MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136
SHA3-384 hash: de417bb31120536058aa26df4435c3f93eb91fc23cabba00f207ae693823178a0d8ac13e61b83d4c0c9f517b28969689
SHA1 hash: 7da3f5506945407f8f8e1adcacc1723687350a2c
MD5 hash: 2805ce182e1675cc95aeee36afe349e3
humanhash: ceiling-yellow-california-connecticut
File name:bank.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:719'874 bytes
First seen:2021-08-09 22:29:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 64b99ed56fe51c14a44881c90ac9ff50 (4 x RemcosRAT, 1 x BitRAT)
ssdeep 12288:SnE1eDMrSuUFA+/ARNb43cRuM7bUwYgsI4pR8fCH3eVg2m+7ph:42HfUG+oRNb43chyXI4pRUU3e7f
Threatray 1'155 similar samples on MalwareBazaar
TLSH T177E46C1771708E73C23F4A786D1792A59C27BE012D28EED67AE66D0CBF3E25520260D7
dhash icon 12b232f2b98c8681 (12 x Formbook, 12 x RemcosRAT, 2 x AveMariaRAT)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177769/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.17036.3219.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a UDP request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f59d267-305c-4ffc-811d-48ebedc1acba
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829755
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to steal Instant Messenger accounts or passwords
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 462186 Sample: bank.exe Startdate: 10/08/2021 Architecture: WINDOWS Score: 100 66 Multi AV Scanner detection for domain / URL 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 6 other signatures 2->72 8 bank.exe 1 24 2->8         started        13 Qbvsekh.exe 16 2->13         started        15 Qbvsekh.exe 16 2->15         started        process3 dnsIp4 52 192.168.2.1 unknown unknown 8->52 54 sn-files.fe.1drv.com 8->54 60 2 other IPs or domains 8->60 48 C:\Users\Public\Libraries\...\Qbvsekh.exe, PE32 8->48 dropped 82 Writes to foreign memory regions 8->82 84 Creates a thread in another existing process (thread injection) 8->84 86 Injects a PE file into a foreign processes 8->86 17 mshta.exe 2 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        56 sn-files.fe.1drv.com 13->56 62 2 other IPs or domains 13->62 88 Multi AV Scanner detection for dropped file 13->88 90 Machine Learning detection for dropped file 13->90 25 mshta.exe 13->25         started        58 sn-files.fe.1drv.com 15->58 64 2 other IPs or domains 15->64 27 DpiScaling.exe 15->27         started        file5 signatures6 process7 dnsIp8 50 twistednerd.dvrlists.com 62.102.148.130, 49722, 49723, 49724 TEKNIKBYRANSE Sweden 17->50 74 Contains functionality to steal Chrome passwords or cookies 17->74 76 Contains functionality to inject code into remote processes 17->76 78 Contains functionality to steal Firefox passwords or cookies 17->78 80 2 other signatures 17->80 29 mshta.exe 1 17->29         started        32 mshta.exe 17->32         started        34 mshta.exe 17->34         started        36 reg.exe 1 21->36         started        38 conhost.exe 21->38         started        40 cmd.exe 1 23->40         started        42 conhost.exe 23->42         started        signatures9 process10 signatures11 92 Tries to steal Instant Messenger accounts or passwords 29->92 44 conhost.exe 36->44         started        46 conhost.exe 40->46         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 19:35:05 UTC
File Type:
PE (Exe)
Extracted files:
62
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mklazlz5ab3drpujmmpfajzt6mgefkn2aju6rqaek7e55qiose3a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
3d263b6e2cdc6e43060faf06203a211ed5f716238157fc36f3f0d5b21777c0ac
RemcosRAT
40ef0ea8d499ef74760da82a71c8cf548149e01826b62767c75431cc4cdad67f
RemcosRAT
756f9b558a3bedf13017b0e8b5214d6d074778ee2696935c883eb0248b98fb39
RemcosRAT
995f29caf80a4902430611c45e0619adbcd60e3a9f283a562fce6bd7baebc075
RemcosRAT
ba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914
RemcosRAT
cbe42b277b9e2d8ad915917a6c9a6cca9858efb70c342462a0a6701b39dda1fc
RemcosRAT
d4d30acde6fa4db431b90817911b44d21c65fc1fa72744625bccafe3899869bc
RemcosRAT
ded1412f9509d9fbc0c48687c3611d6cd8356ff0f00a9a2c5836890a5df03925
RemcosRAT
+ 1'145 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:augusta persistence rat
Link:
https://tria.ge/reports/210809-e9k7ddh3x2/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
twistednerd.dvrlists.com:8618
Unpacked files
SH256 hash:
795b2b5d6668147d7924ac96f90741ddc2a2b5003f455fb842b613a286fbf8fc
MD5 hash:
53011b69a7231aea23d66805a681144b
SHA1 hash:
e3d0d157e763c865e79ccc5bedc2fd5fd90413f7
Link:
https://www.unpac.me/results/7725238b-adce-4367-b159-c7688c6a9dc4/
SH256 hash:
bdea4aca4bb743437299170c2665eba028b6a403d2e013afa7efa10a49a40670
MD5 hash:
85896ed27fa1d1d56986f8a09aa9b978
SHA1 hash:
65996d05e03ec3490ee54a146ff6ab684ce2593c
Link:
https://www.unpac.me/results/7725238b-adce-4367-b159-c7688c6a9dc4/
SH256 hash:
62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136
MD5 hash:
2805ce182e1675cc95aeee36afe349e3
SHA1 hash:
7da3f5506945407f8f8e1adcacc1723687350a2c
Link:
https://www.unpac.me/results/7725238b-adce-4367-b159-c7688c6a9dc4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/62960caf3d00/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/177769/

Comments