MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fdecb2c511ec2b584766991bc2126ae802ed2618a80a227046df5379f12e745. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fdecb2c511ec2b584766991bc2126ae802ed2618a80a227046df5379f12e745
SHA3-384 hash: 049cbaf9994303b34dedc4756c0556e1f79c067b8cab31221a9ddfd7cbc24ef9d416e539299635747273246c7f6c8b35
SHA1 hash: 6cb696d2e19686f3a3f7cf8e8682439d717c23bc
MD5 hash: 057232dd82dfcfa30b91feeda42d9444
humanhash: hot-carbon-montana-mars
File name:1.5% commission.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:379'392 bytes
First seen:2021-01-12 18:13:03 UTC
Last seen:2021-01-12 19:49:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 65b6f29d4b19d390b176b88cd5b7966d (5 x RemcosRAT, 1 x Formbook, 1 x MassLogger)
ssdeep 6144:hLSPZBGNImhXwXZtBIVvD658edbFgtpTbWVYllJI5:WBPp7YvD65upTbWVuC
Threatray 1'563 similar samples on MalwareBazaar
TLSH 7384D5DE12F1106BD11849B4A959BFE015A1ECB87B52C256BE40FCCEBE723E154622F3
Reporter abuse_ch
Tags:exe RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gmkey.mywire.org
Sending IP: 23.254.227.72
From: Rebecca F. Precia <rebecca@wjhuis.top>
Subject: Order 1.5% commission added
Attachment: 1.5% commission.7z (contains "1.5% commission.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
38c251b9-4111-4734-b129-59ed39d26374
Verdict:
Malicious activity
Analysis date:
2021-01-12 18:24:32 UTC
Tags:
rat remcos trojan keylogger
Link:
https://app.any.run/tasks/175501d4-38ae-41db-a0cb-0c09fca826ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111597/
Detection(s):
SecuriteInfo.com.Artemis057232DD82DF.28046.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Creating a file in the %AppData% subdirectories
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/579349
Signature
Antivirus / Scanner detection for submitted sample
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5fdecb2c511ec2b584766991bc2126ae802ed2618a80a227046df5379f12e745/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-01-12 18:13:18 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l7pmwlcrd3bllbdwngi3yijgv2ac5utbrkakejyenx2tphys45cq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
00b65900131d5d5cac9d48c65ff2e53677418d7c50f0c09480af43e80845bef3
RemcosRAT
0854f5df5291e4abbcf7cc57f29b3148007ede15c53f61244f9dfefb9669dc96
RemcosRAT
3a11a9e7276e2d3d9fccd3f6e5a5b46ea9e9fb82946ef89a3f5dc8ca9a243b70
RemcosRAT
5af5665fcaf756eec2ab43c07645c814438102dba39e782a030025635a8fb713
RemcosRAT
6da5a41c6dd6f0ddc638a3bccceeae8132814f605971a2f9eb1af58040f60eb8
RemcosRAT
7938ab5a2e1c4eaf450a144c2d451cfab20feddb85eec8310f14fefebe09e953
RemcosRAT
816f26e5b5de1be644fff419718bc3e1b8410a4a9a9f405d8db814e7758608d9
RemcosRAT
b67361c9d7c2bcbe7e94b698f4d5abd1e6ffd96429d2c66dcfd92a573303e4f0
RemcosRAT
bfe8692e2e6e89e7d77482f315a22b3679e511e50eab20ba852cabc06dc4e5fa
RemcosRAT
e7c74f89332dcf4bf0ebaa50d960a8c82a521ca2c9608ecbb13e719e9744b5ca
RemcosRAT
+ 1'553 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210112-a4t28ynj8n/
Behaviour
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Remcos
Unpacked files
SH256 hash:
5fdecb2c511ec2b584766991bc2126ae802ed2618a80a227046df5379f12e745
MD5 hash:
057232dd82dfcfa30b91feeda42d9444
SHA1 hash:
6cb696d2e19686f3a3f7cf8e8682439d717c23bc
Link:
https://www.unpac.me/results/caa5f30a-9957-4e63-9401-595db20ffe7a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.66
Link:
https://yomi.yoroi.company/submissions/5fdecb2c511ec2b584766991bc2126ae802ed2618a80a227046df5379f12e745

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

7z 3ad73cf6be49258269681ee9443b8e6058299dc13a0f9018f23d191da78bf6a4

RemcosRAT

Executable exe 5fdecb2c511ec2b584766991bc2126ae802ed2618a80a227046df5379f12e745

(this sample)

  
Dropped by
MD5 045d7456fc9126ffdec64f300d058453
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111597/
  
Dropped by
SHA256 3ad73cf6be49258269681ee9443b8e6058299dc13a0f9018f23d191da78bf6a4

Comments