MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3746f6d2d5f3e12e69c80085eef48b25f06974965b930563d773eac6e5c2f291. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3746f6d2d5f3e12e69c80085eef48b25f06974965b930563d773eac6e5c2f291
SHA3-384 hash: 8172763264361b90283a7eb4e060524243224a145a42f53076ad9700f08f73fceafa15e6da62f2468e6da538008346a3
SHA1 hash: 68d97daa03745c5addc52a791969183402908ae6
MD5 hash: bb0d18064cff3e8e3aaccb648089f87d
humanhash: romeo-mockingbird-stream-social
File name:3746f6d2d5f3e12e69c80085eef48b25f06974965b930563d773eac6e5c2f291
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:13'355'448 bytes
First seen:2020-10-19 06:59:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 393216:3RLMVsfdbhlU6T9QHpqJiSJBUu6bKnD5vSFNVL:usfdh9gpoJHnD5vSFNVL
Threatray 1'114 similar samples on MalwareBazaar
TLSH 39D63358B55B0986E6379E780AE0CBA0D92DDC4A066621313B053651FF7F3E719EC22F
Reporter JAMESWT_WT
Tags:OOO Fram RemcosRAT

Code Signing Certificate

Organisation:AAA Certificate Services
Issuer:AAA Certificate Services
Algorithm:sha1WithRSAEncryption
Valid from:Jan 1 00:00:00 2004 GMT
Valid to:Dec 31 23:59:59 2028 GMT
Serial number: 01
Intelligence: 370 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Malware.Generic-6718284-0
Create hunting rule

PUA.Win.Adware.Hpdefender-6725853-0
Create hunting rule

SecuriteInfo.com.Troj.Inject-EAO.957.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Sending a UDP request
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Deleting a recently created file
Unauthorized injection to a system process
Forced shutdown of a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494955
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Detected VMProtect packer
Found strings related to Crypto-Mining
Hides threads from debuggers
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect debuggers (CloseHandle check)
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299940 Sample: qrddS5Diau Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 37 ipv4.imgur.map.fastly.net 2->37 39 i.imgur.com 2->39 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 5 other signatures 2->57 9 qrddS5Diau.exe 10 2->9         started        signatures3 process4 file5 27 C:\Users\user\AppData\Local\Temp\t-rex.exe, PE32+ 9->27 dropped 29 C:\Users\...\policy converter manager.exe, PE32 9->29 dropped 12 policy converter manager.exe 9->12         started        15 t-rex.exe 1 9->15         started        process6 signatures7 67 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->67 69 Hijacks the control flow in another process 12->69 71 Writes to foreign memory regions 12->71 79 2 other signatures 12->79 17 extrac32.exe 14 12->17         started        73 Antivirus detection for dropped file 15->73 75 Multi AV Scanner detection for dropped file 15->75 77 Tries to detect debuggers by setting the trap flag for special instructions 15->77 81 3 other signatures 15->81 21 conhost.exe 15->21         started        process8 dnsIp9 31 151.101.112.193, 443, 49763 FASTLYUS United States 17->31 33 ipv4.imgur.map.fastly.net 17->33 35 i.imgur.com 17->35 43 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->43 45 Hijacks the control flow in another process 17->45 47 Writes to foreign memory regions 17->47 49 Maps a DLL or memory area into another process 17->49 23 cmd.exe 2 6 17->23         started        signatures10 process11 dnsIp12 41 95.217.144.93, 49766, 5864 HETZNER-ASDE Germany 23->41 59 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->59 61 Contains functionality to steal Chrome passwords or cookies 23->61 63 Contains functionality to capture and log keystrokes 23->63 65 2 other signatures 23->65 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3746f6d2d5f3e12e69c80085eef48b25f06974965b930563d773eac6e5c2f291/
Threat name:
Win32.Trojan.Rugmi
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 07:00:27 UTC
File Type:
PE (Exe)
Extracted files:
161
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
26448f5f651589c5fd39721e68693c8eba2ada59eee363b365b984e90f0a47b0
RemcosRAT
487032be06deec0a6b50c6c0464edb67d50f9bb769ea1527969d4b67b83e8733
RemcosRAT
644aa25d23ed0bde16287cbf053890168f01b13ba8909a1c9b984f8f2f58180f
RemcosRAT
91adaeeb7ac7733741a68cc0283a10f64403f64d1378558bae2342bec847f8e5
RemcosRAT
9ad345199fba200ac03609aa9a93be1c10663b7c2c1f3d0467e747f0f0147caf
RemcosRAT
a32c37dd601a6fcdd6e622b2c928c7ef7935a77a0df9a2dfb9c7774630dd266e
RemcosRAT
b05eb1ace6dd219a6e5ea23d25ea88bbd672ad379ac4dcaa935acbfdece37c0b
RemcosRAT
c689edeb2bea45f5a7e6402ba51dc23e40e6c8b509841f60cb3d7327340b9b60
RemcosRAT
ca1db184290b274c1f78b091bf019926fa258dd8b1f5bb316a55832aec970338
RemcosRAT
e138622ca793f4a546496b40dcf406a83aa667d16fa2a29879d8282a39d6e7ff
RemcosRAT
+ 1'104 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
vmprotect rat family:remcos
Link:
https://tria.ge/reports/201019-w9w13727jx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Blacklisted process makes network request
Executes dropped EXE
VMProtect packed file
Remcos
Malware Config
C2 Extraction:
95.217.144.93:5864
Unpacked files
SH256 hash:
3746f6d2d5f3e12e69c80085eef48b25f06974965b930563d773eac6e5c2f291
MD5 hash:
bb0d18064cff3e8e3aaccb648089f87d
SHA1 hash:
68d97daa03745c5addc52a791969183402908ae6
Link:
https://www.unpac.me/results/2a419aaf-fb50-4b5f-a53b-ccaa9a703ddc/
SH256 hash:
f277d497022c66a4029769330cf7c2ae0d4abaf73d2431dc58954d4cdbd7f945
MD5 hash:
2080e98e9bc885d302dd886136dd6611
SHA1 hash:
57090ed06d939dec28bc1de2ef7f1ba344467895
Link:
https://www.unpac.me/results/2a419aaf-fb50-4b5f-a53b-ccaa9a703ddc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/3746f6d2d5f3e12e69c80085eef48b25f06974965b930563d773eac6e5c2f291

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/72765/

Comments