MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ad1cbf24005ff5f0e634bf2e5642d37ca1cd6d9fe7001cd5b91eeb84506068b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 8 File information Comments

SHA256 hash:	2ad1cbf24005ff5f0e634bf2e5642d37ca1cd6d9fe7001cd5b91eeb84506068b
SHA3-384 hash:	3d0e3cea4ec6ad2398e0bc78f1638d4245148b590ada1e5fb543214fe1bf84ff76372e5e0c81bf8bb2ef1ada2b265cc8
SHA1 hash:	8e9cae5f5c15e196296bdda0f551c63914eb10b7
MD5 hash:	ee1adf1a5898d0b8748bfee729854f38
humanhash:	coffee-freddie-nine-gee
File name:	2ad1cbf24005ff5f0e634bf2e5642d37ca1cd6d9fe7001cd5b91eeb84506068b
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	263'680 bytes
First seen:	2020-11-10 11:40:00 UTC
Last seen:	2024-07-24 12:34:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	34078771387d6e214745d63ecc346d59 (3 x RemcosRAT, 2 x Tofsee, 2 x CoinMiner)
ssdeep	3072:/xfCJBXPDShnqbDRBPSIp3HypzFs4YcTJJzMth86PlM45jTmjjjjjjj2:/oP2hgHKB7s4dT0l1
Threatray	1'066 similar samples on MalwareBazaar
TLSH	3E44BE1076F1C933C0A3473C0464D2D06637BC26E6B8C98777E83B5A6DBA6D15BB2396
Reporter	seifreed
Tags:	RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Packed.Generickdz-9784859-0

Win.Dropper.Tofsee-9785157-0

Win.Packed.Generickdz-9785340-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Launching the default Windows debugger (dwwin.exe)

DNS request

Creating a file in the %AppData% subdirectories

Setting a global event handler for the keyboard

Sending a TCP request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/528621

Signature

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Country aware sample found (crashes after keyboard check)

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2ad1cbf24005ff5f0e634bf2e5642d37ca1cd6d9fe7001cd5b91eeb84506068b/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2020-11-10 17:01:00 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fli4x4saax7v6dtdjpzokzbng7fbzvwz7zyadtk3shxlqriga2fq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

29e976622956314e13cff9fce7e829a27827214ddcfd41ccd33fc4faca45b566

RemcosRAT

308245e3b036eaa8e2b12c92852a64e5feedd6d952789d12da2ea5da9b7acced

RemcosRAT

570e5bb05a57a95438fe1f61a116ab1d0de2bb2b0703745adea8ff45780d4a57

RemcosRAT

6274c01dd6783517a68267d2c6c2af38143ed35074cfc2372d8bc385a7c5f4e9

RemcosRAT

6c882aeb918e424cefe1068a6d3fbff5526c31e185716bf3a0d5ae0295772f09

RemcosRAT

b1e43124a401714ce72691a059cfaf3182e0e63986ab8e165d8333bf11540568

RemcosRAT

c0b1ba178d886a9d71fb7ffd5b169bf023021e13c545e3cd8d15461221dd2006

RemcosRAT

fa5850a0ba8809631d4e3f5a3f8cafa133b3d6ae37088eeb934ec13d1bc9f368

RemcosRAT

fbefd8e13f38e815b0709336a96c2c24679fda1bb9498e052ff8ae4a7bccd318

RemcosRAT

+ 1'056 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/201110-drv7gal856/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample