MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cad10488e9efd31ba0fe6cacc311572a2fac4c4760b315e5ce337ea731ce22c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	3cad10488e9efd31ba0fe6cacc311572a2fac4c4760b315e5ce337ea731ce22c
SHA3-384 hash:	c9b248cab7a5a191f7af87fcea98309d5c0fdf40295cdc00b9f200a2e390d4dc188e1336fff2638c9a27c766aaae64e9
SHA1 hash:	a6cf2cbcf8aee310c4bde6b846a83a91b3855c46
MD5 hash:	3c37c322eabf6eda7375d85e15e3c6e3
humanhash:	beryllium-alaska-florida-seventeen
File name:	SecuriteInfo.com.AI.Packer.F6FD72BA21.14573
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	665'088 bytes
First seen:	2020-07-08 16:56:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c769aa33458940b0c0e3838f7c635f27 (4 x RemcosRAT, 3 x FormBook, 1 x AveMariaRAT)
ssdeep	12288:I1uSw3tWopwOdOGakJ1olUL+zUQJ75w/nGasCqDaitL8ST:Ikx308tOGakJ1gh4QJdw/G9VDaML8ST
Threatray	810 similar samples on MalwareBazaar
TLSH	47E47D52F6C09877D02B1A7DCC5FD664683ABE152D24D84A3AE67E0C4EF6341343B29B
Reporter	SecuriteInfoCom
Tags:	RemcosRAT

Intelligence

File Origin

# of uploads :

1

# of downloads :

85

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23290/

Detection(s):

SecuriteInfo.com.AI.Packer.F6FD72BA21.14573.UNOFFICIAL

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3cad10488e9efd31ba0fe6cacc311572a2fac4c4760b315e5ce337ea731ce22c/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2020-07-08 16:58:04 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Verdict:

malicious

Label(s):

remcos

Similar samples:

0067b722606e5742dfa241ea0684189ab4989ab495328a327569027577f8592c

13eaaf168207a5014c105532b6a23805fc6db28f73908914a4583979173cc254

1887a3510750f3511193c6c51a64dd2af035402cafd8e8f4fc63666412ea010e

397545efcbf53bebabdb003bbe9f8b619b7ffdd5383c21ecd9e99c6de3e3cd83

97660e6482890360d2da0c3732f09b7e7b30d8a90bb93b9de2ef7d4953adea22

a030c2bf64a9ee2737aca5e34c9c89fa34c16ed61b16af1f0b9a8455fd6f4b1f

b59d01c152a084a23f8477e2a20bde57045b2e3a1ca9a938ba4dbf6ac262b73f

c8c1e04edd5c422d065e27a3a73931d373de200419cd9ba649fdfadee686e5f2

d69aa1932b2e702e5065ee19da9fc9cf2b05e7dbaa617141b14eaa501a14955e

e67dd040ce53fbf4e0ef2121dabd060c5c764ede3eec55801376b144a0f40419

+ 800 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

persistence rat family:remcos

Link:

https://tria.ge/reports/200708-gxkw2m7cya/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run entry to start application

Legitimate hosting services abused for malware hosting/C2

Remcos

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 3cad10488e9efd31ba0fe6cacc311572a2fac4c4760b315e5ce337ea731ce22c

(this sample)

Cape

Cape

https://www.capesandbox.com/analysis/23290/

URLhaus

https://urlhaus.abuse.ch/url/408796/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample