MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 704cea9cf2bcfaf5eb8e072ec299125703ff291d1223db387365079758e366bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 12



SHA256 hash: 704cea9cf2bcfaf5eb8e072ec299125703ff291d1223db387365079758e366bb
SHA3-384 hash: c2205fcc01d5a5ccd4539918d88c77eb061094cf4bb5b8d667ce409ae128d78faa38689d74d2f4d69c808cf16d6e54f8
SHA1 hash: 51bf74f04bedf54d7c68f00727b9a359031162a3
MD5 hash: 51ce1318c71a5a1ab1ed2314390d08c8
humanhash: asparagus-gee-bravo-timing
File name: 51ce1318c71a5a1ab1ed2314390d08c8
Signature: RemcosRAT
File size: 617'854 bytes
First seen: 2021-07-01 20:02:29 UTC
Last seen: 2021-07-01 20:44:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ced282d9b261d1462772017fe2f6972b (shared with 127 x Formbook, 113 x GuLoader, 70 x RemcosRAT samples)
ssdeep: 12288:mbvuvDWFDyB98SEbe6PGSe9scMCvXesF/m/Uc6yPLX:EvuvA+sB1cMaesF/mMePLX
TLSH: 43D41299F150E0F7DE6444745C2699D3C7BBAD3DD9B02B0272E4BB9F3932A53822B841
Reporter: zbetcheckin
Tags: 32 exe RemcosRAT
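Added example (not MalwareBazaar's or abuse.ch's code): a small verification script for anyone who pulls this sample. It copies the SHA256/SHA3-384/SHA1/MD5 values from the entry above and the SHA256 of the two unpacked files listed further down, then checks a blob against them. The bytes it hashes are a constructed stand-in (b"abc"), not the real sample, so every comparison is expected to fail when run as-is; point it at the extracted download to get real results. Only SHA256 is treated as the deciding check, since MD5 and SHA1 collisions are practical. The imphash is deliberately not used for identification: the entry shows the same imphash on Formbook and GuLoader samples, so it fingerprints the packer/loader rather than the Remcos payload. The refang helper exists because the comment at the bottom of the entry defangs its URL as hxxp://.

```python
"""Verify that a blob is the file this MalwareBazaar entry describes.

Added example; not code from MalwareBazaar or abuse.ch. The hash values are
copied from this entry; SAMPLE_BYTES is a constructed stand-in, not the real
sample, so every comparison below is expected to fail for it.
"""
import hashlib

# Hashes listed in the "Database Entry" block of this page.
ENTRY_HASHES = {
    "sha256": "704cea9cf2bcfaf5eb8e072ec299125703ff291d1223db387365079758e366bb",
    "sha3_384": "c2205fcc01d5a5ccd4539918d88c77eb061094cf4bb5b8d667ce409ae128d78f"
                "aa38689d74d2f4d69c808cf16d6e54f8",
    "sha1": "51bf74f04bedf54d7c68f00727b9a359031162a3",
    "md5": "51ce1318c71a5a1ab1ed2314390d08c8",
}

# SHA256 of the submitted file and of the two unpacked files listed under
# "Unpacked files", so a process dump or dropped file can be tied back to this entry.
KNOWN_SHA256 = {
    "704cea9cf2bcfaf5eb8e072ec299125703ff291d1223db387365079758e366bb": "submitted sample",
    "a8cd8bed3159a99a6c4787800ac13742d6e3eca8567186620d9d2e41fac0e961": "unpacked file",
    "6d73cedbfb30c62b119ef1433508eec41c274abd313295c024e92d57c0c8d5e4": "unpacked file (win_remcos_g0)",
}


def compute_hashes(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists, as lowercase hex."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_sample(data: bytes, expected: dict) -> dict:
    """Return {algorithm: matched?} for every hash present in `expected`.

    Case-insensitive on the expected side, since feeds and reports mix cases.
    """
    actual = compute_hashes(data)
    return {algo: actual[algo] == value.lower()
            for algo, value in expected.items() if algo in actual}


def is_entry_sample(data: bytes, expected: dict) -> bool:
    """True only if SHA256 matches.

    MD5 and SHA1 are kept for cross-referencing older reports, but collisions
    are practical for both, so they must not be the deciding check on their own.
    """
    return verify_sample(data, expected).get("sha256", False)


def identify_blob(data: bytes, known: dict = KNOWN_SHA256):
    """Map a blob (file on disk, process dump) to a label from this entry, or None."""
    return known.get(hashlib.sha256(data).hexdigest())


def refang(ioc: str) -> str:
    """Undo the defanging used in the comment (hxxp://, [.]) for tooling that needs a real URL."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


SAMPLE_BYTES = b"abc"  # constructed stand-in for a downloaded file; not the real sample

if __name__ == "__main__":
    print(compute_hashes(SAMPLE_BYTES))
    print(verify_sample(SAMPLE_BYTES, ENTRY_HASHES))  # every value is False for the stand-in
    print(is_entry_sample(SAMPLE_BYTES, ENTRY_HASHES))
    print(identify_blob(SAMPLE_BYTES))
    print(refang("hxxp://conver.work/files/62_283cleaner.exe"))
```

To use it on a real download, replace SAMPLE_BYTES with the contents of the extracted file (MalwareBazaar serves samples inside a password-protected archive) and require is_entry_sample() to be True before doing anything else with the file.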

Intelligence


File Origin
# of uploads: 2
# of downloads: 131
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 51ce1318c71a5a1ab1ed2314390d08c8
Verdict: Malicious activity
Analysis date: 2021-07-01 20:04:47 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-06-30 15:25:33 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Remcos
Unpacked files
SHA256 hash: a8cd8bed3159a99a6c4787800ac13742d6e3eca8567186620d9d2e41fac0e961
MD5 hash: f0fe13d1a0b20414bc8777e3ae273183
SHA1 hash: df3f7f6e340b31c9ae520e278f021b6a56194a8f
SHA256 hash: 6d73cedbfb30c62b119ef1433508eec41c274abd313295c024e92d57c0c8d5e4
MD5 hash: 6182806d317c2612c2cb11a9ffede27a
SHA1 hash: 6843cac34e6897cfae53d5110a9a34ecd72b7f04
Detections: win_remcos_g0
SHA256 hash: 704cea9cf2bcfaf5eb8e072ec299125703ff291d1223db387365079758e366bb
MD5 hash: 51ce1318c71a5a1ab1ed2314390d08c8
SHA1 hash: 51bf74f04bedf54d7c68f00727b9a359031162a3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author:ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Author:James_inthe_box
Description:Contains Keylog
Rule name:remcos_rat
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 704cea9cf2bcfaf5eb8e072ec299125703ff291d1223db387365079758e366bb

(this sample)

  
Delivery method
Distributed via web download

Comments



zbet commented on 2021-07-01 20:02:31 UTC

url : hxxp://conver.work/files/62_283cleaner.exe