MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 491cff43b259addd44a312094b15674d2c33c9ab901500130fead03e7d9d6530. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	491cff43b259addd44a312094b15674d2c33c9ab901500130fead03e7d9d6530
SHA3-384 hash:	e21846cac572282c4afca2b0ee769722d0196d8831092e446f6627baf5131c1600f79739465dfb3631c2bb8091cd8adc
SHA1 hash:	686ca5b3fdb1606769054107783ab4ad49a3acec
MD5 hash:	0c6a22a028ce02e10608bb44b7b4c66f
humanhash:	king-mexico-venus-sad
File name:	SecuriteInfo.com.Artemis0C6A22A028CE.16359
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'528'320 bytes
First seen:	2020-07-10 12:10:52 UTC
Last seen:	2020-07-11 06:55:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	67b246f5bc27b6a1b537c01e50aff789 (3 x RemcosRAT, 3 x AveMariaRAT, 1 x ParallaxRAT)
ssdeep	12288:QdNBlWS3MVbDQmQQSzZEjBcoIdGmYbUxjq:IbvcbDQmQzGjz2GnbC
Threatray	826 similar samples on MalwareBazaar
TLSH	55657D22F2D18537F16A1A79CC4B97A85839BDD33D24EC463BE83D0C5F39681782A197
Reporter	SecuriteInfoCom
Tags:	RemcosRAT

Intelligence

File Origin

# of uploads :

3

# of downloads :

83

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/24388/

Detection(s):

SecuriteInfo.com.Artemis0C6A22A028CE.16359.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/491cff43b259addd44a312094b15674d2c33c9ab901500130fead03e7d9d6530/

Threat name:

Win32.Trojan.RemcosCrypt

Status:

Malicious

First seen:

2020-07-10 10:15:18 UTC

File Type:

PE (Exe)

Extracted files:

75

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Verdict:

malicious

Label(s):

remcos

Similar samples:

308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e

4444f1da7f9b30eb4fb593b9492e42745332402980e118b6a0431c7d1f5670ce

46f44909e841bd865bdebedd53ce89131ab3f50ba949953890d797c7aa041ab5

6916d0f41d35a9142e598496a1e996616b4fad6d15f0f3da7ec9210b6a124586

8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464

a486d1f0ad1fb2729dbbcd5d3606f30566f86abd3f2d5218c11077dfeac95f0e

c046bdf5af7c66114243efcb5f6d33a96456134077dbcf068bf748f3f0229a19

c10cdf38e26339e4373c7e0a9a119381e703c7b8404ce0ed694fb3aae286d9b9

db4bb50f2327328901cc6fff050acb653a059dc905917dcefedccbd8154c13ce

f8185c5af3e891bdb81a646bb410777393f7ba6db6f4fc0727948c4b95264334

+ 816 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

persistence rat family:remcos

Link:

https://tria.ge/reports/200710-dqg9nwg3aa/

Behaviour

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Adds Run entry to start application

Executes dropped EXE

Remcos

Malware Config

C2 Extraction:

karimgoussd.ug:6969
fgdjhksdfsdxcbv.ru:6969

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 491cff43b259addd44a312094b15674d2c33c9ab901500130fead03e7d9d6530

(this sample)

Cape

Cape

https://www.capesandbox.com/analysis/24388/

URLhaus

https://urlhaus.abuse.ch/url/410340/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/410774/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample