MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4860f15c7870ac1d09c5aad7e6754eb34afd4b0f6341fd452049257513951ffe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 8 File information Comments

SHA256 hash:	4860f15c7870ac1d09c5aad7e6754eb34afd4b0f6341fd452049257513951ffe
SHA3-384 hash:	007ea69d0007554ae03482a5edb29f9cfe4cc8d2aab4d6899c54671a564fd853451399a8b0098ec618ebf867e6c67d57
SHA1 hash:	09608001831266a6f377394b24bae15e6897a870
MD5 hash:	3adf81d1c179df8cf6f3b81bb8c88063
humanhash:	eighteen-three-jersey-hot
File name:	RFQ - QT-2110-300-280302 - (DWG.NO-CV-03) -RI.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	905'216 bytes
First seen:	2021-10-05 07:31:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:Owa07x3QZMTUJgY4W3jcHd9CfKMGxz7+azQsH68+iDgTdTa4BEMoWLq3wRSSML5M:1a238Jg7vv1Xa8+iDePEMQ
Threatray	1'635 similar samples on MalwareBazaar
TLSH	T1FD15E1AC3A53349DED66C1B6DD586CB0A6697C62231BC52340D33D98797CAEADF000F6
File icon (PE):
dhash icon	c088696161692b23 (4 x AgentTesla, 2 x SnakeKeylogger, 1 x CoinMiner)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
212.193.30.51:24133

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
212.193.30.51:24133	https://threatfox.abuse.ch/ioc/230450/

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RFQ - QT-2110-300-280302 - (DWG.NO-CV-03) -RI.exe

Verdict:

Malicious activity

Analysis date:

2021-10-05 07:34:20 UTC

Tags:

trojan rat remcos

Link:

https://app.any.run/tasks/107be6a1-7099-474a-84aa-7cca4e1efb15

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/194926/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615c06a2e3d213d202b76e38/reports/9dbd0edb-aa5f-4bd7-a638-89f8d1b9c0d4/overview

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4fb80964-6048-48b7-a204-eafd801ad29f

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/864537

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/4860f15c7870ac1d09c5aad7e6754eb34afd4b0f6341fd452049257513951ffe/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-05 03:21:03 UTC

AV detection:

13 of 44 (29.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jbqpcxdyocwb2cofvll6m5kownfp2sypmna72rjajesxke4vd77a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

13e6341cacb27fdd36b2ce19395dbb02947f0c917b6fd10447f1d6381d51b7d4

RemcosRAT

2eb44403d1de2a792569f63907f746809e3d4e35fccf689c2e637f77df79254c

RemcosRAT

7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30

RemcosRAT

91e8ea3e431c0ad9faf6dfe01eb29e4834940054379deb8b657d9cbe23e91682

RemcosRAT

a3faa214333ce59ed895410e011c4cbd44fe51b26ed5bf2a0ed54e225616f893

RemcosRAT

b56242ce9875402fca36f6d831072462bcf7b0996c2a98d048455459485ade1d

RemcosRAT

b67741cbd39464c7526c9cda83175c342aaba91fb990dd96d60083d028f00228

RemcosRAT

e6930000e13aa3deafe16f78fcfca8e6276e18ba6a252b8045dfaf570f044328

RemcosRAT

+ 1'625 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:reed rat

Link:

https://tria.ge/reports/211005-jc1ppahdd3/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Remcos

Malware Config

C2 Extraction:

ezfax2021.home-webserver.de:24133

Unpacked files

SH256 hash:

3eee0b9b0ad59bbce6e6002c5099f0d0b75ebdf12ead209383f595da170e2b19

MD5 hash:

3df180b55697bfd152dccc19a47be3ac

SHA1 hash:

91e8caabcba63e272ffe9c013443afc3b96d915f

Link:

https://www.unpac.me/results/5fcfa5f4-abfe-44fa-a71d-85c24f67875d/

SH256 hash:

82203a0aa285e1c901e54c9be13c77882e2dd4beedca5ccb80b89918b7a8952a

MD5 hash:

720943404516b6fb057dfc5daacf6e3e

SHA1 hash:

662bebef2c8676f638c5dfe43186154220c8bb4f

Link:

https://www.unpac.me/results/5fcfa5f4-abfe-44fa-a71d-85c24f67875d/

SH256 hash:

2a31a746124c66e5959e23a4a2adc389f3b815ff7af87172272ce23a28616243

MD5 hash:

e3107d5bcdfa213a7480d5f439e5bd00

SHA1 hash:

4a9c19c03d5c3cfd08c9e7f3b528b9e115f09c74

Detections:

win_remcos_g0

Link:

https://www.unpac.me/results/5fcfa5f4-abfe-44fa-a71d-85c24f67875d/

Parent samples :

4860f15c7870ac1d09c5aad7e6754eb34afd4b0f6341fd452049257513951ffe
978567f9e1c96845ed398ae0a75445a68cea415395c1df41cfeb673bf4ca57a6
05bcd7e7ff6fe673b2238b5b62e08c01ff5cc5fd4da38aaa97279d2889a1149b

SH256 hash:

fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03

MD5 hash:

c380b6831f456ac5cac08c78c0e4dada

SHA1 hash:

3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c

Link:

https://www.unpac.me/results/5fcfa5f4-abfe-44fa-a71d-85c24f67875d/

SH256 hash:

4860f15c7870ac1d09c5aad7e6754eb34afd4b0f6341fd452049257513951ffe

MD5 hash:

3adf81d1c179df8cf6f3b81bb8c88063

SHA1 hash:

09608001831266a6f377394b24bae15e6897a870

Link:

https://www.unpac.me/results/5fcfa5f4-abfe-44fa-a71d-85c24f67875d/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4860f15c7870/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4860f15c7870ac1d09c5aad7e6754eb34afd4b0f6341fd452049257513951ffe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/194926/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample