MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56fee643ba39ac908309688827397099ca6b707c45154eb14da1b693f6b16571. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 5



SHA256 hash: 56fee643ba39ac908309688827397099ca6b707c45154eb14da1b693f6b16571
SHA3-384 hash: 2cc2a894528df1cbcc5c07e226c96dd8ae0a6428aa7212dacc74418fd7762e93b5d7f090c46b02bc13fadf5ad2291056
SHA1 hash: f07aef2c9ac3d8e125222f9229ff8f7acf31f7f9
MD5 hash: 1fc032b7d0d6313d95f8423da1f379eb
humanhash: potato-nitrogen-alanine-nevada
File name: 56fee643ba39ac908309688827397099ca6b707c45154eb14da1b693f6b16571
Signature: RemcosRAT
File size: 4'955'680 bytes
First seen: 2020-06-17 08:46:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep: 98304:u2cPK1a4f2cPK1a4O2cPK1a4f2cPK1a482cPK1F:hCKECKTCKECKFCKj
Threatray: 784 similar samples on MalwareBazaar
TLSH: F8369C0273D1C036FFABA2739B6AF24156BD79354123852F13982D79BD701B2272E663
Reporter: JAMESWT_WT

Intelligence


File Origin
# of uploads: 1
# of downloads: 70
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-06-17 00:26:36 UTC
File Type: PE (Exe)
Extracted files: 128
AV detection: 30 of 31 (96.77%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: rat family:remcos persistence
Behaviour
Suspicious use of SetWindowsHookEx
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Adds Run entry to start application
Loads dropped DLL
Drops startup file
Executes dropped EXE
Remcos
Malware Config
C2 Extraction: 213.208.129.213:137

File information


The table below shows additional information about this malware sample such as delivery method and external references.
