MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2782cd8a1b4f5152d56ae47c4af233a6d4ecb08f7fb23918467fbe5019c8a44d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2782cd8a1b4f5152d56ae47c4af233a6d4ecb08f7fb23918467fbe5019c8a44d
SHA3-384 hash: 9ac04aa2cfaa369811793538a66c04741f4bd723defe7cf5cb3e9d05ad09be4a8a54432f7ac3f25a8b050cb75b18d000
SHA1 hash: cadca89c62746fd87c4aeb5e81c01bc134fd546f
MD5 hash: 81c4bae78cce64b29f116bad10c3076a
humanhash: quebec-artist-venus-violet
File name:FRIEGHT PAYMENT 41,634.20 USD..exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:666'112 bytes
First seen:2021-04-30 09:05:31 UTC
Last seen:2021-04-30 10:02:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:SiX4sz3Di+R66SRBqoWzdlyQSCOCJV8NdYEQT8lzZL:Skzzi+kadlKCOAIdK0R
Threatray 1'738 similar samples on MalwareBazaar
TLSH E3E4AF057294E311D6E566B1DE11D2B00BB36D6AF601D10B78FC3E9FBF9D9038216E2A
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
45.137.22.107:5888

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.137.22.107:5888 https://threatfox.abuse.ch/ioc/26639/

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/147338/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.688-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/704385
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
DLL reload attack detected
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2782cd8a1b4f5152d56ae47c4af233a6d4ecb08f7fb23918467fbe5019c8a44d/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-30 09:06:18 UTC
AV detection:
8 of 47 (17.02%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6bm3cq3j5ivfvlk4r6ev4rtu3kozmepp6zdsgcgp67fagoiurgq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0bb0f23c8514ae2365efb46535f08b01f04cfbadd97baeaa860cca5d634f32e0
RemcosRAT
126b33c2868dde525221c47721ba9860b9c172d7c8ab74238a8d3f28f04bbb68
RemcosRAT
19c85373616be5338b379799fa36c19e4ff5d5e7f67fa820ea9040ab5427d516
RemcosRAT
1b059ab1c0eca910c2882e26ac6f2e8ab795f0749294dfff4af528cb788d2d47
RemcosRAT
1fb565cee813ca5e1dcb040cda9f988a4138a33bea61115f48d7d64e6c28da69
RemcosRAT
210560d23e3c023c90bd24ed0d76c68732dc267277fc6adcc3c991cb611bb06a
RemcosRAT
321e405f4fc6391af017fce9e6964419f05942c84380480e44c20ab9f707dd31
RemcosRAT
96e975e9e509e40c6b069f4fe4ef338ddaa76472a30e3115374d5ae3b25c7616
RemcosRAT
a5b12e2ac3b1a01783989acfe7e00c29dd53fa953f88963b9207b38a3f5b4547
RemcosRAT
b8059fc344b91a7b02e6a15a94551fcb3450f1109ad59bd6f3a22e0342ad9ff5
RemcosRAT
+ 1'728 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos evasion rat
Link:
https://tria.ge/reports/210430-54g7a8azzj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Remcos
Unpacked files
SH256 hash:
11cf5a51e593c007ff4f91294cf505ffd5e425e56387c60d81e6479cc284cc3b
MD5 hash:
73cc3f7e7700e6a54cb5f291dffe5aa1
SHA1 hash:
09174f9fa55c9bac0540efb7a8c682878a32d02d
Link:
https://www.unpac.me/results/34da4765-1d7b-4b8b-8a93-9fcaf69c24e1/
SH256 hash:
2782cd8a1b4f5152d56ae47c4af233a6d4ecb08f7fb23918467fbe5019c8a44d
MD5 hash:
81c4bae78cce64b29f116bad10c3076a
SHA1 hash:
cadca89c62746fd87c4aeb5e81c01bc134fd546f
Link:
https://www.unpac.me/results/34da4765-1d7b-4b8b-8a93-9fcaf69c24e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2782cd8a1b4f5152d56ae47c4af233a6d4ecb08f7fb23918467fbe5019c8a44d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/147338/

Comments