MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46f9b3a73b2ef17c7ace714e6b69b02e444096fb395d85e3b3220ed13d060a48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46f9b3a73b2ef17c7ace714e6b69b02e444096fb395d85e3b3220ed13d060a48
SHA3-384 hash: 3c917f6a0037ba5903ed27f88dfc0e35c7f93236aea84cf0ee2ef056ef1dae218664e3acf04a67c2778cb3e493585e50
SHA1 hash: 0f27e8e24c40de4df8d6f50634c7aba117679f7a
MD5 hash: 46580314ad41ee9c33eea70fd336f9d1
humanhash: diet-blossom-johnny-earth
File name:drivers_check.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'456'640 bytes
First seen:2021-01-01 18:47:50 UTC
Last seen:2021-01-01 20:42:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ec4d0cb36c27bab38f41ffb84797488 (1 x RemcosRAT)
ssdeep 24576:BiDA2fwduM0v4LHqHEwrk7TGuuuENtPoH+mWMXw1mpg1y:BiDsdqyauuuFHAIJa
Threatray 1'328 similar samples on MalwareBazaar
TLSH 6F653AD26DDD48FBC06A16344D1BA6A5552BFEBC3A2045DBA7E01C0CDB393C178352AB
Reporter o2genum
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
drivers_check.exe
Verdict:
Malicious activity
Analysis date:
2021-01-01 18:50:25 UTC
Tags:
installer
Link:
https://app.any.run/tasks/5e639018-6731-4a4c-98cb-9ab4e9d50246

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110231/
Detection(s):
PUA.Win.Packer.BorlandCpp-9
Create hunting rule

PUA.Win.Adware.Webalta-6862190-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the %temp% directory
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/572812
Signature
Contains functionality to detect sleep reduction / modifications
Found potential dummy code loops (likely to delay analysis)
Hijacks the control flow in another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/46f9b3a73b2ef17c7ace714e6b69b02e444096fb395d85e3b3220ed13d060a48/
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
17a87ce9f1b198eb1dacc4dde36af67169515d41b322d6bcbaf1861f2d812d39
RemcosRAT
44eb61ad9603cc802e8a59f356dadedf4be9dc315862a9bb2eddec1bcc9288a8
RemcosRAT
4f718a40662228b1b5efca4664eb07f6d1918b62bc8b29598410d1dc5bb76c70
RemcosRAT
622a12c9935eb8f0cfa499bb445642a837fa150a161e5393f7a1d759e6f94f02
RemcosRAT
891c233cff0f39e408dea777835b5a9de9169152c7778d37bbd443d55cae18de
RemcosRAT
98d8bbdf43367821e74fd0c26f5bdda07fe9a750476cce1bb0df88c5aa18b745
RemcosRAT
b3220a05f0d1fbd5739d07701d1ba84373f9574f0904a464395fcf63246dd1ed
RemcosRAT
bc8513a74ddfc1a9a78fbdbf39d90a61d59819dfb116846daf730693622c3c69
RemcosRAT
be9005c3def853773256e54e0d8f307a7cd323fa0e86b4691c6e8619b9632afd
RemcosRAT
d4acc0dd3b974dde3fce2ec192c8013e8ec975a71cd6ea9d805cc1992a5930ec
RemcosRAT
+ 1'318 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210101-qw3stjsds2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
5.61.56.10:9003
Unpacked files
SH256 hash:
46f9b3a73b2ef17c7ace714e6b69b02e444096fb395d85e3b3220ed13d060a48
MD5 hash:
46580314ad41ee9c33eea70fd336f9d1
SHA1 hash:
0f27e8e24c40de4df8d6f50634c7aba117679f7a
Link:
https://www.unpac.me/results/28123548-3a06-4465-bf99-073388af2f8d/
SH256 hash:
c7fbdc61eb62c05e40295617e2db75877672931f751a770d2629e6eab6075f2c
MD5 hash:
abf6c724b20844d5b0073988a58faf1e
SHA1 hash:
7a8269d5b2ae623f8148ce9863f48f7e12ce036b
Link:
https://www.unpac.me/results/28123548-3a06-4465-bf99-073388af2f8d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46f9b3a73b2ef17c7ace714e6b69b02e444096fb395d85e3b3220ed13d060a48

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 46f9b3a73b2ef17c7ace714e6b69b02e444096fb395d85e3b3220ed13d060a48

(this sample)

anyrun
any.run
https://app.any.run/tasks/8b616447-ae31-4b5f-ad75-2131f93306de
  
Link
https://blockchain-media.org/en/overdriventool/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/110231/

Comments