MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a024542511c7d0a40e8317486b7177eaf71ee355f1731f17bc632731ea814b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

SHA256 hash: 4a024542511c7d0a40e8317486b7177eaf71ee355f1731f17bc632731ea814b0
SHA3-384 hash: 132356296213b24f480cfe819a89076fcc7e9b89d91db6771d7e6be8caae6ba110e391a133063cb378f50b89ee780e2c
SHA1 hash: 0f538bce74d482a4f773c36f64de0f989f2e0ea1
MD5 hash: c8cd2d9e8f9ac669acd4fc594cd7db3a
humanhash: lake-quebec-mississippi-video
File name: c8cd2d9e8f9ac669acd4fc594cd7db3a.exe
Signature: RemcosRAT
File size: 396'800 bytes
First seen: 2020-10-15 10:28:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 6144:9PYx9JWeK2WOFUwPZF/Xdd+adpPPljYUHv+BGgnpVVgszyXtrV7OwBb:9PSWwWOFUwP/TiXtcX77Ow
Threatray: 833 similar samples on MalwareBazaar
TLSH: FA84121F73E6C21ECA7E7BF0A490452D22B19B0330568ED1DDC85CBF129ABF06A5156B
Reporter: abuse_ch
Tags: exe RAT RemcosRAT


abuse_ch
RemcosRAT C2:
160.20.147.120:2404

Intelligence

File Origin
# of uploads: 1
# of downloads: 83
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Connection attempt
Forced shutdown of a system process
Unauthorized injection to a system process

Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100

Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Detected Remcos RAT
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT

Behaviour
Behavior Graph:

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-10-14 23:39:19 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: rat family:remcos

Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext

Remcos
Malware Config
C2 Extraction: 160.20.147.120:2404

Unpacked files
SHA256 hash: 4579697cc882e39030a347c1cc36a0547c3966de5b64aa45f0594069f8951037
MD5 hash: 742c086a5d91f7ff241f0ff3585efe39
SHA1 hash: 0f7b604e4e758c7f7829b68deb8f659a5472f286

SHA256 hash: 2d4a31e1093e4f20e7b2634aa5c93184a89039eef4d84e65005d5a85ecd791d5
MD5 hash: 89ba258fb344eaffc7cb733497a13eeb
SHA1 hash: 62037f073fd70784e00cb8e289d76c06e48d72cd
Detections: win_remcos_g0 win_remcos_auto

SHA256 hash: 4a024542511c7d0a40e8317486b7177eaf71ee355f1731f17bc632731ea814b0
MD5 hash: c8cd2d9e8f9ac669acd4fc594cd7db3a
SHA1 hash: 0f538bce74d482a4f773c36f64de0f989f2e0ea1

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_RemcosRAT
Author: abuse.ch

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: Parallax
Author: @bartblaze
Description: Identifies Parallax RAT.

Rule name: Remcos
Author: JPCERT/CC Incident Response Group
Description: detect Remcos in memory

Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_remcos_g0
Author: Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RemcosRAT
File: Executable exe 4a024542511c7d0a40e8317486b7177eaf71ee355f1731f17bc632731ea814b0 (this sample)

Delivery method: Distributed via web download

Comments