MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 724c5c5649720c7ded1b006fe6fd4cd16b49f8d1596f0c358cac8a29d8dab9c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	724c5c5649720c7ded1b006fe6fd4cd16b49f8d1596f0c358cac8a29d8dab9c9
SHA3-384 hash:	327205fea8cad9e7160379f58a2fe7fdc2a7401b2f01f23c55d48a78881ee4cdd4ccf07881a0eb0a80d91edf1da3496f
SHA1 hash:	8cbabfcd197c0e81e69e6fc936ea54d44b6c852c
MD5 hash:	3aac2e51f94bea6ebde212013f2157a8
humanhash:	low-carbon-alpha-washington
File name:	e3.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	296'094 bytes
First seen:	2021-06-03 13:57:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:8Qq+avd/ylkKIsTknNyc94u/e50OKNojiY/Bym1b7hfs5oTSYxp:TavdaFI8kEcWu/e50b2mY5FbptZp
Threatray	1'113 similar samples on MalwareBazaar
TLSH	28541324B2C8DAEBCD9341306B7B1AA6D3B54E524310271B9F161EEE7921253859F7C2
Reporter	madjack_red
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e3.exe

Verdict:

Malicious activity

Analysis date:

2021-06-03 13:59:45 UTC

Tags:

installer rat remcos keylogger

Link:

https://app.any.run/tasks/32acc7bb-a8ef-477d-85c0-10072b6fbb2b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/164423/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Sending a UDP request

Unauthorized injection to a recently created process

Setting a keyboard event handler

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/796728

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/724c5c5649720c7ded1b006fe6fd4cd16b49f8d1596f0c358cac8a29d8dab9c9/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-06-02 09:39:01 UTC

AV detection:

20 of 47 (42.55%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ojgfyvsjoigh33i3abx6n7km2fvut6grlfxqynmmvsfctwg2xheq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

19fea0b558bc85df1bec0bd5a086fd2678767117999762731b0f6fe15e1c590a

RemcosRAT

1aa7d80336821e86d39b12d3787619f82096e3e4e0004d82187067d92ac105cf

RemcosRAT

62a98a16e7262b61b178e3b5d101373e41122b6763669be0779b932efde81076

RemcosRAT

66397096608335845167fddbffd425342849a6803e130518cb2c35c4251d7346

RemcosRAT

c7f5583441b2891803552b77c33c628f4aa2f7300f3404e004ffbf78c52ddb51

RemcosRAT

ca90a8391204ee90d138b7eddbd1f2e9a1193c1ea1a5ee28cc0d373f9d167c52

RemcosRAT

caef1c1bf021d8a6adbf6032e999aa68e1052014bdc8691dfbf182eeadc338f1

RemcosRAT

d105536c7b43d74fb3c32f8179261835f52007d8fb83eb8bdf1972756156a1c9

RemcosRAT

f73dcca2952ca3a15b309f8064bcaeb48c3213c9ac318c5a741f9805363f8e72

RemcosRAT

+ 1'103 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat upx

Link:

https://tria.ge/reports/210603-awd9hn83x2/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

UPX packed file

Remcos

Unpacked files

SH256 hash:

724c5c5649720c7ded1b006fe6fd4cd16b49f8d1596f0c358cac8a29d8dab9c9

MD5 hash:

3aac2e51f94bea6ebde212013f2157a8

SHA1 hash:

8cbabfcd197c0e81e69e6fc936ea54d44b6c852c

Link:

https://www.unpac.me/results/e6bc56fa-a024-412f-8cb1-3e14e2ede8a0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.77

Link:

https://yomi.yoroi.company/submissions/724c5c5649720c7ded1b006fe6fd4cd16b49f8d1596f0c358cac8a29d8dab9c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/164423/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample