MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ce84e35cdb6590c162cd421a8a281385bc9195fb4ce3e2e589280ca8903d3b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	5ce84e35cdb6590c162cd421a8a281385bc9195fb4ce3e2e589280ca8903d3b6
SHA3-384 hash:	54e860e0856ca41968c5a3e9875447e1d6d269c3a1c5fd8e84cfbcba397518030b9c97b23569e32bbcd7a5b8c56ecf50
SHA1 hash:	56408f6cb5358a97491db1e603dec7978b0a5d16
MD5 hash:	04ce1985069a7555f99d8aaa3e8ce4b2
humanhash:	triple-london-sad-kansas
File name:	Nouvel Ordre - p31010_20200401_14_31,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	642'048 bytes
First seen:	2021-09-01 14:05:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b22795c7c5933bf88ce6268fbff58dd7 (5 x RemcosRAT, 1 x Formbook, 1 x AveMariaRAT)
ssdeep	12288:ddKKG7bKBAsmMmkTPO+1xbeinq25zff/m/nPsilqj5:dLyshiWzxEgzff/6nJm5
Threatray	528 similar samples on MalwareBazaar
TLSH	T17FD46C11FAD3547BF26A6F788F9666ACF82A3E911A39D1CA3D971C0C2F745C010277A1
dhash icon	daebe9240804a462 (7 x RemcosRAT, 1 x Formbook, 1 x AveMariaRAT)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Nouvel Ordre - p31010_20200401_14_31,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-09-01 14:14:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e38deb05-9beb-446a-a764-2276c747cc3f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/184484/

Detection(s):

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Deleting a recently created file

Launching a process

Creating a file in the %AppData% subdirectories

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/23ec99a7-b169-4e78-a8d0-2cbe425c9b31

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/843385

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Firefox passwords or cookies

Creates a thread in another existing process (thread injection)

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ce84e35cdb6590c162cd421a8a281385bc9195fb4ce3e2e589280ca8903d3b6/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2021-09-01 14:05:14 UTC

AV detection:

30 of 43 (69.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ltue4nonwzmqyfrm2qq2riubhbn4sgk7wthd4lsyskamvcid2o3a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

864081d9870b1b81cb2c750b630a828b191f7c664790c54115a8033351f50ea1

RemcosRAT

8d076437949873b971f9534e630ebe26a8437f50786c430eaeb46c71d53a88e5

RemcosRAT

8dd453814cc59ecb7918da706244b3e8aacc66146b9ff80bcad195e066464139

RemcosRAT

af8ee88bf85615f2c305ce230560485be949dbb7355640e0498bf93f154df714

RemcosRAT

bf0cc4fd655e77d8b634ad0f7de607e8bda88034910511e120dafc86d96fd8df

RemcosRAT

e156425f76efbe5cdf1494564b1328f13b2284791e591961077d387329b024e1

RemcosRAT

efb8a01422e4878a75c28f13b9607184285834d20e5301c870b373db744d7c0b

RemcosRAT

+ 518 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:global_new persistence rat

Link:

https://tria.ge/reports/210901-4l413p1hls/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

godisgood247.duckdns.org:6397

Unpacked files

SH256 hash:

4e1202f3e7e04b0b3ca1df164bf5381f24063c142317e774d4e5d88b2b3ac744

MD5 hash:

aa23dee2c34813d67fe9c67ec784782a

SHA1 hash:

10b2e7af7cb9d6f852e6d607875a8c9613538930

Link:

https://www.unpac.me/results/ea0f0982-a328-471e-b86c-58f8f4170717/

SH256 hash:

5ce84e35cdb6590c162cd421a8a281385bc9195fb4ce3e2e589280ca8903d3b6

MD5 hash:

04ce1985069a7555f99d8aaa3e8ce4b2

SHA1 hash:

56408f6cb5358a97491db1e603dec7978b0a5d16

Link:

https://www.unpac.me/results/ea0f0982-a328-471e-b86c-58f8f4170717/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/5ce84e35cdb6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ce84e35cdb6590c162cd421a8a281385bc9195fb4ce3e2e589280ca8903d3b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/184484/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample