MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54c80a5fe7948807fd8565063162970030d9e672de950878bf746dc21dd79c58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 54c80a5fe7948807fd8565063162970030d9e672de950878bf746dc21dd79c58
SHA3-384 hash: 597cef40e2c47af3765feecd41a8afc7f5730401bf9404a727496f49ea9482e44fd6fe7ebe51d5c9a6da8b2470185087
SHA1 hash: b5928f5589ea65de468b1bdf71b1c89e2fea73f3
MD5 hash: eb820273af291486bd54f63681925424
humanhash: double-three-fish-jig
File name: 54c80a5fe7948807fd8565063162970030d9e672de950878bf746dc21dd79c58
Download: download sample
Signature: RemcosRAT
File size: 1'163'264 bytes
First seen: 2020-06-16 09:29:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: afcdf79be1557326c854b6e20cb900a7
ssdeep: 24576:iAHnh+eWsN3skA4RV1Hom2KXMmHa68a111CH7u+SUj4UtC5:lh+ZkldoPK8Ya68aBCbdkb
TLSH: A035BE0273D1C036FFABA2739B6AF60556BC79254123852F13982DB9BD701B1237E663
Reporter: @JAMESWT_MHT
Tags: RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 20
Origin country: IT

Mail intelligence
No data

Vendor Threat Intelligence
Gathering data
Threat name: Win32.Trojan.Predator
Status: Malicious
First seen: 2020-06-13 16:37:14 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5

Result
Malware family: remcos
Score: 10/10
Tags: rat family:remcos
Behaviour:
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Drops startup file
Remcos

Malware Config
Extraction (C2 hosts recovered from the sample's configuration):
boot.awsmppl.com:2266
coolta71.com:2266
coolta1.xzy:2266
coolta2.xzy:2266
coolget1.xzy:2266
coolcc1.xzy:2266

Yara Signatures


Rule name: ach_RemcosRAT
Author: abuse.ch

Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_remcos_g0
Author: Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information


The table below shows additional information about this malware sample, such as delivery method and external references. No additional information has been recorded for this entry.

Comments