MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f1a2ec195c60a1f8789ac36368ae30a2b187858c957115bf88f40344bf0e6fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 9 File information Comments

SHA256 hash:	3f1a2ec195c60a1f8789ac36368ae30a2b187858c957115bf88f40344bf0e6fa
SHA3-384 hash:	6eb6a84458cac6f6f7390e6bb7868236d890e5a12bea9da8c34007672dcbab79f982b17c2a944d393c3ffc9cd509b3a6
SHA1 hash:	95b7277e3bdabe4d85e9a4fb5f7de8c05c6370e6
MD5 hash:	0339d1393354ef634d7517bd4704a3c2
humanhash:	mirror-september-sink-one
File name:	0339d1393354ef634d7517bd4704a3c2.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'383'160 bytes
First seen:	2020-12-21 07:49:01 UTC
Last seen:	2020-12-21 09:34:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:3rp0ghLYATjUsjDU7YSg8+3F+pWknOEoCoPemGPWEIIfoja99PZ0SPduYTfhDch+:bp0h/
Threatray	1'261 similar samples on MalwareBazaar
TLSH	B355310249816CCBD7B2D090A34EC6D6B38795DCE7EA6FD4AE10E21532CC477EBA9D41
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017

Intelligence

File Origin

# of uploads :

# of downloads :

147

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2019-2020_SOA_Payment_21Dec2020.xlsx

Verdict:

Malicious activity

Analysis date:

2020-12-21 06:44:52 UTC

Tags:

encrypted exploit CVE-2017-11882 rat remcos keylogger

Link:

https://app.any.run/tasks/0caaed50-39f6-4c40-8681-6aa3ab364621

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/108643/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.35798067.8092.26556.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Adding an access-denied ACE

Creating a file

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a process with a hidden window

Creating a window

Sending a UDP request

Deleting a recently created file

Running batch commands

DNS request

Connection attempt

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Setting a global event handler for the keyboard

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/567225

Signature

.NET source code contains very large strings

Detected Remcos RAT

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/3f1a2ec195c60a1f8789ac36368ae30a2b187858c957115bf88f40344bf0e6fa/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2020-12-21 07:49:05 UTC

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=h4nc5qmvyyfb7b4jvq3dncxdbivrq6cyzflrcw7yr5adis7q435a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

4a94b062dbb9df940520146d100df5b019795d0f508d7ba89d24eb18725e1608

RemcosRAT

54c9967a2b3467f1a5961630d0bd429400e781de19866a383267c40e0f9acf2f

RemcosRAT

5b10f4a23880b51923a0df3e9e3c37f40eb0d3cc93de7b463da62f936a501385

RemcosRAT

843326e8aabda8025975ae55e6d36fcd8bb79e2e1a5f25e86303b82f16c3bac5

RemcosRAT

b8bcf3a59b89b2ebc0fb7cfba5f8f726de83b08acd072b55c557cf89d16210c9

RemcosRAT

c14895a7d0ca2633b565af7c08e77aef32397f4fdc78fd3560d2f23d89aa6d6a

RemcosRAT

e1865abf21c3b8f3b3d15e6c6e477468941f9e65700ceaaa0f4cb269d967c83e

RemcosRAT

f6c8f18b6a8db8307ea07c171236d118f91924e497027eeb305800ba2eee4fbe

RemcosRAT

f7e29cbf47c9804eb341836873ea6837be7a46639978f44d9ba2670d47e68d56

RemcosRAT

+ 1'251 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/201221-7z9cy2tgxx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

Remcos

Malware Config

C2 Extraction:

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017

Unpacked files

SH256 hash:

3f1a2ec195c60a1f8789ac36368ae30a2b187858c957115bf88f40344bf0e6fa

MD5 hash:

0339d1393354ef634d7517bd4704a3c2

SHA1 hash:

95b7277e3bdabe4d85e9a4fb5f7de8c05c6370e6

Link:

https://www.unpac.me/results/ac9ec09d-988c-4423-808d-5fc54ca881a4/

SH256 hash:

0afaf5864348f90a56329d6e2830e9174249420ecaddc5c1b79765a970c7f474

MD5 hash:

4d6e4e0fee721542d0b5f636c5cb63d8

SHA1 hash:

57e32baee5bbd2ec32157efad4161b3b74f3aca5

Link:

https://www.unpac.me/results/ac9ec09d-988c-4423-808d-5fc54ca881a4/

SH256 hash:

fdc92902f0cb09f325201e9072cc43bfecdf32ea4199b3e53db3f5c433031479

MD5 hash:

b1c44c1b03ddd37f559369eeb42bc2b6

SHA1 hash:

174a77cfaaae5918a49d29156ecb9d4f65604129

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/ac9ec09d-988c-4423-808d-5fc54ca881a4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3f1a2ec195c60a1f8789ac36368ae30a2b187858c957115bf88f40344bf0e6fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator