MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ee87843a613bf888304843d62cec0507600503af4260024e4b37efdd829cd40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ee87843a613bf888304843d62cec0507600503af4260024e4b37efdd829cd40
SHA3-384 hash: 6ad5f487b8f7790bee817250c9521f4ebd3655b64453014814bb0c368123553893d82f405e1e55ded800f8ca16d8b362
SHA1 hash: c5c50f57001d80892fd905911d1dc53d141dace0
MD5 hash: 75955dcfbeee97c176783c4e58d5bc23
humanhash: enemy-alanine-vegan-oscar
File name:UMT ????????? ????? ?????????,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:905'728 bytes
First seen:2021-10-01 06:07:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 232258adce45df6a738819fd4629c94a (4 x RemcosRAT, 1 x Formbook)
ssdeep 12288:B+o1a37hoDboRXMoWUPPaR1t2+XkzYjqWG7w3785jWU1bjjx:Bv1ZbUWUPG/KYjvHL85SU1bj
Threatray 676 similar samples on MalwareBazaar
TLSH T198158E12A2C5C432D136273D4C5F96709C3A3E526C60694EB6FC7B4DAF37942363AA93
File icon (PE):PE icon
dhash icon 616110152b2b5130 (12 x RemcosRAT, 5 x Formbook, 4 x BitRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
194.147.140.18:7536

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.147.140.18:7536 https://threatfox.abuse.ch/ioc/229361/

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0d1dab86-05a4-4cce-b6a0-5eb9f79c34c3
Verdict:
Malicious activity
Analysis date:
2021-10-01 06:09:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/82647c77-c6e1-4d58-a6cc-bd8ce52dc89b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193857/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.16444.12936.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8ba19ce7-5f0d-4e6f-aadd-0e86d0f5fce3
Result
Threat name:
Remcos DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862488
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 494916 Sample: UMT _________ _____ _______... Startdate: 01/10/2021 Architecture: WINDOWS Score: 100 40 ohekelem4x4.hopto.org 2->40 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 4 other signatures 2->58 9 UMT _________ _____ _________,pdf.exe 1 22 2->9         started        14 Ckwhtsq.exe 2->14         started        16 Ckwhtsq.exe 2->16         started        signatures3 process4 dnsIp5 44 sn-files.fe.1drv.com 9->44 46 qe0jow.sn.files.1drv.com 9->46 48 onedrive.live.com 9->48 38 C:\Users\Public\Libraries\...\Ckwhtsq.exe, PE32 9->38 dropped 68 Writes to foreign memory regions 9->68 70 Allocates memory in foreign processes 9->70 72 Creates a thread in another existing process (thread injection) 9->72 74 Injects a PE file into a foreign processes 9->74 18 secinit.exe 2 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        50 192.168.2.1 unknown unknown 14->50 file6 signatures7 process8 dnsIp9 42 ohekelem4x4.hopto.org 194.147.140.18, 49829, 7536 PTPEU unknown 18->42 60 Contains functionality to steal Chrome passwords or cookies 18->60 62 Contains functionality to inject code into remote processes 18->62 64 Contains functionality to register a low level keyboard hook 18->64 66 2 other signatures 18->66 26 reg.exe 1 22->26         started        28 conhost.exe 22->28         started        30 cmd.exe 1 24->30         started        32 conhost.exe 24->32         started        signatures10 process11 process12 34 conhost.exe 26->34         started        36 conhost.exe 30->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ee87843a613bf888304843d62cec0507600503af4260024e4b37efdd829cd40/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-10-01 06:08:14 UTC
AV detection:
7 of 45 (15.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3uhqq5gco7yrayeqq6wftwakb3aaub26qtaajhewn7p3wbjzvaa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
026668d9855f0c4aac1cb86f163e6e28569a5a4d53d0bde93ac9880a90a8225c
RemcosRAT
098777450fb98055538af7369ae8b2ae93513fb853fed0ab72ae0304917165ce
RemcosRAT
17997c6f08706bfcc59f2c0be0b773803dffcde1e65111e8d45eb07cdee8acf6
RemcosRAT
204806f363e25b8caab19fade1152cbdef6d19a2ee0f122ce2a2aa3949154f1d
RemcosRAT
229f038b88ac837d525cf09911915cb9a87581b0eeb06ce834d9e40afec5f675
RemcosRAT
45cbfcaef7666a834e2d71b743847e5c3eb024d3abe6d897fc81de60903de41c
RemcosRAT
a6e1bb4ed47aa0c32ba63a6c0215e870b69ef69b678312bc5417cadcca53ac36
RemcosRAT
b9384216a5aea20cd398e51c6549bb84d6b252f3fde114010e3cc0c60b1e2b13
RemcosRAT
e0da748ac698c5eae9e9f9f6d3da20ea8f30fbdbd124597aae25f521988bc858
RemcosRAT
e15e4ca40396780514e28cfed891f1b9b4884ddd305f44d35742c4ab04170f98
RemcosRAT
+ 666 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:blessedohekelem persistence rat
Link:
https://tria.ge/reports/211001-gvxdwaahg4/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
ohekelem4x4.hopto.org:7536
Unpacked files
SH256 hash:
f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703
MD5 hash:
6cfdeebc3c72279486ddd229eb14b009
SHA1 hash:
e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7
Link:
https://www.unpac.me/results/72c47ef3-5cfa-497e-81d7-fad9c961987f/
SH256 hash:
6ee87843a613bf888304843d62cec0507600503af4260024e4b37efdd829cd40
MD5 hash:
75955dcfbeee97c176783c4e58d5bc23
SHA1 hash:
c5c50f57001d80892fd905911d1dc53d141dace0
Link:
https://www.unpac.me/results/72c47ef3-5cfa-497e-81d7-fad9c961987f/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6ee87843a613/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/6ee87843a613bf888304843d62cec0507600503af4260024e4b37efdd829cd40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/193857/

Comments