MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c50d72da5ab733ffcc197ef2f403e4b490673164ea72012440fcbfa72ac31fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c50d72da5ab733ffcc197ef2f403e4b490673164ea72012440fcbfa72ac31fc
SHA3-384 hash: fd9a6b3359219032c7eeb0f97dfc1b20741b20f3cf57f60e83a1f520cdbf7d65df51623a9627cd9f903ca89dca2b4966
SHA1 hash: e119a6cbb6ff426ca35ef597a5906231dbd34b64
MD5 hash: a529633ffa991638887d99c4cbfa9eb4
humanhash: mars-hotel-washington-jersey
File name:6c50d72da5ab733ffcc197ef2f403e4b490673164ea72012440fcbfa72ac31fc
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:531'968 bytes
First seen:2020-11-03 12:17:59 UTC
Last seen:2020-11-08 14:12:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:Eow5DWusz2xsEuNllqxBd5OHiZFdN9ERTCJk++507Eus/XXk9j:Bw5o2xNuNTkOCnetCG++5Tus/n
Threatray 1'021 similar samples on MalwareBazaar
TLSH 03B4E7077F92A7B1D0A0767B03F5A7A5376EE1CBD3214756130E46698D832CA2E0FB58
Reporter madjack_red
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/82027/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader33.63577.12875.5659.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file
Launching cmd.exe command interpreter
Creating a process from a recently created file
Sending a UDP request
Creating a window
Running batch commands
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/519116
Signature
.NET source code contains very large array initializations
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates an undocumented autostart registry key
Detected Remcos RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 308658 Sample: tasvyCzmer Startdate: 03/11/2020 Architecture: WINDOWS Score: 100 83 Malicious sample detected (through community Yara rule) 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 Detected Remcos RAT 2->87 89 3 other signatures 2->89 11 tasvyCzmer.exe 4 2->11         started        15 remcos.exe 2->15         started        process3 file4 75 C:\Users\user\AppData\...\tasvyCzmer.exe.log, ASCII 11->75 dropped 105 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->105 17 cmd.exe 1 11->17         started        19 cmd.exe 2 11->19         started        signatures5 process6 file7 22 tnt.exe 3 17->22         started        25 conhost.exe 17->25         started        71 C:\Users\user\Desktop\tnt.exe, PE32 19->71 dropped 27 conhost.exe 19->27         started        process8 signatures9 95 Multi AV Scanner detection for dropped file 22->95 97 Contains functionalty to change the wallpaper 22->97 99 Uses cmd line tools excessively to alter registry or file data 22->99 101 5 other signatures 22->101 29 tnt.exe 4 4 22->29         started        32 cmd.exe 1 22->32         started        35 cmd.exe 1 22->35         started        37 6 other processes 22->37 process10 file11 77 C:\Users\user\AppData\Roaming\...\remcos.exe, PE32 29->77 dropped 39 wscript.exe 1 29->39         started        81 Uses cmd line tools excessively to alter registry or file data 32->81 42 reg.exe 1 1 32->42         started        45 conhost.exe 32->45         started        47 conhost.exe 35->47         started        49 reg.exe 35->49         started        51 WerFault.exe 37->51         started        54 conhost.exe 37->54         started        56 reg.exe 37->56         started        58 6 other processes 37->58 signatures12 process13 dnsIp14 79 192.168.2.1 unknown unknown 39->79 60 cmd.exe 39->60         started        103 Creates an undocumented autostart registry key 42->103 62 conhost.exe 42->62         started        64 reg.exe 1 42->64         started        73 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 51->73 dropped file15 signatures16 process17 process18 66 remcos.exe 60->66         started        69 conhost.exe 60->69         started        signatures19 91 Multi AV Scanner detection for dropped file 66->91 93 Hides that the sample has been downloaded from the Internet (zone.identifier) 66->93
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c50d72da5ab733ffcc197ef2f403e4b490673164ea72012440fcbfa72ac31fc/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-11-02 03:32:01 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nrinolnfvnzt77gbs7xs6qb6jneqm4ywj2tsaeseb7f7u4vmgh6a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
308245e3b036eaa8e2b12c92852a64e5feedd6d952789d12da2ea5da9b7acced
RemcosRAT
3569d46f24fc262031aad2932c38bf1347420472f197628c622a45e6b061ca76
RemcosRAT
4096056536154e1fa5a10e3495cd3ddadf7c01022b7b65b0c35a67b2eac2bc6b
RemcosRAT
52360edd07bcd18738ccc44906897ece6c659883978d6ed61bd1e73dca205bd4
RemcosRAT
5c9667b60610ff2eeb6b26096b7ac951ed3d59fc716a6b8aa1c94c38658b0db7
RemcosRAT
929aed244ea7ad68ca44b6274a388dcc772b9d4bc6f4e2cb4370555ecc292c80
RemcosRAT
bfa4daa95a303253a45cc02597d1fa404168fb88e627dc3afa4b3548a6ff893d
RemcosRAT
d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293
RemcosRAT
dfa62653c2606c14be6b244fdc19c07c2d31fe4553f2cebba08c972e92f27434
RemcosRAT
f412da03defe68cc6e1f264449adf519a4c5470c51e7b502854f7fbf358f8516
RemcosRAT
+ 1'011 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/201103-rpcq9dk83j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Remcos
Malware Config
C2 Extraction:
moorenike.sytes.net:1024
Unpacked files
SH256 hash:
6c50d72da5ab733ffcc197ef2f403e4b490673164ea72012440fcbfa72ac31fc
MD5 hash:
a529633ffa991638887d99c4cbfa9eb4
SHA1 hash:
e119a6cbb6ff426ca35ef597a5906231dbd34b64
Link:
https://www.unpac.me/results/5dc42bd5-b37d-42d7-9f38-53c3bff5487b/
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/5dc42bd5-b37d-42d7-9f38-53c3bff5487b/
SH256 hash:
bf3d2689c1877c0b300453b5078bc97d778437d03fb25c37293411d33c0924bb
MD5 hash:
000f710cd191efc49e36e86f912008ac
SHA1 hash:
9f059d6fc68f0d38ec55f40c1464fcf78b76b97c
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/5dc42bd5-b37d-42d7-9f38-53c3bff5487b/
SH256 hash:
542282ed737d2cb55e3cb59d05e58e8dbf6473d63461194a9ba597f0f3eb5d75
MD5 hash:
0ab09caf48c9dcbcbd53aef80493abd2
SHA1 hash:
fd985c8ed98d443fde035be26592b92662b9c5ea
Link:
https://www.unpac.me/results/5dc42bd5-b37d-42d7-9f38-53c3bff5487b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c50d72da5ab733ffcc197ef2f403e4b490673164ea72012440fcbfa72ac31fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/82027/

Comments