MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 427102cfb84006044ecb4a6e42daaceb66f01c098c6a848106f30a2ce22dd5c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	427102cfb84006044ecb4a6e42daaceb66f01c098c6a848106f30a2ce22dd5c4
SHA3-384 hash:	71381c1e42fbf0e496f3107ecb61ddb86956c61cd5c59f4fb0b26cdda2f7baa723c05fe60c69111d9ba3e7585dbd5213
SHA1 hash:	689c74723dc40bb7274e50a6a9f97bfdb580bd07
MD5 hash:	fd8a0eec7f14e78cb689f5c88e0d8222
humanhash:	alpha-low-hydrogen-august
File name:	427102cfb84006044ecb4a6e42daaceb66f01c098c6a848106f30a2ce22dd5c4
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	686'080 bytes
First seen:	2020-11-14 18:03:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:sQZmUQgWIPbGiJbtkUsehD7BG4oYhV5TuZMMHaFLMTsHQEbWIPpY:bZPW2bGiJbtkU3D7ZoMLaYq6WIPp
Threatray	1'125 similar samples on MalwareBazaar
TLSH	5BE48D132A48AFC9F1BD9337986D1841C3F9F843E722CA6A7CE264CD9DB1F948611716
Reporter	seifreed
Tags:	RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

DNS request

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/535987

Signature

Contains functionality to capture and log keystrokes

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/427102cfb84006044ecb4a6e42daaceb66f01c098c6a848106f30a2ce22dd5c4/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2020-11-14 18:05:25 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ijyqft5yiadaitwljjxefwvm5ntpahajrrvijaig6mfczyrn2xca._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

5f4e4a43a01b235d781c6888198b18750529dda9fc4727727940115090e06a6d

RemcosRAT

608d70c1cb35d04fa09469743651ee50e859d9ea016f7492bc53008de310deb7

RemcosRAT

753883fa972dda966abb3adad3cfc94f0a82ca128d1908df58bac3ba93e60bd3

RemcosRAT

762d689595557fa3064907433659411b95132e554f7d17fcf62d1a77db51e3e5

RemcosRAT

81783c63ad44bdb77b3db79ec3cafb33222395e89d765c4ffbab36ea6b9c96eb

RemcosRAT

9160a75fe7bd27c3cb8141039d4c7383162b199454dfa285dd7d11f9fcfe52b1

RemcosRAT

a362c422dd9a2c24a7cc96dc14244742d24274b78da4b0a27157ac9e7c38b04a

RemcosRAT

aad53b1b6e50e7ee426f0790b5497cb7d63704a6775248f258db1263762761bb

RemcosRAT

ef93be06b93e89bc68dd92ca713f40e320a654c49a241a6884785acf964b8ba9

RemcosRAT

+ 1'115 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/201114-zqj6jgq4ca/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

podzeye.duckdns.org:333
pmanz.sytes.net:333

Unpacked files

SH256 hash:

311a5d41486bf418e06ac6604c686f8fe5696f4a4fbd1fcb665160fa34f81c7a

MD5 hash:

8147aef03af5d530162eca46dca9bb61

SHA1 hash:

4f0f7976fdd5339778a19cb592f4ffcaabd82ee2

Link:

https://www.unpac.me/results/148c3bd8-f056-4244-9ae2-38b61f71257d/

SH256 hash:

b8331f72b1377fe2af860c78e155829718a3d27e3fbe26c814a50360b1999954

MD5 hash:

c731b88a9c8d2ece462cc181fca5d039

SHA1 hash:

1617fea47ebdaa068e3a7c60c91e35e68aecad36

Link:

https://www.unpac.me/results/148c3bd8-f056-4244-9ae2-38b61f71257d/

SH256 hash:

20b22b91ad511cb719401cc1af78b2747bdfe6e55950c607ae484701cb869671

MD5 hash:

3dace9717f651418154ff8d338c4995c

SHA1 hash:

255503b456fb8a15a21149daac5396b22f93ddb2

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/148c3bd8-f056-4244-9ae2-38b61f71257d/

SH256 hash:

f369a51d47f0b69a1d6db9e414f8766aee618b4ad9c95f1956d40653de2531af

MD5 hash:

d33d6db9c298fe6621ddb0175bceb344

SHA1 hash:

4786e206bee85f733b013cd81be85aebfa64f168

Link:

https://www.unpac.me/results/148c3bd8-f056-4244-9ae2-38b61f71257d/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/148c3bd8-f056-4244-9ae2-38b61f71257d/

SH256 hash:

427102cfb84006044ecb4a6e42daaceb66f01c098c6a848106f30a2ce22dd5c4

MD5 hash:

fd8a0eec7f14e78cb689f5c88e0d8222

SHA1 hash:

689c74723dc40bb7274e50a6a9f97bfdb580bd07

Link:

https://www.unpac.me/results/148c3bd8-f056-4244-9ae2-38b61f71257d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/427102cfb84006044ecb4a6e42daaceb66f01c098c6a848106f30a2ce22dd5c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample