MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32f481a7c5c4c551ff62fed04373d59417592eec20592bfd748d894d5f04de02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 8 File information Comments

SHA256 hash:	32f481a7c5c4c551ff62fed04373d59417592eec20592bfd748d894d5f04de02
SHA3-384 hash:	44b58a58b239e4d7413d27635a3528f86166ab9923ca2e5eb215a3bb8ff29aebf117db56488db8ef184e47feb093c7b0
SHA1 hash:	25e27cf2d9dc91f834bfde025bd262dd31796095
MD5 hash:	8d55c9fc0cc10ce90d018f0140b43d7d
humanhash:	lake-seven-cat-robert
File name:	8d55c9fc0cc10ce90d018f0140b43d7d.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	126'976 bytes
First seen:	2020-12-03 14:28:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5f0c90c109d16124e83cb7a25caef54f (28 x RemcosRAT, 1 x FormBook, 1 x NetWire)
ssdeep	3072:mpgk9sZwnSD9Pb0CR36oWdHZ8xyicFtsnal5OzqhPk9tn:igk9EySD9z0CjeHyxyicFtsnavOzqhP8
Threatray	1'195 similar samples on MalwareBazaar
TLSH	60C3E867F24B80A3D863027056507B72ADBCFC321A5D5157E7E8D8811DF588E902AAFF
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/106614/

Detection(s):

Win.Malware.Rescoms-6598304-0

Win.Trojan.Remcos-9753190-0

Win.Trojan.Remcos-9763891-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/554747

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Detected Remcos RAT

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/32f481a7c5c4c551ff62fed04373d59417592eec20592bfd748d894d5f04de02/

Threat name:

Win32.Backdoor.Rescoms

Status:

Malicious

First seen:

2020-12-03 09:38:53 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gl2idj6fytcvd73c73ieg46vsqlvslxmebmsx7lurweu2xye3yba._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

28e5fa8a71a61c9a963340efa4179b8e1e966eca430c77f86c5795a28b66162a

RemcosRAT

3bdfaf82d5d56f2546be44b3355f8d72cc0508984586e0fba3d704a5adabf7d1

RemcosRAT

5623d23f830311afc91586eeae9824ede5dd4233d9b45a45a6bea4110514db48

RemcosRAT

84440675af619c4edf18154e689b89143bae8581ccdfd4ee0385c50886f8c006

RemcosRAT

8e99ebae5c7d8b8620f20ff54a24db4d15c817f24e2a3017525063a34308bf60

RemcosRAT

9a40f0300c23e940e1e6abdab04d0d52218ac9a28b96075238de1fb9acd88b77

RemcosRAT

c381d8cd8db61a6517450b92e3757d4eae36518580a3d2f4761522d0b7b3f4f0

RemcosRAT

c97b88ff9779d0ba8c1f0cd066bc87588cfb203cb2a922d6b52769622209e96d

RemcosRAT

dce0fd32e1a722b27a3d60dc55016edbbfe763d3ec5aa10de6a6455e062b1432

RemcosRAT

+ 1'185 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/201203-4mvh9hv2x6/

Behaviour

Remcos

Malware Config

C2 Extraction:

qnp.mooo.com:61514

Unpacked files

SH256 hash:

32f481a7c5c4c551ff62fed04373d59417592eec20592bfd748d894d5f04de02

MD5 hash:

8d55c9fc0cc10ce90d018f0140b43d7d

SHA1 hash:

25e27cf2d9dc91f834bfde025bd262dd31796095

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/948e2fd8-c29e-4122-b2a1-39cab922b5ad/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/32f481a7c5c4c551ff62fed04373d59417592eec20592bfd748d894d5f04de02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator