MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3418e1333e9001927ecc9000abf19f6dfd97a2a48399c9769182a132df8b39dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 7



SHA256 hash: 3418e1333e9001927ecc9000abf19f6dfd97a2a48399c9769182a132df8b39dc
SHA3-384 hash: 21dd096cfc370a4631509a2b5c562fd0e21e8459e2da4bd50fb761129750236078553d1d955bbfc9dd961e9c974f8f4d
SHA1 hash: 6486bee5805be89084fc6286a43af065a93af310
MD5 hash: e1d12a9c20844533f411f44a11c8ebd7
humanhash: seventeen-mike-sixteen-delaware
File name: e1d12a9c20844533f411f44a11c8ebd7.exe
Signature RemcosRAT
File size: 1'159'666 bytes
First seen: 2021-04-30 18:01:46 UTC
Last seen: 2021-04-30 19:02:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3b55998301bfa58c425fb4920f1bf5d1 (1 x RemcosRAT, 1 x Formbook)
ssdeep: 24576:Tny7bq4xOMVzeSxTqWgmsTws461lsv0yUya97cad6/xd6QWzhfOefD6HLRUD/kt4:Tmo4fjhs4Q97cad6/xd6QWzbfxktFvDe
Threatray: 292 similar samples on MalwareBazaar
TLSH: AB35BE9273C0403EC56E5670AC27B1601629FD779ACCA14D37F8BA876FF66812C29E53
Reporter: abuse_ch
Tags: exe RAT RemcosRAT

Intelligence


File Origin
# of uploads: 3
# of downloads: 178
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a process from a recently created file
Launching a process
Deleting a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: APT29
Sigma detected: Covenant Launcher Indicators
Sigma detected: Disable of ETW Trace
Sigma detected: Execution from Suspicious Folder
Sigma detected: Exploiting SetupComplete.cmd CVE-2019-1378
Sigma detected: Koadic Execution
Sigma detected: Mustang Panda Dropper
Sigma detected: PowerShell DownloadFile
Sigma detected: Ryuk Ransomware
Sigma detected: Suspicious Eventlog Clear or Configuration Using Wevtutil
Suspicious powershell command line found
Yara detected Remcos RAT
Behaviour
Behavior Graph ID: 401622
Sample: To1sRo1E8P.exe
Start date: 30/04/2021
Architecture: WINDOWS
Score: 100

Process tree (node numbers are those of the behaviour graph):
2 start
  DNS: nothinglike.ac.ug; brudfascaqezd.ac.ug
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: APT29; 12 other signatures
  12 To1sRo1E8P.exe
    Network: cdn.discordapp.com (162.159.130.233, port 443, source ports 49733, 49734; CLOUDFLARENETUS, United States)
    Dropped: C:\Users\Public\Netplwiz.exe (PE32+); C:\Users\Public\NETUTILS.dll (PE32+); C:\Users\Public\Libraries\Yzsmfc\Yzsmfc.exe (PE32); 3 other malicious files
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to steal Chrome passwords or cookies; 3 other signatures
    21 cmd.exe
      30 cmd.exe
        Dropped: C:\Windows \System32\Netplwiz.exe (PE32+); C:\Windows \System32\NETUTILS.dll (PE32+)
        Signature: Drops executables to the windows directory (C:\Windows) and starts them
        36 Netplwiz.exe
          40 cmd.exe
            Signatures: Suspicious powershell command line found; Adds a directory exclusion to Windows Defender
            43 powershell.exe
              Signature: DLL side loading technique detected
              48 conhost.exe
            46 conhost.exe
        38 conhost.exe
      34 conhost.exe
    23 To1sRo1E8P.exe
      Network: nothinglike.ac.ug (79.134.225.25, ports 49745, 49746, 49747; FINK-TELECOM-SERVICESCH, Switzerland); brudfascaqezd.ac.ug; 192.168.2.1 (unknown)
  17 Yzsmfc.exe
    Signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
    26 Yzsmfc.exe
  19 Yzsmfc.exe
    28 Yzsmfc.exe
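The behaviour graph above shows three things a defender can hunt for directly: Netplwiz.exe and NETUTILS.dll being staged in "C:\Windows \System32" (with a space after "Windows", so it is a different directory from the real C:\Windows\System32 and is writable without elevation), a PowerShell command that adds a Windows Defender exclusion, and a Run-key value that points into C:\Users\Public. The following is an added example, not code from MalwareBazaar or from the sandbox vendor: a small Python rule set run over constructed Sysmon-style events. The event dictionaries, field names and sample values are assumptions modelled on Sysmon event ID 1 (ProcessCreate) and ID 13 (RegistryEvent, value set); the sample events are constructed to mirror the process tree, not captured telemetry.

```python
r"""Triage rules for the behaviours reported for this sample.

Added example (not MalwareBazaar or sandbox-vendor code). Three rules:
  1. mock_windows_dir: a process image under "<drive>:\Windows <space>\..."
     (the trailing space makes it a lookalike of the real C:\Windows);
  2. defender_exclusion: a command line calling Add-MpPreference with an
     -ExclusionPath / -ExclusionProcess / -ExclusionExtension parameter;
  3. run_key_user_writable: a Run/RunOnce value whose target lives in a
     user-writable location such as C:\Users\Public.
Event shape and field names are assumptions modelled on Sysmon event ID 1
(ProcessCreate) and ID 13 (RegistryEvent, value set).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# "<drive>:\Windows" followed by one or more whitespace characters and then a
# backslash. The genuine system directory has no whitespace, so it never matches.
MOCK_WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\Windows\s+\\", re.IGNORECASE)

# Add-MpPreference with any of the exclusion parameters.
DEFENDER_EXCLUSION = re.compile(
    r"\bAdd-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.IGNORECASE
)

# Run / RunOnce under any hive (HKLM, HKU\<sid>, ...).
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE
)

# Locations a standard user can write to; a Run value pointing here is
# persistence for a dropped file rather than for an installed product.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\(Public|[^\\]+\\AppData)\\", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def _run_target(details: str) -> str:
    """Strip surrounding quotes from a Run value so the path regex can anchor."""
    return details.strip().strip('"')


def scan(events: Iterable[Dict[str, object]]) -> List[Finding]:
    """Apply the three rules to a stream of events and return the findings."""
    findings: List[Finding] = []
    for ev in events:
        event_id = int(ev.get("EventID", 0))
        if event_id == 1:  # ProcessCreate
            image = str(ev.get("Image", ""))
            cmdline = str(ev.get("CommandLine", ""))
            if MOCK_WINDOWS_DIR.search(image):
                findings.append(Finding("mock_windows_dir", event_id, image))
            if DEFENDER_EXCLUSION.search(cmdline):
                findings.append(Finding("defender_exclusion", event_id, cmdline))
        elif event_id == 13:  # RegistryEvent (value set)
            target = str(ev.get("TargetObject", ""))
            details = str(ev.get("Details", ""))
            if RUN_KEY.search(target) and USER_WRITABLE.search(_run_target(details)):
                findings.append(
                    Finding("run_key_user_writable", event_id, f"{target} -> {details}")
                )
    return findings


# Constructed events (not real telemetry) mirroring the process tree above.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # benign: the genuine Netplwiz.exe from the real System32 must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\Netplwiz.exe",
     "CommandLine": "Netplwiz.exe"},
    # the copy started from the mock directory (space after "Windows")
    {"EventID": 1, "Image": r"C:\Windows \System32\Netplwiz.exe",
     "CommandLine": r'"C:\Windows \System32\Netplwiz.exe"'},
    # the Defender exclusion added from a hidden PowerShell window
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden Add-MpPreference -ExclusionPath C:\Users\Public"},
    # persistence: Run value pointing into C:\Users\Public (SID is made up)
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Yzsmfc",
     "Details": r'"C:\Users\Public\Libraries\Yzsmfc\Yzsmfc.exe"'},
    # benign: a Run value pointing at a system binary must not fire
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")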
Threat name: Win32.Trojan.GenCBL
Status: Malicious
First seen: 2021-04-30 18:02:21 UTC
AV detection: 18 of 29 (62.07%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 8f63001a412f92b1e28e17cf0ca84b5d4fa126a661cdae11c5221b7344c26999
MD5 hash: 77fbc4c0b74cf1b87fa3804f3c4c0ff1
SHA1 hash: 721f7b2c9db79c8a34b8ad43f103b22df632d2dc
SHA256 hash: 3418e1333e9001927ecc9000abf19f6dfd97a2a48399c9769182a132df8b39dc
MD5 hash: e1d12a9c20844533f411f44a11c8ebd7
SHA1 hash: 6486bee5805be89084fc6286a43af065a93af310
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria
Rule name: MALWARE_Win_DLAgent07
Author: ditekSHen
Description: Detects delf downloader agent
Rule name: REMCOS_RAT_variants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: RemcosRAT
File type: Executable exe
SHA256: 3418e1333e9001927ecc9000abf19f6dfd97a2a48399c9769182a132df8b39dc (this sample)

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-30 19:08:31 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
3) [F0002.002] Collection::Polling
5) [C0026.002] Data Micro-objective::XOR::Encode Data
7) [C0051] File System Micro-objective::Read File
8) [C0052] File System Micro-objective::Writes File
9) [C0007] Memory Micro-objective::Allocate Memory
10) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
11) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
12) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
13) [C0038] Process Micro-objective::Create Thread
14) [C0041] Process Micro-objective::Set Thread Local Storage Value
15) [C0018] Process Micro-objective::Terminate Process