MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7965402620f6c8430667021160882a918fd7da56667a8e5295f9c0b776458c99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	7965402620f6c8430667021160882a918fd7da56667a8e5295f9c0b776458c99
SHA3-384 hash:	23c75d0a806fb007eb566ead84b30179f5d053ca28c6ed3c7c69ebec37ba5ac71bda7b8062d01bc36be86e11b502baa7
SHA1 hash:	bad2b4c954da922faa449433a2c3abe2238fff50
MD5 hash:	353b6406907837cab59cd18f61a9373e
humanhash:	coffee-carolina-berlin-eleven
File name:	7965402620f6c8430667021160882a918fd7da56667a8e5295f9c0b776458c99
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	451'584 bytes
First seen:	2020-06-10 12:23:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	6144:rGSzYBchGp6VEJD6LpMXxLY3dsc3LWOXCMQ5h12Tb7E2tcs0a5fegqgv/hIb/:rGSY6VEt6mXa3ScyO/QCg2rdv
Threatray	835 similar samples on MalwareBazaar
TLSH	9FA46D2276C60055D43B027D10F86BA1EA3C7DB13B15876FF39AE30D1E6147ED2267AA
Reporter	JAMESWT_WT
Tags:	RemcosRAT

Intelligence

File Origin

# of uploads :

1

# of downloads :

65

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2020-05-26 20:01:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

3

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Verdict:

malicious

Label(s):

remcos

nanocorerat

Similar samples:

19efc1df3507cb2addad31eb226196bcacd77ae3bccf11a9b8a0f5c0147b6c34

36a40ec4deea590187112deb4f39489b2a01de2680f85504b8d59d19cee145c5

738ea925d9f26dc03c18efd41de5e310285a36eef0147e7767a25dcf3fb1b24d

8e28928a582c475fa995b9d487aad1d6b9997c07f4fdab1e449e25adc7cee0d0

8e81382d94e87aa1cdc85da08f858ec825bc7ca56011a2c7de2b42f7740b5f85

e1b4622454cead31c14bd55cf1985eb6b5e93483989b183cf32e79e07ee4dc13

e1d3edbd73ae8b8946796dd8f19de14f42c8fe8d92954a308979ed9d1f9bf1d3

eb014a8ce4cf51f56669eccfdf4acb02794efb3897323cbe066a36194f693b85

eee72be9b19c5e0fa5fd1b5404798a7ccd5b73830249562f9465583004980a18

f332609731fb4f454cc0a03829a8dcd98b3f2b199f9ffedb7b6b0a42c1ee2180

+ 825 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos agilenet persistence rat

Link:

https://tria.ge/reports/201109-gh7gp9yky6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Remcos

Malware Config

C2 Extraction:

eastsidepapi.myq-see.com:6996

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample