MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092
SHA3-384 hash: a58dfef4463ef1739aa1a51e12771076353bfeb4fac105ae65c4ab2cc6d043864682291cb22ef933e700f479838023ff
SHA1 hash: 12b5d5a2d7d19e3efcd840b173f681acb5b1c497
MD5 hash: 3afbff763b9b7c1d7ee7c7d99ea33bb2
humanhash: glucose-bacon-oscar-batman
File name:3afbff763b9b7c1d7ee7c7d99ea33bb2.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:106'496 bytes
First seen:2021-02-18 06:15:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 28cfb83efbb0b6bd426b66f31651da5c (16 x GuLoader, 1 x RemcosRAT)
ssdeep 1536:PEv/F/F6MF33S7/h/Jk6P612mS6s+Bw+SFg+T2/:k3BSLk1cmSnT2
Threatray 247 similar samples on MalwareBazaar
TLSH B5A3F731B660D8F6D180C8318913F7BC0527BF368849DE6FB98D7A5E1A7B6D29050E1B
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
hsyuwbvxczbansmloiujdhsbnbcgywqauaghxvz.ydns.eu:2009 (192.253.246.136)

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117643/
Detection(s):
SecuriteInfo.com.Variant.Razy.843298.12270.26519.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/611051
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected VB6 Downloader Generic
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 354544 Sample: pWokqkAwi2.exe Startdate: 18/02/2021 Architecture: WINDOWS Score: 100 71 Multi AV Scanner detection for domain / URL 2->71 73 Antivirus / Scanner detection for submitted sample 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 8 other signatures 2->77 11 pWokqkAwi2.exe 1 2->11         started        14 win.exe 1 2->14         started        16 win.exe 1 2->16         started        process3 signatures4 95 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 11->95 97 Tries to detect Any.run 11->97 99 Tries to detect virtualization through RDTSC time measurements 11->99 101 Contains functionality to hide a thread from the debugger 11->101 18 pWokqkAwi2.exe 4 10 11->18         started        103 Hides threads from debuggers 14->103 23 win.exe 6 14->23         started        process5 dnsIp6 53 mtspsmjeli.sch.id 103.150.60.242, 49719, 49724, 49727 PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID unknown 18->53 55 192.168.2.1 unknown unknown 18->55 49 C:\Users\user\AppData\Roaming\win.exe, PE32 18->49 dropped 51 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 18->51 dropped 79 Tries to detect Any.run 18->79 81 Hides threads from debuggers 18->81 25 wscript.exe 1 18->25         started        file7 signatures8 process9 process10 27 cmd.exe 1 25->27         started        29 win.exe 6 25->29         started        dnsIp11 33 win.exe 1 27->33         started        36 conhost.exe 27->36         started        61 mtspsmjeli.sch.id 29->61 105 Tries to detect Any.run 29->105 107 Hides threads from debuggers 29->107 signatures12 process13 signatures14 63 Antivirus detection for dropped file 33->63 65 Multi AV Scanner detection for dropped file 33->65 67 Detected unpacking (changes PE section rights) 33->67 69 6 other signatures 33->69 38 win.exe 2 7 33->38         started        process15 dnsIp16 57 mtspsmjeli.sch.id 38->57 59 hsyuwbvxczbansmloiujdhsbnbcgywqauaghxvz.ydns.eu 192.253.246.136, 2009, 49725, 49726 LEASEWEB-USA-NYC-11US United States 38->59 83 Tries to detect Any.run 38->83 85 Hides threads from debuggers 38->85 87 Injects a PE file into a foreign processes 38->87 42 win.exe 38->42         started        45 win.exe 13 38->45         started        47 win.exe 38->47         started        signatures17 process18 signatures19 89 Tries to steal Instant Messenger accounts or passwords 42->89 91 Tries to steal Mail credentials (via file access) 42->91 93 Tries to harvest and steal browser information (history, passwords, etc) 45->93
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-02-18 05:45:38 UTC
AV detection:
21 of 48 (43.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mfd55tcdtoosld23dh3x36sh5jcb42a4jhqlngkth3vbqecpicja._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
22b13820a6139c7682d5e1108aefde2200dc593e14fe7fca28eb27d5e616bef7
RemcosRAT
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
RemcosRAT
593f9422a79559ab792b98a272ebd5db883b8a85f34de6a6f05f1c900b221dc5
RemcosRAT
7499c45e246fe759ff4180bd864252689b1cbadc7825d007c7e25aa39c6a4450
RemcosRAT
7765b39aa0345fd2af3838a548807c90094ea98d227d625ed742260833643b52
RemcosRAT
7f2da313a75add2d2762a6f8ef8ca2828fb96661ab726b8aaad79ae5f89577c9
RemcosRAT
c0e6f7a4aa809d2b93ba137245380ada0a44ac5576935e13e165d02b1b937583
RemcosRAT
c120fd3e62a0ecd299625f3fbf622fb8a56b534828b6788fe766f1bc36ac7a68
RemcosRAT
c3ca97abe1f0584928691bf13d02b25a4e20288a2477e466d67000c0bbe04df3
RemcosRAT
deb7f6e76d0d27a58d7eb53380b8f399d81caa842fe188830327b9aad82afdb0
RemcosRAT
+ 237 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat spyware
Link:
https://tria.ge/reports/210218-nwx8rgmjns/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
Nirsoft
Remcos
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/617da3e0-f008-4795-a989-ae249bf3b4b4/
SH256 hash:
6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092
MD5 hash:
3afbff763b9b7c1d7ee7c7d99ea33bb2
SHA1 hash:
12b5d5a2d7d19e3efcd840b173f681acb5b1c497
Link:
https://www.unpac.me/results/617da3e0-f008-4795-a989-ae249bf3b4b4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1016376/
  
URLhaus
https://urlhaus.abuse.ch/url/1017116/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117643/

Comments