MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8104295d1d2338902c8eb82cf3b7724e9bf65bd1b8b098c8d181dd5df9753b78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8104295d1d2338902c8eb82cf3b7724e9bf65bd1b8b098c8d181dd5df9753b78
SHA3-384 hash: 05cde6d7991a1a112aa80125495d3bfa37c4cc472a4ffdba0e5b1dfcad8531257dc5602401a90c3a776a57c601534ee2
SHA1 hash: 662f49a228fce5df2655de97470e374c0acbaee9
MD5 hash: c5cad11824fde5d12db45a1a7dd54f4e
humanhash: island-foxtrot-salami-carbon
File name:c5cad11824fde5d12db45a1a7dd54f4e.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'086'360 bytes
First seen:2021-01-11 07:18:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 34688f6e75b1bb27a358488e10a9abac (3 x RemcosRAT, 2 x Loki, 1 x Phobos)
ssdeep 12288:SNZGyaAmYrFHmXVCu/BnA3ddRw+SRnSYeCRqlZVpiiiiiOvp:SN0DiZ0knO+KnS5CclZ7iiiiiM
Threatray 1'353 similar samples on MalwareBazaar
TLSH D53592A86478649FF3B24336DC12F134E992DF662046A12A3497E7FB14323C4D51EB2E
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c5cad11824fde5d12db45a1a7dd54f4e.exe
Verdict:
Malicious activity
Analysis date:
2021-01-11 07:23:45 UTC
Tags:
installer rat remcos
Link:
https://app.any.run/tasks/ae60fd3a-5cd7-4c6a-bdda-acb1e2ce8b2b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111196/
Detection(s):
SecuriteInfo.com.Generic.mg.c5cad11824fde5d1.31409.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577624
Signature
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 337862 Sample: E8Jkw96qFU.exe Startdate: 11/01/2021 Architecture: WINDOWS Score: 100 31 agentpapple.ac.ug 2->31 33 taenaia.ac.ug 2->33 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected Remcos RAT 2->53 55 3 other signatures 2->55 7 E8Jkw96qFU.exe 1 21 2->7         started        12 Qrurblution.exe 17 2->12         started        14 Qrurblution.exe 16 2->14         started        signatures3 process4 dnsIp5 35 1drv.ws 168.235.93.122, 443, 49706, 49708 RAMNODEUS United States 7->35 37 bn-files.fe.1drv.com 7->37 39 0s0icq.bn.files.1drv.com 7->39 23 C:\Users\user\Contacts\Qrurblution.exe, PE32 7->23 dropped 57 Writes to foreign memory regions 7->57 59 Allocates memory in foreign processes 7->59 61 Creates a thread in another existing process (thread injection) 7->61 16 ieinstal.exe 1 7->16         started        41 bn-files.fe.1drv.com 12->41 43 0s0icq.bn.files.1drv.com 12->43 63 Multi AV Scanner detection for dropped file 12->63 65 Injects a PE file into a foreign processes 12->65 19 ieinstal.exe 12->19         started        45 bn-files.fe.1drv.com 14->45 47 0s0icq.bn.files.1drv.com 14->47 21 ieinstal.exe 14->21         started        file6 signatures7 process8 dnsIp9 25 agentpapple.ac.ug 16->25 27 taenaia.ac.ug 185.140.53.149, 49717, 49718, 49719 DAVID_CRAIGGG Sweden 16->27 29 192.168.2.1 unknown unknown 16->29
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8104295d1d2338902c8eb82cf3b7724e9bf65bd1b8b098c8d181dd5df9753b78/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-11 07:19:06 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qeccsxi5em4jaleoxawphn3sj2n7mw6rxcyjrsgrqhov36lvhn4a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
248eabc9c97d8c4994c26c88cf1806ea9274eb187e3eb0bae7ae8035c7f3b189
RemcosRAT
34d1451c8ac71d3eb9582092492d4b50a4202b962d8a7cff5cce9c93823aec5d
RemcosRAT
483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
RemcosRAT
6916d0f41d35a9142e598496a1e996616b4fad6d15f0f3da7ec9210b6a124586
RemcosRAT
871f11c78d3f9bf94da3d5442f4fe2a3bfe6a3d26cf4768d70f9a37d58bac8d9
RemcosRAT
ae4577de0e93d13f37be12a01ef37f25427124813afffb8ea0396efdd69d0f05
RemcosRAT
b234046301b208b5caf548041361be6e5031911fb41e8c5b7dc47905104291f3
RemcosRAT
bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d
RemcosRAT
f3453d83f263aa7665cb7398e7216db55cb8d7d75b8d45cdaf889c9265ba72fb
RemcosRAT
fdeab1bddd43965a3ec2ed0a6001bc926a7f995bffc549b64379324374beac4b
RemcosRAT
+ 1'343 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence
Link:
https://tria.ge/reports/210111-6pa9dj529a/
Behaviour
Modifies system certificate store
Script User-Agent
Suspicious use of WriteProcessMemory
Adds Run key to start application
Unpacked files
SH256 hash:
8104295d1d2338902c8eb82cf3b7724e9bf65bd1b8b098c8d181dd5df9753b78
MD5 hash:
c5cad11824fde5d12db45a1a7dd54f4e
SHA1 hash:
662f49a228fce5df2655de97470e374c0acbaee9
Link:
https://www.unpac.me/results/24aecb02-afef-4bd0-9efe-c87a4d5c766c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8104295d1d2338902c8eb82cf3b7724e9bf65bd1b8b098c8d181dd5df9753b78

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 8104295d1d2338902c8eb82cf3b7724e9bf65bd1b8b098c8d181dd5df9753b78

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/948788/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/948792/
Cape
Cape
https://www.capesandbox.com/analysis/111196/

Comments