MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cff4b2d2ec7a93a5bc6e3a6e1f82524ea97a0f910099013b68d0561ba3ba9e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 4 File information Comments

SHA256 hash:	4cff4b2d2ec7a93a5bc6e3a6e1f82524ea97a0f910099013b68d0561ba3ba9e4
SHA3-384 hash:	c51934864e95cb73939e659afb5738baee87232837ead3d0fd23d0ad89b7e0b77ac31a72524ac030e5c91e4e0f99a917
SHA1 hash:	44c6b9609ee29134c566b93bfd121fd7de4af6c0
MD5 hash:	e10e97b2bed5c11cf9b2bdd523f88855
humanhash:	pip-saturn-sad-moon
File name:	doc2198754329.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	411'472 bytes
First seen:	2021-06-18 00:41:38 UTC
Last seen:	2021-06-18 01:50:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:ZWzmsLUqR0w/6yFXCWZAv88fWOQeYnghAH:XqeYfCdWrebU
Threatray	1'977 similar samples on MalwareBazaar
TLSH	5D941246F7871861E8960A3125BBCD004B30BF19AB53D17B76A871274FB338F62E8659
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
172.94.44.156:2404

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
172.94.44.156:2404	https://threatfox.abuse.ch/ioc/135599/

Intelligence

File Origin

# of uploads :

# of downloads :

158

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

doc2198754329.exe

Verdict:

Malicious activity

Analysis date:

2021-06-18 00:51:09 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/613a1be8-1e15-4154-b701-141d1253829e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/166677/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46506734.723.1146.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NanoCoreRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/46f331fe-9651-4ff4-9dd7-7a46c2bbd578

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/804043

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to capture and log keystrokes

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates an undocumented autostart registry key

Detected Remcos RAT

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/4cff4b2d2ec7a93a5bc6e3a6e1f82524ea97a0f910099013b68d0561ba3ba9e4/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-06-18 00:42:16 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jt7uwljoy6utuw6g4otod6bfetvjpihzcaezae5wrucwdor3vhsa._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

10c5df44b26355f12a62e1243923e9156150f7c86c0ee0f0b25555fae9fca5bd

RemcosRAT

3ce969a94f4bc8dec526e3551626d7e3639bae986304deba85e8f29f039fe345

RemcosRAT

5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4

RemcosRAT

5f4e4a43a01b235d781c6888198b18750529dda9fc4727727940115090e06a6d

RemcosRAT

753883fa972dda966abb3adad3cfc94f0a82ca128d1908df58bac3ba93e60bd3

RemcosRAT

762d689595557fa3064907433659411b95132e554f7d17fcf62d1a77db51e3e5

RemcosRAT

aad53b1b6e50e7ee426f0790b5497cb7d63704a6775248f258db1263762761bb

RemcosRAT

ac7d008a3ac44bc8dfe3edbbc8542ed5b51bcf911b67eb8e9a715ebb5250ad27

RemcosRAT

ce4962d3126223b4bd68704159cbdc7479fb2df4263fb9f3d57492e770b74a94

RemcosRAT

+ 1'967 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:host persistence rat

Link:

https://tria.ge/reports/210618-6n5jceej3e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Modifies WinLogon for persistence

Remcos

Malware Config

C2 Extraction:

metx.duckdns.org:2404

Unpacked files

SH256 hash:

1117de381eb11350fdfec5ebb6dd1d705d215ff3ad2db896c9e520dc6adf985f

MD5 hash:

5c8e369f7b1d847f12ae94b263a9ecc7

SHA1 hash:

8b92fbd4eb36567645ba02b50925f8643b32b3b4

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/32795499-b0f7-447c-a7a0-2804945ac301/

SH256 hash:

9675d06c71fdee31e69ab2bf9838c88638b6aa0969d44ec1e285a108bee9c2e4

MD5 hash:

fa9045bcbb237d7f623bccef67296580

SHA1 hash:

76192c6256bdb75c781ebeec6ad81bccc7dc4269

Link:

https://www.unpac.me/results/32795499-b0f7-447c-a7a0-2804945ac301/

SH256 hash:

fa1f380dbddf7c30e55e55f025bd0e612a538c8d3915fdd719bd38788e7f4e21

MD5 hash:

c6bfe66e97d8e29771738d6b10f6ca8e

SHA1 hash:

589e5d867072956cb736eb9c2ece6d5393ed2c3f

Link:

https://www.unpac.me/results/32795499-b0f7-447c-a7a0-2804945ac301/

SH256 hash:

4cff4b2d2ec7a93a5bc6e3a6e1f82524ea97a0f910099013b68d0561ba3ba9e4

MD5 hash:

e10e97b2bed5c11cf9b2bdd523f88855

SHA1 hash:

44c6b9609ee29134c566b93bfd121fd7de4af6c0

Link:

https://www.unpac.me/results/32795499-b0f7-447c-a7a0-2804945ac301/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4cff4b2d2ec7a93a5bc6e3a6e1f82524ea97a0f910099013b68d0561ba3ba9e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_0c15be4a15bb0903c901b1d6c265302f Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/166677/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample