MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64c32d82c0dd8612a93831055d36ba9b2767c213b2706212545fc80b34a4d900. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 9 File information Comments

SHA256 hash:	64c32d82c0dd8612a93831055d36ba9b2767c213b2706212545fc80b34a4d900
SHA3-384 hash:	1c2f8a392db734efcd03e9123519eebed3772847c83124443ab59d53c2efe6923aafdf3daa685a31190681fe572ec52f
SHA1 hash:	286e65e21dc0ab4199484c948527bb3d20c4039b
MD5 hash:	704320b0ab5d2f24ec101cfda39589c7
humanhash:	maine-violet-cat-maine
File name:	Covid-19 Data Report Google Checklist.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'218'155 bytes
First seen:	2021-09-07 13:23:37 UTC
Last seen:	2021-09-09 14:12:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:5AOcZ9Z++WzSRUHcjOtgzDJ1ZoRWS+TUI3fO+veifWtU:z8W2RUHsWgzDHyRWSJkzUU
Threatray	2'398 similar samples on MalwareBazaar
TLSH	T1DB45DFD2A34084B6D477073544779B23BE73A12C5EB5460E2BA0BE2E7D323416E36E97
dhash icon	7eeceeccd6c2f2f2 (14 x Formbook, 9 x AgentTesla, 8 x RemcosRAT)
Reporter	Anonymous
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Covid-19 Data Report Google Checklist.exe

Verdict:

Malicious activity

Analysis date:

2021-09-07 13:27:14 UTC

Tags:

covid19 trojan rat remcos

Link:

https://app.any.run/tasks/317abac3-76e7-4564-8eac-9f2438420eeb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/186044/

Detection(s):

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Adding an access-denied ACE

Launching a process

Connection attempt to an infection source

Creating a file in the %AppData% subdirectories

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a global event handler for the keyboard

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/073a31d7-4db4-4159-baaf-93135209cee6

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/846631

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Drops PE files with a suspicious file extension

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Yara detected AntiVM autoit script

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/64c32d82c0dd8612a93831055d36ba9b2767c213b2706212545fc80b34a4d900/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2021-09-07 12:14:07 UTC

AV detection:

24 of 42 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mtbs3awa3wdbfkjygecv2nv2tmtwpqqtwjygeesul7eawnfe3eaa._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

3afedea501a9bca64d1d400f5e3aa79e1f0d359a035d84569c123d49458425f2

RemcosRAT

65d246d802665601ae63bd52d49d3208bdad035aa193378fc349df3ed0777a44

RemcosRAT

80d596a7fa52a5d9b41243e03a88ba0ca560cc95219a38d764947a75f568bea1

RemcosRAT

a97278750b1c8339b6fc7601434b733174ec05d6bd5dbde44a2a98ca6951f183

RemcosRAT

b9b61268d1a21a119391e6316826c44425aec53a42155a7253f62639876eb687

RemcosRAT

c8c67b9895ec2b463cc43a5c9c1e32363ff1a7a061c99d01dd3de5691e9d1d47

RemcosRAT

ccca82e76f5e7fae5c3bcf6a5ff542f95ad241e2c47a00c969ddbf2f50beda25

RemcosRAT

+ 2'388 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:nanocore family:remcos botnet:newyear keylogger persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/210907-qndsmafhdk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

NanoCore

Remcos

Malware Config

C2 Extraction:

cato.fingusti.club:6609

Unpacked files

SH256 hash:

f8ff8336b9c3036dd6d83cf065f2ecb649786af35dc2d0a2c8ccbf27901f7b6a

MD5 hash:

53d6622008bc5d9718732c4a8fccc4c6

SHA1 hash:

7d00569a7160255e9a144211fb3fac99a176bb1d

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/e265d789-dd90-4ded-9ecb-e3627674b1c7/

Parent samples :

bf2250c3400a28a3063a4a4489a5fc3e54975d4bd4c97a429de0d3b1699224e9
63df29d3fa84705de35251b66c3cf555ba225d9a2b064edbd566ccd1b3c59e07
009a336f3bae013c379a21bcfdbbcd9642984cb613dbe59ccff8d2e7c50c32b3
db5d7098903a45bb318ee2f897baa8584d86071be755582e87d3fd7192f87c18
ac63e6a70d5a7b867b798cd4a22db827d66c95f2506d1efdb49d2b6bf6d73aa8
0b4ede6ce80824c7bf66ecf5b42e1032c1039dc8e8b6e462d91be333fe9572e4
64c32d82c0dd8612a93831055d36ba9b2767c213b2706212545fc80b34a4d900
a3f8ab3315bcd827a53bf5dfe1b55f550a21e40287d15e082e364b870d6a02f8

SH256 hash:

b917549adb62df701f23f4d2357200baaba6dbbb6121bfe1aca436dc6e9e71e0

MD5 hash:

249a4b62c410eaf157fcc8f86dd119c5

SHA1 hash:

3798a79a47c1f1160bc19c61c72f283aa75b55f5

Link:

https://www.unpac.me/results/e265d789-dd90-4ded-9ecb-e3627674b1c7/

SH256 hash:

64c32d82c0dd8612a93831055d36ba9b2767c213b2706212545fc80b34a4d900

MD5 hash:

704320b0ab5d2f24ec101cfda39589c7

SHA1 hash:

286e65e21dc0ab4199484c948527bb3d20c4039b

Link:

https://www.unpac.me/results/e265d789-dd90-4ded-9ecb-e3627674b1c7/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/64c32d82c0dd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/64c32d82c0dd8612a93831055d36ba9b2767c213b2706212545fc80b34a4d900

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Embedded_PE Create hunting rule

Rule name:	Embedded_PE Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/186044/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample