MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68f59f9ceb6a93c4ce1cb450202bd0dd021543c5bf60d82f36c86252a5bd69e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

SHA256 hash: 68f59f9ceb6a93c4ce1cb450202bd0dd021543c5bf60d82f36c86252a5bd69e8
SHA3-384 hash: 8c91f6dd8bc626b7da48481e6b9075f5d0779c2a89dbacee7fb883bcccc74feda916c0446954707ce0cfe66fab8b7a19
SHA1 hash: 97b88df636884ea96e1e02dda4136c1a0bba2b3e
MD5 hash: 710ff8dd9375beacf7c9dff03f6e90b1
humanhash: fix-december-river-grey
File name: Attachment.exe
Signature: RemcosRAT
File size: 1'133'568 bytes
First seen: 2021-09-21 19:46:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bc8cc1eea5c25ce2056d7da92bd98134 (9 x RemcosRAT, 3 x NetWire, 1 x AveMariaRAT)
ssdeep: 24576:320N/seflZhTmiW3AOuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuc:3tdfU5f
Threatray: 624 similar samples on MalwareBazaar
TLSH: T14A357CD277C8C8F9ED60397EDC49B2812305BBFA7C924D489DF06F8A1670A61B46D44B
dhash icon: 8ccc0c37e3969a68 (8 x RemcosRAT, 2 x NetWire, 1 x BitRAT)
Reporter: GovCERT_CH
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 262
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Attachment.exe
Verdict: Malicious activity
Analysis date: 2021-09-21 19:48:34 UTC
Tags: installer rat remcos keylogger

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID: 487612; sample: Attachment.exe; start date: 21/09/2021; architecture: WINDOWS; score: 100)
Root signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Detected Remcos RAT; 2 other signatures
Process tree recovered from the graph:
  Attachment.exe (started)
    contacts: pyno2q.am.files.1drv.com, onedrive.live.com, am-files.fe.1drv.com
    drops: C:\Users\Public\Libraries\...\Vgeczmk.exe (PE32)
    signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    starts: logagent.exe
      contacts: sinzu1.camdvr.org (185.157.161.92, 2404, 49769; OBE-EUROPE Obenetwork Europe SE, Sweden)
      signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies; Delayed program exit found
  Vgeczmk.exe (started)
    contacts: pyno2q.am.files.1drv.com and 2 other IPs or domains
    signatures: Multi AV Scanner detection for dropped file
    starts: logagent.exe
  Vgeczmk.exe (started)
    contacts: pyno2q.am.files.1drv.com and 2 other IPs or domains
    starts: DpiScaling.exe
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2021-09-21 19:47:05 UTC
AV detection: 10 of 45 (22.22%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost persistence rat

Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos

Malware Config
C2 Extraction:
sinzu1.camdvr.org:2404
sinzu2.camdvr.org:2404
sinzu3.kozow.com:2404
sinzu4.ddnsgeek.com:2404
sinzu5.giize.com:2404
sinzu6.camdvr.org:2404
sinzu7.camdvr.org:2404
Unpacked files
SHA256 hash: 8af0b1d0dd47bb390af4256646d4b07c56d811fc8d59ddd0caaae17e4fb8963c
MD5 hash: bf6f925b0d88b4605d61d5a251e8ca6d
SHA1 hash: c016fd257edfa231f52e43022fc6d403c5064485

SHA256 hash: 68f59f9ceb6a93c4ce1cb450202bd0dd021543c5bf60d82f36c86252a5bd69e8
MD5 hash: 710ff8dd9375beacf7c9dff03f6e90b1
SHA1 hash: 97b88df636884ea96e1e02dda4136c1a0bba2b3e
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  RemcosRAT
    Executable exe 68f59f9ceb6a93c4ce1cb450202bd0dd021543c5bf60d82f36c86252a5bd69e8 (this sample)

Delivery method: Distributed via e-mail attachment

Comments