MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45f3e6d6f40de19bca584dfafdfac7a3f5fb9b481717a0997d9f9c2d78d58fad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45f3e6d6f40de19bca584dfafdfac7a3f5fb9b481717a0997d9f9c2d78d58fad
SHA3-384 hash: bd0a2b842bbd507566b4f23a4f1d99745a4d803fcab4aab118a7d2d2bae998452fdb2b1590d4c7b1cb4f089be9c0fc4d
SHA1 hash: dbae83dda1b3f3112fad3d443d36181c3161362c
MD5 hash: 84a0c62e8cf9fa26ca0d446d8883cf20
humanhash: angel-fish-two-tennis
File name:MV GENCO RESOLUTE VOY 1.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:725'504 bytes
First seen:2021-05-10 08:00:36 UTC
Last seen:2021-05-10 10:54:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:57Q582orkooLLoS60/K7yh0Kc9EHTz2WHdApYSojay9z5aiqXL6ZVoJB:i582orkooLAJEHn2IAppoj79zX76
Threatray 1'769 similar samples on MalwareBazaar
TLSH A2F45BAC715459F1D36B1E7663CF1C0243652174683BEA0E8FA013FA5A67F172E3898E
Reporter GovCERT_CH
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/153827/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.43091.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/777227
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/45f3e6d6f40de19bca584dfafdfac7a3f5fb9b481717a0997d9f9c2d78d58fad/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 01:49:51 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ixz6nvxubxqzxssyjx5p36whup27xg2ic4l2bgl5t6oc26gvr6wq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
023946cb10325407c30c9ec45ecd241d5e0e3f9ebaeffe2ab12f8cd5f0646013
RemcosRAT
3ce969a94f4bc8dec526e3551626d7e3639bae986304deba85e8f29f039fe345
RemcosRAT
5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4
RemcosRAT
5f4e4a43a01b235d781c6888198b18750529dda9fc4727727940115090e06a6d
RemcosRAT
753883fa972dda966abb3adad3cfc94f0a82ca128d1908df58bac3ba93e60bd3
RemcosRAT
753cc07b3d3e9d5cc44061f9f5b2933d2e1f7f18155f9c17346592e254eab0c2
RemcosRAT
762d689595557fa3064907433659411b95132e554f7d17fcf62d1a77db51e3e5
RemcosRAT
aad53b1b6e50e7ee426f0790b5497cb7d63704a6775248f258db1263762761bb
RemcosRAT
ac7d008a3ac44bc8dfe3edbbc8542ed5b51bcf911b67eb8e9a715ebb5250ad27
RemcosRAT
ce4962d3126223b4bd68704159cbdc7479fb2df4263fb9f3d57492e770b74a94
RemcosRAT
+ 1'759 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210510-vczft3tg6j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
185.244.26.244:5888
10.26.244.6:5888
Unpacked files
SH256 hash:
74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash:
b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash:
f0416867c2b114789620b318051f1fa390b07eae
Link:
https://www.unpac.me/results/af3fed8b-5d9b-4ea1-aa65-381379a19c74/
SH256 hash:
00a1955e05bf81d282de17b74be811ce0d4dd4bc27a55372a48e6c2967a21bc0
MD5 hash:
fefa0b240ec254a8ca8d3598d10874f1
SHA1 hash:
528aa597e6e618ff4fa6c49896ce13e104f9ba43
Link:
https://www.unpac.me/results/af3fed8b-5d9b-4ea1-aa65-381379a19c74/
SH256 hash:
f41be4b0b5935218fd9e6a5495219dd444e90c4a73842e8049c6024a052097e9
MD5 hash:
6ca3f961ecbc3affa0e6714ec79237a6
SHA1 hash:
178240e118eb1e7e4289a6c21ccc4c18c77b56ba
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/af3fed8b-5d9b-4ea1-aa65-381379a19c74/
SH256 hash:
45f3e6d6f40de19bca584dfafdfac7a3f5fb9b481717a0997d9f9c2d78d58fad
MD5 hash:
84a0c62e8cf9fa26ca0d446d8883cf20
SHA1 hash:
dbae83dda1b3f3112fad3d443d36181c3161362c
Link:
https://www.unpac.me/results/af3fed8b-5d9b-4ea1-aa65-381379a19c74/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45f3e6d6f40de19bca584dfafdfac7a3f5fb9b481717a0997d9f9c2d78d58fad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 45f3e6d6f40de19bca584dfafdfac7a3f5fb9b481717a0997d9f9c2d78d58fad

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/153827/

Comments