MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8378cff1c00e9259db81de361f9e5ebfc5eb1e932c0d21c5b003360c46a7eb43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 8 File information Comments

SHA256 hash:	8378cff1c00e9259db81de361f9e5ebfc5eb1e932c0d21c5b003360c46a7eb43
SHA3-384 hash:	ccc12ed46c1b999e0010ee31d8214b8c7906bd0cdc11c13dc308d64400d60ed8f6f1936c43454263301fe565b11951c2
SHA1 hash:	82731eb07393a28ad6bab5c6089af86f71976bac
MD5 hash:	9e5cbdf378f275a84fdea6731c42959d
humanhash:	saturn-spring-iowa-saturn
File name:	9e5cbdf378f275a84fdea6731c42959d.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	912'384 bytes
First seen:	2021-09-27 13:57:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:OmtiK5oBMtXP0l3OOhhHTS32PHKigo/vpAPlZhBBwKgSbMCHFdLhNBGLS/lKUNqi:O+FoBoXP0rb+y/BATBYCHr9NVN
Threatray	652 similar samples on MalwareBazaar
TLSH	T1DD15F15D764072EFC967CDB69A642C14EB20B56A530BD303A01362EDAE0E6DBCF141F2
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
31.210.20.224:22420

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
31.210.20.224:22420	https://threatfox.abuse.ch/ioc/227069/

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9e5cbdf378f275a84fdea6731c42959d.exe

Verdict:

Malicious activity

Analysis date:

2021-09-27 14:00:05 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/7e3127f0-03c4-4217-a63c-e6fc290fedf6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/192133/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d25cbcae-bd58-4975-8201-ff1e26a2b876

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/859034

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/8378cff1c00e9259db81de361f9e5ebfc5eb1e932c0d21c5b003360c46a7eb43/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-22 01:31:24 UTC

AV detection:

22 of 45 (48.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qn4m74oab2jftw4b3y3b7hs6x7c6whutfqgsdrnqam3ayrvh5nbq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929

RemcosRAT

860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c

RemcosRAT

87284733f84447db5f12697e7ce2fb44671cbf404e040cf85085b223eab02b95

RemcosRAT

993528adce97be31c6c1e1c01f4877f229b10e8f06b87d8cbcc2f95b46866872

RemcosRAT

a3faa214333ce59ed895410e011c4cbd44fe51b26ed5bf2a0ed54e225616f893

RemcosRAT

af9fa73ff6907f77d55aac6376f3f2e73160fc97afec3656e77da8d5e0a6a488

RemcosRAT

b2beeab94f7cbc38143e2a050c263476419bb48d2ec37470df5b1ee0da812f50

RemcosRAT

bfd45ef21e21655c921b457242c1d4e05a1e979d0051a4195192d8e17b7bed38

RemcosRAT

d83290b80bf412884168a6d24a06fad12edb578cc612ea555476b422a4499613

RemcosRAT

+ 642 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/210927-q9tqzahbdr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

fax-joh.dyn-ip24.de:22420

Unpacked files

SH256 hash:

3b9493c3457c94356613af717f006ed9283f2b09eb7062266b0a4d66a2ba7afe

MD5 hash:

5c082f5988c375e2c8927be6ecb27f57

SHA1 hash:

dc1b957a265b55169b631e32114857326497eca6

Link:

https://www.unpac.me/results/50c7af14-2cda-48d1-8617-e86c63ac1dfa/

SH256 hash:

583e2d17dbbe6a8ec7462c786dc0ac0029d9efb05443007f895e84b27325a749

MD5 hash:

cfbb93ccd23695db5deb49c247797161

SHA1 hash:

c79f0b7cc1e9c067d9d33d9829aa9e56491eea8c

Link:

https://www.unpac.me/results/50c7af14-2cda-48d1-8617-e86c63ac1dfa/

SH256 hash:

cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7

MD5 hash:

71a894ff252c767b80d65ab1e54fda2b

SHA1 hash:

bcc4ff628585ca28b8b0f2c30e63049b910d4d49

Link:

https://www.unpac.me/results/50c7af14-2cda-48d1-8617-e86c63ac1dfa/

SH256 hash:

d50db54d0287d66ab2d897abbf801eff7f7d947fcaba4fc47d9598aac988f85b

MD5 hash:

5374f07f10cfe91adcc2c60d5aed9044

SHA1 hash:

7c433b6330159f3ea616fab3fb381ae4e61935c4

Detections:

win_remcos_g0

Link:

https://www.unpac.me/results/50c7af14-2cda-48d1-8617-e86c63ac1dfa/

Parent samples :

6f92daf1987fdbeb08911e7081215c3bf8d5241428011e635ed1c61db6230bb0
8378cff1c00e9259db81de361f9e5ebfc5eb1e932c0d21c5b003360c46a7eb43
993528adce97be31c6c1e1c01f4877f229b10e8f06b87d8cbcc2f95b46866872
af9fa73ff6907f77d55aac6376f3f2e73160fc97afec3656e77da8d5e0a6a488

SH256 hash:

8378cff1c00e9259db81de361f9e5ebfc5eb1e932c0d21c5b003360c46a7eb43

MD5 hash:

9e5cbdf378f275a84fdea6731c42959d

SHA1 hash:

82731eb07393a28ad6bab5c6089af86f71976bac

Link:

https://www.unpac.me/results/50c7af14-2cda-48d1-8617-e86c63ac1dfa/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/8378cff1c00e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8378cff1c00e9259db81de361f9e5ebfc5eb1e932c0d21c5b003360c46a7eb43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/192133/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample