MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60119cfc3cd6b63295c163fad7ab43949d62d5ed6bb024cd3054a2c64e8339c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	60119cfc3cd6b63295c163fad7ab43949d62d5ed6bb024cd3054a2c64e8339c7
SHA3-384 hash:	5a0546f2e332660226707f4e574205503480882f7b1f80f6eb02f18b5ef219c09e1007328ea49d03b4aad09e873af99c
SHA1 hash:	8dde953e501af236d8be98dbf6d683fda458ba38
MD5 hash:	1982963b64d323f39033d40641437595
humanhash:	magazine-iowa-william-diet
File name:	USD35900.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	856'336 bytes
First seen:	2021-01-18 16:25:53 UTC
Last seen:	2021-01-18 18:24:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7dc63884fd11920a617a7dccbce258fe (3 x RemcosRAT, 1 x NetWire)
ssdeep	12288:Ps3/7rrM09fj4J5ybH/dGesLNDH+XFaqFV681o:PsnreJ5alkV+8So
Threatray	1'568 similar samples on MalwareBazaar
TLSH	24056C22E5994773C1221ABD5C27E6696834BF4C7928540F37E43D088F762B2392DE6F
Reporter	James_inthe_box
Tags:	exe RemcosRAT

Code Signing Certificate

Organisation:	Binance Holdings Limited
Issuer:	DigiCert EV Code Signing CA
Algorithm:	sha1WithRSAEncryption
Valid from:	Sep 21 00:00:00 2020 GMT
Valid to:	Sep 29 12:00:00 2021 GMT
Serial number:	0D07705FA0E0C4827CC287CFCDEC20C4
Thumbprint Algorithm:	SHA256
Thumbprint:	1A5CD6196FDA7248AE332FB84F349CFC0171822C1B73295F23A424B4997762C3
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

USD35900.exe

Verdict:

Malicious activity

Analysis date:

2021-01-18 16:26:50 UTC

Tags:

trojan rat remcos

Link:

https://app.any.run/tasks/da7d40b0-d84b-41d5-85cf-9457890c85e6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/114535/

Detection(s):

PUA.Win.Trojan.Generic-6629274-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

Searching for the window

Sending a custom TCP request

DNS request

Deleting a recently created file

Launching a process

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Sending a TCP request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/584003

Signature

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Detected Remcos RAT

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/60119cfc3cd6b63295c163fad7ab43949d62d5ed6bb024cd3054a2c64e8339c7/

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2021-01-18 13:05:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=maizz7b4223dffobmp5npk2dssowfvpnnoycjtjqksrmmtudhhdq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

069f3de8e79399dcc2a0811f2b560b34339c31eed7a465b9c759bd25d5aea17f

RemcosRAT

0d233d14dd5333614b0521a887e1917ab36649531c8aaaf96a3660e72ac8c463

RemcosRAT

21691425c52cf7a77c0e3a65cc1c0c59cb026d5b76e78160ebb8a553f9bbe50c

RemcosRAT

7ad833f9f06a7ebbad69a40515654c8a7a1b3346cf93214e2638e33901133409

RemcosRAT

7f53893a9ce40e497ef34ecfc9c4f493b9d5dd7f989b60ffa248cbf289a1505a

RemcosRAT

a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8

RemcosRAT

a7bba5cba33b4320a78cd057e3cdd5169a86e90f6550e997772f4447549fd729

RemcosRAT

e98459447d40bb2a0917db99a3b9a99f22ee66234bfece9bba40f4fea3851201

RemcosRAT

ec84a8bda79a0fd968138e6eb7bed4da519a44b4f24f30eceae26606bf73d5f0

RemcosRAT

+ 1'558 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos persistence rat

Link:

https://tria.ge/reports/210118-38t985mbgx/

Behaviour

Modifies Internet Explorer settings

Modifies system certificate store

Script User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Adds Run key to start application

Remcos

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

79.134.225.19:2556

Unpacked files

SH256 hash:

60119cfc3cd6b63295c163fad7ab43949d62d5ed6bb024cd3054a2c64e8339c7

MD5 hash:

1982963b64d323f39033d40641437595

SHA1 hash:

8dde953e501af236d8be98dbf6d683fda458ba38

Link:

https://www.unpac.me/results/62115f17-6f7e-456f-89ec-157273b8ea36/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/60119cfc3cd6b63295c163fad7ab43949d62d5ed6bb024cd3054a2c64e8339c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/970631/

Cape

https://www.capesandbox.com/analysis/114535/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample