MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5032fd3fd02f8b279c106fd0796d65d1451ff03b3bb83449241a6e3fd4a0126b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 8 File information Comments

SHA256 hash:	5032fd3fd02f8b279c106fd0796d65d1451ff03b3bb83449241a6e3fd4a0126b
SHA3-384 hash:	250169b3336166d450afab80d244f2edb7b0f6c43888c6d1db49f4e3ac506ba8ecd90d0e8d38970c3cb69507b62345cb
SHA1 hash:	32bd71aaa32d7cee7e37e947b6cc6a5dda9fb636
MD5 hash:	de034ad18c1b13a726ef98edb878071e
humanhash:	whiskey-moon-kansas-illinois
File name:	Urgent RFQAP65425652032421,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	642'048 bytes
First seen:	2021-09-27 14:17:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b22795c7c5933bf88ce6268fbff58dd7 (5 x RemcosRAT, 1 x Formbook, 1 x AveMariaRAT)
ssdeep	12288:ddKKG7bKBAsmMmkTPO+vxbeinq25zff/m/nPsilqj5:dLyshiW9xEgzff/6nJm5
Threatray	704 similar samples on MalwareBazaar
TLSH	T189D48D9EAB9181BEC01625F99CFA725D3449BF2912699C073BD9DC0DBF342467836383
dhash icon	daebe9240804a462 (7 x RemcosRAT, 1 x Formbook, 1 x AveMariaRAT)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
185.140.53.130:6642

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.140.53.130:6642	https://threatfox.abuse.ch/ioc/227067/

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Urgent RFQAP65425652032421,pdf.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-27 14:25:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/79bb7604-2d97-4eb6-b152-8079393c6eea

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/192159/

Detection(s):

SecuriteInfo.com.Trojan.Siggen15.4023.11565.32694.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Malware family:

SpamSoldier

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/deed28ea-aeaa-4d2d-b1ef-8179aec87838

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/859060

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5032fd3fd02f8b279c106fd0796d65d1451ff03b3bb83449241a6e3fd4a0126b/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2021-09-01 16:27:29 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kazp2p6qf6fsphaqn7ihs3lf2fcr74b3ho4disjedjxd7vfacjvq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

83b94c2312c673c3edf7eb5743019777252ec8dc71d16f885f41f83abb1ef2d5

RemcosRAT

88b1766ff9c749387b51b47bde3e387393a01d10133a04c5afb763fd9670926a

RemcosRAT

9b230ecb2de41faed1f6977799a2e7e03f4411fefbcf2e8b2e92a989f6bdd685

RemcosRAT

9f0c13034df95e3af02c98c025e517e4648c5a229217533f936cf811f61995e9

RemcosRAT

a3dbda9e244c0a7a63e9d669c838c9c290fd8bca5b1d35fa7add5a1950f578bd

RemcosRAT

a9584f63d38c2dec8fa79a9f0e1d9d2c30d8afdd84bea99e2139ff65898f0df8

RemcosRAT

c051b0ccdcb1d71dd1178412de70ad5f240a4f97ada53a54add41e1aadbe7694

RemcosRAT

+ 694 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/210927-rma6sahbg8/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

4e1202f3e7e04b0b3ca1df164bf5381f24063c142317e774d4e5d88b2b3ac744

MD5 hash:

aa23dee2c34813d67fe9c67ec784782a

SHA1 hash:

10b2e7af7cb9d6f852e6d607875a8c9613538930

Link:

https://www.unpac.me/results/86d6579c-c8a0-4226-9d6a-d67a18f78880/

SH256 hash:

5032fd3fd02f8b279c106fd0796d65d1451ff03b3bb83449241a6e3fd4a0126b

MD5 hash:

de034ad18c1b13a726ef98edb878071e

SHA1 hash:

32bd71aaa32d7cee7e37e947b6cc6a5dda9fb636

Link:

https://www.unpac.me/results/86d6579c-c8a0-4226-9d6a-d67a18f78880/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.64

Link:

https://yomi.yoroi.company/submissions/5032fd3fd02f8b279c106fd0796d65d1451ff03b3bb83449241a6e3fd4a0126b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/192159/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample