MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 21691425c52cf7a77c0e3a65cc1c0c59cb026d5b76e78160ebb8a553f9bbe50c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 5
| SHA256 hash: | 21691425c52cf7a77c0e3a65cc1c0c59cb026d5b76e78160ebb8a553f9bbe50c |
|---|---|
| SHA3-384 hash: | 8a0f9dc265e239a32fbb7d5058147461feb8067c8fa6c6b05786d90ec0c94e66987acec3bb74622f62273d8ddef46242 |
| SHA1 hash: | 8df0f533589d16d3f59a920cf429a941f6cff6fb |
| MD5 hash: | adb4b946a725aac2a00e4c6ed6243deb |
| humanhash: | saturn-oscar-mobile-autumn |
| File name: | 21691425c52cf7a77c0e3a65cc1c0c59cb026d5b76e78160ebb8a553f9bbe50c |
| Download: | download sample |
| Signature | RemcosRAT |
| File size: | 1'174'384 bytes |
| First seen: | 2020-11-11 11:10:09 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | a87d544438fee28f423c4b1fdfe9c7ef (5 x ModiLoader, 3 x RemcosRAT) |
| ssdeep | 12288:qS+r3BYXHak1PbYBdsuHdLhuqQYmwVrOz+/M9cNGYrFPq1885rwcz1zlCT:q1rUaC0/3tQeROzx9cNGqi8wjCT |
| Threatray | 1'070 similar samples on MalwareBazaar |
| TLSH | CB45AFE2A2405532C963397D8C1F6BB768317F2D2E6459262AF56C4CBE367C03425F8B |
| Reporter |  seifreed |
| Tags: | RemcosRAT |
Intelligence
File Origin
# of uploads :
1
# of downloads :
62
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Trojan.Remcos
Status:
Malicious
First seen:
2020-11-11 11:11:34 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
5/5
Verdict:
malicious
Label(s):
remcos
Similar samples:
+ 1'060 additional samples on MalwareBazaar
Result
Malware family:
remcos
Score:
10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ServiceHost packer
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
21691425c52cf7a77c0e3a65cc1c0c59cb026d5b76e78160ebb8a553f9bbe50c
MD5 hash:
adb4b946a725aac2a00e4c6ed6243deb
SHA1 hash:
8df0f533589d16d3f59a920cf429a941f6cff6fb
SH256 hash:
7d41dc7946704863fd154dc0ad3be2d5451b30add8e2ae5444911a3ea980b07c
MD5 hash:
83a3bff791c880dee89754e30de2b9ab
SHA1 hash:
2254501fab965ce3ea4f85afbcb45d637ccd4308
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.