MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41f469d18016a7ba9938f2f4409b7e15acd9657a4c639f772a05c53e93287aa7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	41f469d18016a7ba9938f2f4409b7e15acd9657a4c639f772a05c53e93287aa7
SHA3-384 hash:	e68f773763a5b8c6464487ecf02b7582460984fc765a49dd6af2e522fb7cf0eb75840cdf9f7a41ecb619a14128da6f81
SHA1 hash:	f057791373ceff4286ebe91894f09a36b3ffb69e
MD5 hash:	3d5cbe744dce24113248ee279b4690c4
humanhash:	massachusetts-blossom-pasta-potato
File name:	3d5cbe744dce24113248ee279b4690c4.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	603'380 bytes
First seen:	2021-07-06 15:58:54 UTC
Last seen:	2021-07-06 17:18:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep	12288:8yvbM3mkIIQS/UBwAJzLehIGqh4Jq1WI1hukKuIx5lHxkZrbNfK64:HvbM3LUhJzLeDqh/ukWlRkxN8
TLSH	E8D48B685CF4DD22FCBCFEF4EE4193091D6E2D3600A57B497AB3BE6926B40B6610D064
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

170

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3d5cbe744dce24113248ee279b4690c4.exe

Verdict:

Malicious activity

Analysis date:

2021-07-06 17:03:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/eb8a181b-d231-4176-a1ed-3bff3dc21392

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/170017/

Detection(s):

SecuriteInfo.com.Zum.Androm.1.14821.30946.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c890be2d-8e23-4333-b783-e760ef3c3724

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/812470

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/41f469d18016a7ba9938f2f4409b7e15acd9657a4c639f772a05c53e93287aa7/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-07-05 23:06:05 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ih2gtumac2t3vgjy6l2ebg36cwwnszl2jrrz65zkaxct5ezipktq._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/210706-qdgneyrwv2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Remcos

Unpacked files

SH256 hash:

a8ccb71cbd1fb662f192528c9aaec9aba5d5de8b130f77119782085bf6d193d4

MD5 hash:

8c6f9a330b50b3aa423eae8d2de5346a

SHA1 hash:

e0f3696ac49794f8343921e725c0069d48ea8274

Link:

https://www.unpac.me/results/838fb915-6f57-4037-9ac3-07877df66bca/

SH256 hash:

6d73cedbfb30c62b119ef1433508eec41c274abd313295c024e92d57c0c8d5e4

MD5 hash:

6182806d317c2612c2cb11a9ffede27a

SHA1 hash:

6843cac34e6897cfae53d5110a9a34ecd72b7f04

Detections:

win_remcos_g0

Link:

https://www.unpac.me/results/838fb915-6f57-4037-9ac3-07877df66bca/

Parent samples :

704cea9cf2bcfaf5eb8e072ec299125703ff291d1223db387365079758e366bb
41f469d18016a7ba9938f2f4409b7e15acd9657a4c639f772a05c53e93287aa7

SH256 hash:

579e4b9364d59e2d6c5a27b4ec8a098cd31eb2cd1d60997752005ed91b09b9ce

MD5 hash:

7a716f7112abb7d6c49f47ab244f4aa1

SHA1 hash:

2195e8ac14cbda13c78df24b106f7fd8954343a2

Link:

https://www.unpac.me/results/838fb915-6f57-4037-9ac3-07877df66bca/

SH256 hash:

41f469d18016a7ba9938f2f4409b7e15acd9657a4c639f772a05c53e93287aa7

MD5 hash:

3d5cbe744dce24113248ee279b4690c4

SHA1 hash:

f057791373ceff4286ebe91894f09a36b3ffb69e

Link:

https://www.unpac.me/results/838fb915-6f57-4037-9ac3-07877df66bca/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.67

Link:

https://yomi.yoroi.company/submissions/41f469d18016a7ba9938f2f4409b7e15acd9657a4c639f772a05c53e93287aa7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

exe 41f469d18016a7ba9938f2f4409b7e15acd9657a4c639f772a05c53e93287aa7

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1417371/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/170017/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample