MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cef436fd5577158e43bd7cc85ea84cdac90044d8e9f93c254ee7ed119fa7aed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cef436fd5577158e43bd7cc85ea84cdac90044d8e9f93c254ee7ed119fa7aed
SHA3-384 hash: 5538656ea4c51237f8784a446c98cdf1bfd0cfd2bd768ef86e07d336aa1e2ff78931c11cf65d998f761486f0ea309217
SHA1 hash: c71de10e92cc82c4319f5adb784a4fd07f2a7677
MD5 hash: 49c178fe7ccf97e9a20af386f51eb7e6
humanhash: alpha-twelve-double-idaho
File name:SecuriteInfo.com.Trojan.Inject4.6969.3657.1678
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:698'368 bytes
First seen:2021-02-04 08:20:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:9XapnTKavrS7BbfsBgEyqrlVvI8fS0/V/pTshp7UIzZ:JapnOavrWNfePrlVbnhhshp7U
Threatray 13 similar samples on MalwareBazaar
TLSH 12E4F1487250758FC4D7C1328E98DD27A710A967573B8703A4931AEBAA1D68BCF3D1F2
Reporter SecuriteInfoCom
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Inject4.6969.3657.1678
Verdict:
No threats detected
Analysis date:
2021-02-04 08:23:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7f5f1ef4-c318-4089-948c-889f4b418b1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115507/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6969.3657.1678.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Sending a UDP request
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/598875
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 348469 Sample: SecuriteInfo.com.Trojan.Inj... Startdate: 04/02/2021 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Detected Remcos RAT 2->51 53 2 other signatures 2->53 7 SecuriteInfo.com.Trojan.Inject4.6969.3657.exe 1 3 2->7         started        11 Sysdiagnostie.exe 1 2->11         started        13 Sysdiagnostie.exe 2->13         started        process3 file4 31 C:\Users\user\AppData\...\Sysdiagnostie.exe, PE32+ 7->31 dropped 33 C:\...\Sysdiagnostie.exe:Zone.Identifier, ASCII 7->33 dropped 35 SecuriteInfo.com.T...4.6969.3657.exe.log, ASCII 7->35 dropped 55 Writes to foreign memory regions 7->55 57 Allocates memory in foreign processes 7->57 59 Injects a PE file into a foreign processes 7->59 15 svchost.exe 4 3 7->15         started        61 Multi AV Scanner detection for dropped file 11->61 19 svchost.exe 11->19         started        21 svchost.exe 13->21         started        signatures5 process6 dnsIp7 37 185.244.128.34, 2404, 49738, 49741 BELCLOUDBG Romania 15->37 39 System process connects to network (likely due to code injection or exploit) 15->39 41 Contains functionality to steal Chrome passwords or cookies 15->41 43 Contains functionality to capture and log keystrokes 15->43 45 4 other signatures 15->45 23 svchost.exe 15->23         started        25 svchost.exe 15->25         started        27 svchost.exe 15->27         started        29 5 other processes 15->29 signatures8 process9
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6cef436fd5577158e43bd7cc85ea84cdac90044d8e9f93c254ee7ed119fa7aed/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-03 14:32:57 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ntxug36vk5yvrzb327gil2uezwwjabcnr2pzhqsu5z7ncgp2plwq._file
Verdict:
unknown
Similar samples:
035cba8ea6bbe0336a0221e86b571e530764939150df17f636fd23ad30db3f27
RemcosRAT
2f85c41ee13d69e68454d97153252e8ba9a3a0e85573427eac0600d41fa6824d
RemcosRAT
33b25ae8a09b3249f6f5a9971d563933e88d20dca6f2b761c308783e164de492
RemcosRAT
719bb30fb8ff3d79fd0216bdbc9f9d1b377c1456a20c8d9a26f1a19e283352ba
RemcosRAT
a8889ff384c38b97b5a48ef4e9586df7c281f40e2719fe248b0d252832969521
RemcosRAT
cacfd3f384737f85e02f8c4dfad0689a71b228c8b930995c24da43582f688a64
RemcosRAT
e759db35e2aa047d055ca4d5d089da667aaa39d443a35601784090382f0d1e2a
RemcosRAT
e9b069d8601f3c5af52496366ce5921ad0a5938c1f25e18602355027c26ed631
RemcosRAT
eddb00e96bcae82158333e9c0a0e0e1cf8002af1f6287fe8a99f5e3d619af2fb
RemcosRAT
f5b21be44a7076a4414adf52f6bae43d0dfbcd460bc35921e5ea81549ea16f4a
RemcosRAT
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210204-adxacz92fj/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
6cef436fd5577158e43bd7cc85ea84cdac90044d8e9f93c254ee7ed119fa7aed
MD5 hash:
49c178fe7ccf97e9a20af386f51eb7e6
SHA1 hash:
c71de10e92cc82c4319f5adb784a4fd07f2a7677
Link:
https://www.unpac.me/results/cce5cb64-49cc-4cbb-af59-f692bc0e5fb4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6cef436fd5577158e43bd7cc85ea84cdac90044d8e9f93c254ee7ed119fa7aed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 6cef436fd5577158e43bd7cc85ea84cdac90044d8e9f93c254ee7ed119fa7aed

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/990048/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/115507/

Comments