MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6274c01dd6783517a68267d2c6c2af38143ed35074cfc2372d8bc385a7c5f4e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6274c01dd6783517a68267d2c6c2af38143ed35074cfc2372d8bc385a7c5f4e9
SHA3-384 hash: 5175191cb3143f9ef54bcebaaa808f7837000404e52c48d1c085b505b72d6d398d268cc5083530e73445b1a229df3828
SHA1 hash: 56a5810c0c5132fd6955d5fda3546b6b533272bb
MD5 hash: 4570176089d72d12df1e8feeb6ee3e96
humanhash: five-alanine-uniform-november
File name:New REMCOS TES.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:884'736 bytes
First seen:2020-07-13 15:50:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a2488d4e6117f1c1c09ec31ad2be7a6 (9 x AgentTesla, 6 x MassLogger, 1 x FormBook)
ssdeep 12288:q8TTuvybypYorcL3JdNz0YAcPzw3SagvB4BW72XZiypBw4pV/cQEwOhF7qpIX:vivyudcBzOliBaw2xw6/czwuF7qpI
Threatray 785 similar samples on MalwareBazaar
TLSH 51158D22F6914433C6732A3C9D5B97645C2ABE10FE28E94A2BF45C8C4F7D68178352E7
Reporter JAMESWT_WT
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25465/
Detection(s):
SecuriteInfo.com.Adware.Generic4.BBFB.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Running batch commands
Replacing files
Launching a process
Launching a service
Reading critical registry keys
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Setting a global event handler for the keyboard
Stealing user critical data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6274c01dd6783517a68267d2c6c2af38143ed35074cfc2372d8bc385a7c5f4e9/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 15:43:56 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mj2mahowpa2rpjucm7jmnqvphakd5u2qoth4enznrpbylj6f6tuq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
21c0f71a640ec97eb4bf4e3445896f1200e676bc8c2c096db8a725d5eb6f3427
RemcosRAT
4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d
RemcosRAT
6c882aeb918e424cefe1068a6d3fbff5526c31e185716bf3a0d5ae0295772f09
RemcosRAT
84a066f7294211d47a88b38b0ad9ff2f0e385973c4a3b92b39b2df25e178aca8
RemcosRAT
92f26df2b8881b2971127cc9bd67d17924b895e4124092d49fdc6ebe4d362620
RemcosRAT
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
RemcosRAT
b1e43124a401714ce72691a059cfaf3182e0e63986ab8e165d8333bf11540568
RemcosRAT
b8d1d962744d0c6ab3abe293c4671b3ba6524f623f9d6f02361bc60eec7b4cb4
RemcosRAT
c0b1ba178d886a9d71fb7ffd5b169bf023021e13c545e3cd8d15461221dd2006
RemcosRAT
f18bf944f9365beda201e63d97f1b93139994d9cef424f855d691cf797c33d0f
RemcosRAT
+ 775 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence rat family:remcos
Link:
https://tria.ge/reports/200713-dl8hbxr59n/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run entry to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
185.140.53.209:1990
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 6274c01dd6783517a68267d2c6c2af38143ed35074cfc2372d8bc385a7c5f4e9

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/25465/
  
URLhaus
https://urlhaus.abuse.ch/url/412467/
  
Delivery method
Distributed via web download

Comments