MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 872c552974708cea64df67fd5ae841611ff951f8c8d5230e611cec5f062bfa1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

SHA256 hash: 872c552974708cea64df67fd5ae841611ff951f8c8d5230e611cec5f062bfa1f
SHA3-384 hash: 28c9f04e69ec58ac144f766dd882daf7d285d6e08b4e6200ea335fea11bd1c97b540669d34ed25b783104742edca4849
SHA1 hash: 5f93b324511542397018479957fde68ac6116eed
MD5 hash: 6ddfd4b9e0342283546a757df305cf55
humanhash: quebec-princess-magazine-apart
File name: 6ddfd4b9e0342283546a757df305cf55.exe
Signature: RemcosRAT
File size: 1'490'878 bytes
First seen: 2021-03-20 08:22:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep: 24576:l53uhFrwh/NnpxaqxLGHd/BF8eBMGKplzftQSSxvPkBuifBbX8PYzerTux:l5+hFrwh/Np4i6x4yTKlpivZipj8geo
Threatray: 196 similar samples on MalwareBazaar
TLSH: 8665025269E150F6C0531F72203A7E8E15BF9E2C2F34A5D30655B62A5FB3FC2933A981
Reporter: abuse_ch
Tags: exe RAT RemcosRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 288
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6ddfd4b9e0342283546a757df305cf55.exe
Verdict: Malicious activity
Analysis date: 2021-03-20 08:27:21 UTC
Tags: autoit rat remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Sending a UDP request
Creating a process from a recently created file
Deleting a recently created file
DNS request
Connecting to a non-recommended domain
Sending a custom TCP request
Searching for the window
Unauthorized injection to a recently created process by context flags manipulation

Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Remcos
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 372370, sample u10EBxSi5W.exe, start date 20/03/2021, architecture WINDOWS, score 100), reconstructed as a process tree from the graph residue. Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Detected Remcos RAT; 3 other signatures.

u10EBxSi5W.exe  [Contains functionality to register a low level keyboard hook]
    cmd.exe  [Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks]
        cmd.exe  [Obfuscated command line found; Uses ping.exe to sleep]
            Sospettoso.exe.com  [Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; Contains functionality to capture and log keystrokes; 3 other signatures]
                Sospettoso.exe.com  [DNS: lJNXchFSUcil.lJNXchFSUcil; Injects a PE file into a foreign processes]
                    Sospettoso.exe.com  [Network: 176.111.174.14, port 2904, local port 49726, WILWAWPL, Russian Federation]
            PING.EXE  [127.0.0.1 unknown unknown]
            findstr.exe  [dropped file: C:\Users\user\AppData\...\Sospettoso.exe.com, Targa]
        conhost.exe
Result
Malware family:
Score: 10/10
Tags: family:remcos rat upx
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
UPX packed file
Remcos
Unpacked files
SHA256 hash: 25f40121b904103316c2ff7e99a7e874f005d96bd94d63c0d87116e557f78170
MD5 hash: 32dd16f14faf26d4dca2358677996882
SHA1 hash: d38df0febbbf848bb78e336bb9719e626a5d0483

SHA256 hash: 872c552974708cea64df67fd5ae841611ff951f8c8d5230e611cec5f062bfa1f
MD5 hash: 6ddfd4b9e0342283546a757df305cf55
SHA1 hash: 5f93b324511542397018479957fde68ac6116eed

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_RemcosRAT
Author: abuse.ch

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: Parallax
Author: @bartblaze
Description: Identifies Parallax RAT.

Rule name: remcos_rat
Author: jeFF0Falltrades

Rule name: REMCOS_RAT_variants

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Signature: RemcosRAT
Sample: Executable exe 872c552974708cea64df67fd5ae841611ff951f8c8d5230e611cec5f062bfa1f (this sample)
Delivery method: Distributed via web download