MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ae83a13a6fe98f6d3b293d69aa7e58e4752e4b1353978e1a390314f725ea44e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	3ae83a13a6fe98f6d3b293d69aa7e58e4752e4b1353978e1a390314f725ea44e
SHA3-384 hash:	e8e7571adc011d2e01b224746b8bfb0cc7d8bb6ec0a60fb6fea6d6a30123bd8737d13bab0f1dbe8cbf200c0dfa6a5b24
SHA1 hash:	28b1711daac847a6e0f04c018b40ad1aab376441
MD5 hash:	205c04191a6c1f1d9b841ac49a81a901
humanhash:	sodium-king-stream-minnesota
File name:	Quotation (3).exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	510'464 bytes
First seen:	2020-10-16 13:40:39 UTC
Last seen:	2020-10-16 15:15:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:RGzY36DXLSiPnYFIQbYXQQwGHaKUHj0ud1o9:RGzdLLDPnYRbYX+MaKUDLU
Threatray	360 similar samples on MalwareBazaar
TLSH	7BB4C02523986FE1E47DD3BB20B0096053FAB486E735D61D7DA452CE3A62F808673B53
Reporter	abuse_ch
Tags:	exe RemcosRAT

abuse_ch

Malspam distributing unidentified malware:

HELO: yandex.com
Sending IP: 37.49.225.133
From: stoneadamss@yandex.com
Subject: QUOTATION
Attachment: Quotation 3.gz (contains "Quotation (3).exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/72057/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.424.23117.4280.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file

Sending a custom TCP request

Setting a global event handler for the keyboard

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/493710

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM_3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/3ae83a13a6fe98f6d3b293d69aa7e58e4752e4b1353978e1a390314f725ea44e/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-10-16 11:48:19 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hludue5g72mpnu5sspljvj7frzdvfzfrgu4xryndsayu64s6urha._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

4edd4c06c8b7cca23fce60e854323b80835e64c805daef22994f2d3d743dd83b

RemcosRAT

5967386e3a83cb9e0066223388892aade38751662b856048184c262239411aae

RemcosRAT

69e28c099c18f7fd000440db3155e9818916f70535e10b392ae7c1fb54ba48be

RemcosRAT

796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a

RemcosRAT

8247f1c9100f98350ccc39ee0512d24a86c29881763eb262197347908a1315c4

RemcosRAT

82b2605b25b8443229154cf16788525e9dab3bdeff6b305792a11c0d5cd8e99f

RemcosRAT

abd47175466abe2058151e12919ca9501497dbb286909bf7896d20d59fe73ef6

RemcosRAT

bbcaf0746383dc1928fe53805da2d9bb28123e7495d48759202a46217e6b456d

RemcosRAT

d38a8652771ca87506e06b24d7b6b21fd051042714faa477c7d7189c9bd94633

RemcosRAT

+ 350 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

rat family:remcos spyware

Link:

https://tria.ge/reports/201016-vnkxehkn1s/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Remcos

Malware Config

C2 Extraction:

194.5.97.103:1011

Unpacked files

SH256 hash:

e8ef35ac9da0fb9b54f0213078522fc8d2e0ef2bb2c9a6d94db3487718dc89c1

MD5 hash:

c9ab3e689a95399d5f132dc0a9dd2ed4

SHA1 hash:

36be7d1a11298cba3c14764a6611aa3f5c053c5b

Link:

https://www.unpac.me/results/19311f19-4795-4e56-a995-93baa35035be/

SH256 hash:

3a1ab0bef6b08c2341fda53c70ed1cc75d7ef622bf3e53afb564da2c058ad1ee

MD5 hash:

63d15ef6df2d7cdb6e691242bf487bdc

SHA1 hash:

596580f727b13f731b6bff06b976199fbaa4f974

Link:

https://www.unpac.me/results/19311f19-4795-4e56-a995-93baa35035be/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/19311f19-4795-4e56-a995-93baa35035be/

SH256 hash:

c4c4a58252cd9cbbebd10e8b7829d1a5bd56db03e1347cd0d4b0fbf499437dca

MD5 hash:

b3c67330d485682db169fab9188de3b2

SHA1 hash:

70054f6ba2bedaf419e5cf3d7f94a3ad984fa848

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/19311f19-4795-4e56-a995-93baa35035be/

SH256 hash:

3ae83a13a6fe98f6d3b293d69aa7e58e4752e4b1353978e1a390314f725ea44e

MD5 hash:

205c04191a6c1f1d9b841ac49a81a901

SHA1 hash:

28b1711daac847a6e0f04c018b40ad1aab376441

Link:

https://www.unpac.me/results/19311f19-4795-4e56-a995-93baa35035be/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3ae83a13a6fe98f6d3b293d69aa7e58e4752e4b1353978e1a390314f725ea44e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator