MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8767a5b4518a08d3ca336a881a40e28806afcb6074074356665706fcb4e3ccd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	8767a5b4518a08d3ca336a881a40e28806afcb6074074356665706fcb4e3ccd0
SHA3-384 hash:	b6086c94e56c0fea9a554ac747f5b7204dba3566ebdd8b4dbe5e0f5319efd519839b17bbaffb0a222112c302b91d6d3f
SHA1 hash:	98fc40bdcd2a698bf42a21bc8f69e47b7f35cdc3
MD5 hash:	02256c4961043d567f5e378bbab51f69
humanhash:	washington-comet-indigo-magnesium
File name:	PO B4007121.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	711'168 bytes
First seen:	2021-07-23 09:36:53 UTC
Last seen:	2021-07-23 11:10:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	58af898a8945f807ca70ebf9933b9268 (4 x RemcosRAT, 1 x BitRAT)
ssdeep	12288:RcOqhpe5sWWUgjIkdcCMTOArWe/C36lgnm4vNOpRKa:R7q+sWiItCoC9v
Threatray	214 similar samples on MalwareBazaar
TLSH	T106E44B26A062D8F2C11165B8080E6669A952FE313934AD4635E4F93CFEBF3D13D1FA47
dhash icon	72c28292b2a888e0 (7 x RemcosRAT, 1 x BitRAT, 1 x AveMariaRAT)
Reporter	abuse_ch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO B4007121.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-23 09:42:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b03507a6-cd14-4d49-a809-82c703103309

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/173578/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.312.9815.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0f41c9e3-52dd-4773-91ba-3c6044979959

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/820661

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates a thread in another existing process (thread injection)

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/8767a5b4518a08d3ca336a881a40e28806afcb6074074356665706fcb4e3ccd0/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2021-07-23 09:37:10 UTC

AV detection:

11 of 46 (23.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q5t2lncrrienhsrtnkebuqhcradk7s3aoqdugvtgk4dpznhdztia._file

Verdict:

malicious

RemcosRAT

1c036008043bc63c7fb8377d10a14b60793a9f2bfa96aca7a9f462eb6e3c23fe

RemcosRAT

38bd80f1a17882d299bdac7df085d889ef677951b8954d847e42503d38b77141

RemcosRAT

5dd2f8347b2c2a334231ec2167d38514868ebbeede5311ace774c9a4b5375fff

RemcosRAT

88f79e83c95b1e666a1bcb387919b2dba6ebb0cdc6db14c7f6d1229728e40a6c

RemcosRAT

a846b19ee029394012dc19a190096807497edb4ea4096c30550dbc3cbaa5435f

RemcosRAT

d8d1848fcde25e0975a524cb62ef2d622997caacbee10038cb4b49b23b76d484

RemcosRAT

e7aa9ed4edc37d0b7515085211d1107ff1a54f2ca2651bd6698ae345663b93c6

RemcosRAT

+ 204 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:young rat

Link:

https://tria.ge/reports/210723-tszqbrw4p2/

Behaviour

Suspicious use of WriteProcessMemory

Remcos

Malware Config

C2 Extraction:

june248.ddns.net:3759

Unpacked files

SH256 hash:

d174ea83359cec0b0a35da88fa2a1791a1308e35a5e36e83f51a2723e48582a6

MD5 hash:

5c63077607b089e7045eb5e93d8324d9

SHA1 hash:

9ca12c4d6e4a97269d26fe6755aae441276bff42

Link:

https://www.unpac.me/results/9bd9ce75-ace6-41ef-b8bc-eccb3643bbec/

SH256 hash:

8767a5b4518a08d3ca336a881a40e28806afcb6074074356665706fcb4e3ccd0

MD5 hash:

02256c4961043d567f5e378bbab51f69

SHA1 hash:

98fc40bdcd2a698bf42a21bc8f69e47b7f35cdc3

Link:

https://www.unpac.me/results/9bd9ce75-ace6-41ef-b8bc-eccb3643bbec/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/8767a5b4518a08d3ca336a881a40e28806afcb6074074356665706fcb4e3ccd0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/173578/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample