MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84f6968bec673a61d9408dd7a9dc1bf38be61c947078887d27d09210792f5eee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 8 File information Comments

SHA256 hash:	84f6968bec673a61d9408dd7a9dc1bf38be61c947078887d27d09210792f5eee
SHA3-384 hash:	1bfcc8ab1c96861f107fd102649e58923cc6cc2d7993fc19ac65360be8eebf638093fa03f30e77eaa82774b214a49f6f
SHA1 hash:	460cdca7556f9ee5dc5492096b21c997a3d1a819
MD5 hash:	c942e578f5449ab92e720f47f2cbbb8f
humanhash:	salami-hot-blue-moon
File name:	Iwfifvwzd4.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	404'992 bytes
First seen:	2020-11-27 14:18:40 UTC
Last seen:	2020-11-27 15:46:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:h4MUo9SMQq3NB3cgT0YAOjVmiV13wYi/4TG:nS+3b4EmiTjigT
Threatray	52 similar samples on MalwareBazaar
TLSH	A384AD61934ECE17C5E92AF7CCBFA6010AD09D04BE86F3A9189475C9F43E786C8D2947
Reporter	James_inthe_box
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/105817/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Creating a file in the %AppData% subdirectories

Setting a global event handler for the keyboard

Sending a TCP request to an infection source

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/549397

Signature

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates an undocumented autostart registry key

Detected Remcos RAT

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/84f6968bec673a61d9408dd7a9dc1bf38be61c947078887d27d09210792f5eee/

Threat name:

ByteCode-MSIL.Trojan.SmartAssembly

Status:

Malicious

First seen:

2020-11-26 17:27:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qt3jnc7mm45gdwkarxl2txa36of6mheuob4iq7jh2cjba6jpl3xa._file

Verdict:

malicious

RemcosRAT

4479c12f5259fffa37704031bec2fbe625d029a4b16c77a08628f04aa7442166

RemcosRAT

5dcd1649d97e0da882778ec70677be52b49603b6596b044518f02c278d93d0f2

RemcosRAT

6fb60c80bdc9cd558a384b468dc8b8467fb2e02764728e6a0ebc28ca865f31f6

RemcosRAT

78491e950a624399f497cedd25cae2231223b1bcd2f93379480b3c9edb4c6a92

RemcosRAT

96bed9c453b26eee99a3e50cf3ec45332d982bf9b9b5099bd4e7d365afd614f7

RemcosRAT

bc36fa2314f4e45645af22ca75887b7b627de4a65bfd1d274f18e7fc1975c8e4

RemcosRAT

bdcd13abdded8f4f709fb288fb78b4afff486854b3ea78ad378d11220a31c3c4

RemcosRAT

d0f1b190868c2b25c602e6eee551a39fe677678d6e7dc45eb304fa82a5760799

RemcosRAT

f7b8a43156a4ed375acd101847b41f358fd4ea3ce4d2cf9ffcf18f278f7a4479

RemcosRAT

+ 42 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/201127-vxpyakfavj/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

latua.nsupdate.info:7722
fanta.nsupdate.info:7722
coke.nsupdate.info:7722

Unpacked files

SH256 hash:

c7805eba61e9b005126d709c3de4dee7d32fdb9bb91a6530c6b9c6911b0c459e

MD5 hash:

1096f14ff88f080fbed74f61f5e80beb

SHA1 hash:

700712558c00aae65e8cfb71739c0d8538c6f90a

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/ca5e5085-b16d-4567-a649-c86e38531245/

Parent samples :

7cdc50bb11050e621535e8f02ce97838225962cd88318322bddaa73db26bd3b8
84f6968bec673a61d9408dd7a9dc1bf38be61c947078887d27d09210792f5eee

SH256 hash:

983f2e9e929d459685bceed35bf6dc74a62c03b773d28634662916cf0ebfe6d6

MD5 hash:

e2f9f2f48fd9855dc20d6c85f39d13b5

SHA1 hash:

f350df497fdd54b0f37c5b402c92953af84753fd

Link:

https://www.unpac.me/results/ca5e5085-b16d-4567-a649-c86e38531245/

SH256 hash:

83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1

MD5 hash:

3c5dbcc3bb27e913e14efd8054811373

SHA1 hash:

b0eba9388abddaef9d5aa49ccd5dbab2924cced0

Link:

https://www.unpac.me/results/ca5e5085-b16d-4567-a649-c86e38531245/

SH256 hash:

7ad9348c87db8ffd8f7064642c513efd0f76e1c60125c8a6624c7ddc4431a0ee

MD5 hash:

6ac5bbe952b43d66be4c6178577059f5

SHA1 hash:

52f4dab188f6f8e76d465ff7e2e87d604420d186

Link:

https://www.unpac.me/results/ca5e5085-b16d-4567-a649-c86e38531245/

SH256 hash:

84f6968bec673a61d9408dd7a9dc1bf38be61c947078887d27d09210792f5eee

MD5 hash:

c942e578f5449ab92e720f47f2cbbb8f

SHA1 hash:

460cdca7556f9ee5dc5492096b21c997a3d1a819

Link:

https://www.unpac.me/results/ca5e5085-b16d-4567-a649-c86e38531245/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/84f6968bec673a61d9408dd7a9dc1bf38be61c947078887d27d09210792f5eee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/105817/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample