1ZL.exe Startdate: 03/07/2021 Architecture: WINDOWS Score: 100 33 Multi AV Scanner detection for domain / URL 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 8 other signatures 2->39 7 ytGn2Uc1ZL.exe 5 2->7         started        11 Update.exe 3 2->11         started        process3 file4 27 C:\Users\user\AppData\Roaming\...\Update.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\...\ytGn2Uc1ZL.exe.log, ASCII 7->29 dropped 41 Uses schtasks.exe or at.exe to add and modify task schedules 7->41 13 RegAsm.exe 2 2 7->13         started        17 schtasks.exe 1 7->17         started        43 Antivirus detection for dropped file 11->43 45 Multi AV Scanner detection for dropped file 11->45 47 Machine Learning detection for dropped file 11->47 19 schtasks.exe 1 11->19         started        21 RegAsm.exe 11->21         started        signatures5 process6 dnsIp7 31 sadasdasd.re 31.7.63.14, 48294, 49709 PLI-ASCH Switzerland 13->31 49 Contains functionalty to change the wallpaper 13->49 51 Contains functionality to steal Chrome passwords or cookies 13->51 53 Contains functionality to inject code into remote processes 13->53 55 3 other signatures 13->55 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d6dd5c115751ed0ea878212ba749c8f3d2ff159679196383f08f7e476c711b2/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-07-03 14:20:16 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dvw5lqivoupnb2uhqijlu5e4r46s74kzm6izmob7bd36i5whcgza._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210703-jyq3pnkgnj/
Unpacked files
SH256 hash:
630f58cb9adb701b179294d8178cb3bc1c17f79d7cbee3bde6e9b6d406e8e9c9
MD5 hash:
11c9f3cffaf8645604c6a119426d06d6
SHA1 hash:
3dd70d4cd7b58401e5b3ad9812f891b30a59c37c
Link:
https://www.unpac.me/results/dc582a1d-9d85-4cb1-810f-8e6b1ac7fcc2/
SH256 hash:
1d6dd5c115751ed0ea878212ba749c8f3d2ff159679196383f08f7e476c711b2
MD5 hash:
87984edbd9718aee1e15ee61c5e802a3
SHA1 hash:
aada8a4f90f6818f5e6dafc6068f46541c61402b
Link:
https://www.unpac.me/results/dc582a1d-9d85-4cb1-810f-8e6b1ac7fcc2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d6dd5c115751ed0ea878212ba749c8f3d2ff159679196383f08f7e476c711b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_EXE_Packed_NyanXCat_CSharpLoader
Create hunting rule
Author:ditekSHen
Description:Detects .NET executables utilizing NyanX-CAT C# Loader
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:pe_imphash
Create hunting rule
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 1d6dd5c115751ed0ea878212ba749c8f3d2ff159679196383f08f7e476c711b2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1393808/
  
Delivery method
Distributed via web download

Comments