MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b4a57c6eb6a005e9641a19c161334890128dfd6b15477f1add890041b7c8bf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	6b4a57c6eb6a005e9641a19c161334890128dfd6b15477f1add890041b7c8bf8
SHA3-384 hash:	372d3423b3c4fe8263dedebcdbebb48a8c8a7f62d58f90b0c287067a1f07771aa804b14d10d98a8127524fb10a7267b1
SHA1 hash:	b70bd81299ce7ab14e5a2798fc6212ada4e593b3
MD5 hash:	15b3e8310e456f5dd6abb3277438f1e2
humanhash:	kansas-gee-fifteen-william
File name:	IMG_38100045321200455687.scr
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	831'488 bytes
First seen:	2021-07-12 13:15:13 UTC
Last seen:	2021-07-12 13:56:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	81b44cc9bb38ca599d2bb46a023cd8f4 (2 x Formbook, 1 x RemcosRAT, 1 x BitRAT)
ssdeep	12288:PXjVVvgR6lgIdw67J0/BVEULCi/FKGI9isgfDeuiqOeA:PXjfrR+6dwJLxsr9isgfK2
Threatray	323 similar samples on MalwareBazaar
TLSH	T1FC059E23E253C436DCB21B7D948373A59929ED102D1491CB5EE1C87CEEB9AE13E26347
Reporter	Anonymous
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

IMG_621800045312000755.scr

Verdict:

Malicious activity

Analysis date:

2021-07-12 13:36:34 UTC

Tags:

installer

Link:

https://app.any.run/tasks/0f90f665-c51a-4df2-8a30-e560a7de4260

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/171107/

Detection(s):

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dbatloader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4057b29d-e418-4d41-8c0d-61a30810ffd4

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/814881

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates a thread in another existing process (thread injection)

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Sigma detected: WScript or CScript Dropper

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/6b4a57c6eb6a005e9641a19c161334890128dfd6b15477f1add890041b7c8bf8/

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2021-07-12 13:16:15 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nnffprxlniaf5fsbugobmezureasrx6wwfkhp4nn3ciaig34rp4a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

1fc8b21214b10720988c33582ca6415bf3d052a829ba4db3dcbd77655de4f95d

RemcosRAT

34ae6e94fd8ce101fadff4baf68d7c0b8bf606d1796b7c8199e7d45a9bc57a02

RemcosRAT

3d263b6e2cdc6e43060faf06203a211ed5f716238157fc36f3f0d5b21777c0ac

RemcosRAT

44130b6c18abaaea8d59ba7ef447b231e2bde5ae9fd572104ca51136e5e35150

RemcosRAT

995f29caf80a4902430611c45e0619adbcd60e3a9f283a562fce6bd7baebc075

RemcosRAT

a0bb5a244b144a8e10087fd70a04580c3bb8c4c8add7da671a06f10020473004

RemcosRAT

dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac

RemcosRAT

e7510144ab7ab12ed58b249055cf818ae37c82f46d503086cd9933d456b58cb1

RemcosRAT

f9e2ac4c422df790f71f3c1a4a9839edb7405862b1419144f08129400aaa1f6e

RemcosRAT

+ 313 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost persistence rat

Link:

https://tria.ge/reports/210712-3qfvm2xel6/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

marinelife9003.duckdns.org:4190
bitybity900.ddns.net:4190

Unpacked files

SH256 hash:

7470d7a49c6e61e406c0e1cfb17ad86221ea7af972abb3da166c1ba1e9a1a7ed

MD5 hash:

9a495f6dc375d601c8aa5015c8a14a17

SHA1 hash:

0f167fabe37b1a5a44a9cbb40e84abb4303230a6

Link:

https://www.unpac.me/results/01006468-e7d2-46a9-8921-f9861a536add/

SH256 hash:

6b4a57c6eb6a005e9641a19c161334890128dfd6b15477f1add890041b7c8bf8

MD5 hash:

15b3e8310e456f5dd6abb3277438f1e2

SHA1 hash:

b70bd81299ce7ab14e5a2798fc6212ada4e593b3

Link:

https://www.unpac.me/results/01006468-e7d2-46a9-8921-f9861a536add/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6b4a57c6eb6a005e9641a19c161334890128dfd6b15477f1add890041b7c8bf8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/171107/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample