MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 449c33f2127c186ec3304d4a6979831b41776c8a09357f2f572f0fd40a2732cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 449c33f2127c186ec3304d4a6979831b41776c8a09357f2f572f0fd40a2732cf
SHA3-384 hash: 8b79352789f56a5b415d51f020d6289fb1df89a4f5638726ffb59a7b063dd6e5b86d7f882d7215fd502dbbd1933ef613
SHA1 hash: 5517f5968d9b63ba6e58f6307305aef0b90b614d
MD5 hash: 5546bea107b5ae87fef0150aa7f16a84
humanhash: alabama-london-romeo-kitten
File name:IMG-2021040235AWSERDQ1DOC0302738YJ5452.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'027'584 bytes
First seen:2021-11-21 10:35:46 UTC
Last seen:2021-11-21 13:11:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 111c275bb6312869d7d7ee4ac560b94c (1 x RemcosRAT)
ssdeep 24576:9estUEYOzF0U/6nPYfk7KomUNoV5TQeyMMtuLLl411u/pj:9XRkel4ex
Threatray 345 similar samples on MalwareBazaar
TLSH T19B258E31DB7549B3C2135834BD0F3272AC3A7F431B685C252EAAAECC6F397912426597
File icon (PE):PE icon
dhash icon 342c6c9c97cc6492 (11 x Formbook, 9 x RemcosRAT, 1 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
185.140.53.230:5200

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.140.53.230:5200 https://threatfox.abuse.ch/ioc/251748/

Intelligence

File Origin
# of uploads :
2
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG-2021040235AWSERDQ1DOC0302738YJ5452.exe
Verdict:
Malicious activity
Analysis date:
2021-11-21 10:38:47 UTC
Tags:
rat remcos keylogger trojan
Link:
https://app.any.run/tasks/b28bd87f-e26c-42c5-8ac9-491fddaf05cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.UDS.Backdoor.Win32.Remcos.gen.20527.17755.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/619a2115398e2553d2ffaf11/reports/9dfc294f-cc27-42b0-87bc-0481486df02f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1d4467a3-8856-4b81-abb1-5ba437f3eae0
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/893269
Signature
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/449c33f2127c186ec3304d4a6979831b41776c8a09357f2f572f0fd40a2732cf/
Threat name:
Win32.Downloader.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-11-21 10:36:06 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=isodh4qspqmg5qzqjvfgs6mddnaxo3ekbe2x6l2xf4h5icrhglhq._file
Verdict:
malicious
Similar samples:
3bfb18b65c870e3c012f8d38fa70ea7441d6b09530e5f77d837d636c0e2abd0d
RemcosRAT
6402f4385282298774063f11374e0162643b5d2eaa42b5a5878755b7f97e9e24
RemcosRAT
71f1357b11f35eef18854a9a7c33b65ce665b2b150ae5dd79aeaefc2691e9849
RemcosRAT
a192572433f8f1a41f0035e040f0f455608b6eb9695cbb87c9734f3a4bf7d4cc
RemcosRAT
c66278e7c7a5ccb279d55d3dc1b3ef42188e47f276f09d5a8f686a5ba2ab3dd7
RemcosRAT
cc2894394da12ab098b78a9ca9fa5c462f294a6c678d584d6d283c6d436d88c4
RemcosRAT
d90b2ee420fc51d84a0c3c3fe2ae4e13b6313cd030be264440538a396dfe7956
RemcosRAT
e78db46391cadbbffb7825a2144ca2c8cbbf8afedf91b9d3575d48eede2b9cce
RemcosRAT
fc9ba22e8b90dbfe7b8b4b8450f2a93227c949d57395f59a0cedd30c78f05697
RemcosRAT
+ 335 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/211121-mm9bcsggd7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Unpacked files
SH256 hash:
310c3775c8dc66678afb21d92e2c48045a8a36584473dbf6bbb8e21eda8ea33c
MD5 hash:
56ff99659c913037c458ed0992ec4a68
SHA1 hash:
9e30db954a019989e2562842648a18b1495a0e6b
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/e66ce5cd-18c0-4c5a-8045-a88b14a17391/
SH256 hash:
449c33f2127c186ec3304d4a6979831b41776c8a09357f2f572f0fd40a2732cf
MD5 hash:
5546bea107b5ae87fef0150aa7f16a84
SHA1 hash:
5517f5968d9b63ba6e58f6307305aef0b90b614d
Link:
https://www.unpac.me/results/e66ce5cd-18c0-4c5a-8045-a88b14a17391/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/449c33f2127c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/449c33f2127c186ec3304d4a6979831b41776c8a09357f2f572f0fd40a2732cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207880/

Comments