MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f74c18ec111a812a7f30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 14 File information Comments

SHA256 hash:	32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f74c18ec111a812a7f30
SHA3-384 hash:	94b57ccf595a384769cc5008fcc83c5c7380020b984c8ebe12cb7102346afcbea2c0e2178ceace1f82d763d69586381b
SHA1 hash:	8efc45dfa94301be70e623e9bf50d5fe3e4dafb2
MD5 hash:	fc1b3067306a863caf88690b9001c2d6
humanhash:	princess-alaska-diet-bulldog
File name:	32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	4'286'464 bytes
First seen:	2021-03-30 04:06:03 UTC
Last seen:	2021-03-30 04:44:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f8a12be64b382e27cf5c35f26bac329b (1 x RemcosRAT)
ssdeep	49152:N64wHqj3fVbShW+Nwl32KoJ+6/i8QA9IPUh6IqsT0J48U:NhwHqj3f29J2A9IPUh6Iq08
Threatray	2'121 similar samples on MalwareBazaar
TLSH	3A168D227280553FC05B0B39187FAA75993EBB713A13D85767F09D8C8F716813A2A397
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
181.141.10.122:2225

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
181.141.10.122:2225	https://threatfox.abuse.ch/ioc/5959/

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f.exe

Verdict:

Malicious activity

Analysis date:

2021-03-30 04:08:47 UTC

Tags:

trojan rat remcos

Link:

https://app.any.run/tasks/387ef066-993c-408e-a369-33f3215026a8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/127873/

Detection(s):

SecuriteInfo.com.Trojan.Siggen12.44402.7238.26937.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Sending a UDP request

Transferring files using the Background Intelligent Transfer Service (BITS)

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Enabling the 'hidden' option for files in the %temp% directory

Moving a file to the %temp% directory

Launching cmd.exe command interpreter

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Moving a file to the %AppData% subdirectory

Creating a file

Unauthorized injection to a system process

Setting a global event handler for the keyboard

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/671655f4-df67-482d-8489-42d06f98460d

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/657909

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Found malware configuration

Hijacks the control flow in another process

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f74c18ec111a812a7f30/

Threat name:

Win32.Backdoor.DarkComet

Status:

Malicious

First seen:

2021-03-22 19:33:00 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gjlaztck6ljxywd3xrkr4hoycj5y56vpwgm7otay5qirvajkp4ya._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8

RemcosRAT

11f06223417d6045acaa15cf7f5515d9afdfc23590c9cd021c2ae90a736bb6cd

RemcosRAT

411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3

RemcosRAT

50a189fe28198ad7f41cfefd5fef208b25ec79be1bdddb540f1c9fef45e4f393

RemcosRAT

67b662f28ef6c6a148443ebece272e63e7eeb9d366032b4366fe459b7c5c41f8

RemcosRAT

6c131f342e8226706ba1b39cc955852b022130c14ea12bd3b3cf340bbea25bf6

RemcosRAT

8ef0ab64ef4a050f29808379fa8e9448bca73be60e4944f9d13a9a6880ba33f2

RemcosRAT

aa9692c1769e25297176b847f4274570c56c4d74f4577608bd036e72d82d5bdb

RemcosRAT

e3670bfc1db6fb7223bb6b231ef4c3afd9d34de1d8f87b7a8e7a4cb27cfaa37d

RemcosRAT

+ 2'111 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/210330-qmgkphssv2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Blocklisted process makes network request

Remcos

Malware Config

C2 Extraction:

jgwmxykzoty0e22ronzlahhrlzd8om139wn9xf5q.duckdns.org:2225
181.58.154.181:2224

Unpacked files

SH256 hash:

c7fbdc61eb62c05e40295617e2db75877672931f751a770d2629e6eab6075f2c

MD5 hash:

abf6c724b20844d5b0073988a58faf1e

SHA1 hash:

7a8269d5b2ae623f8148ce9863f48f7e12ce036b

Link:

https://www.unpac.me/results/8adb10a3-0f7f-4146-9c8a-a4e9aed176fb/

SH256 hash:

32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f74c18ec111a812a7f30

MD5 hash:

fc1b3067306a863caf88690b9001c2d6

SHA1 hash:

8efc45dfa94301be70e623e9bf50d5fe3e4dafb2

Link:

https://www.unpac.me/results/8adb10a3-0f7f-4146-9c8a-a4e9aed176fb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Cryptor

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f74c18ec111a812a7f30

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Adsterra_Adware_DOM Create hunting rule
Author:	IlluminatiFish
Description:	Detects Adsterra adware script being loaded without the user's consent

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	crime_win32_parallax_payload_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax Injected Payload v1.01
Reference:	https://twitter.com/VK_Intel/status/1227976106227224578

Rule name:	crime_win32_rat_parralax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MAL_crime_win32_rat_parallax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/127873/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample