MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d412a4c1f64570ac98ccb0ec55d80ae36e97b8c5d6ab544b0802f9e91458449. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d412a4c1f64570ac98ccb0ec55d80ae36e97b8c5d6ab544b0802f9e91458449
SHA3-384 hash: b411b524c395f328b9427970b767ae645bd6cdf1e0a2b0d0ab09c786af04704dbd85694e2d0df9927377f5f4850d7e11
SHA1 hash: 65bf072360c5d77784248561fd597d437d728139
MD5 hash: 1ebd267f990c03f0cffa9355a28ab48c
humanhash: mirror-early-video-neptune
File name:1ebd267f990c03f0cffa9355a28ab48c.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'408'000 bytes
First seen:2021-06-03 10:02:59 UTC
Last seen:2021-06-03 10:57:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:EAAsKd6zrZyqTDiSiUtiAvoPuvQFMYZitlUXso/17MWilz:ZFICi1Uo1PuYFMYCksOIWi
Threatray 277 similar samples on MalwareBazaar
TLSH ED5518D07F54C3B8DD49D632AA145C3983B0A2A960013F3D9FDD85A92E77B45ABCC42B
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1ebd267f990c03f0cffa9355a28ab48c.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-03 10:06:11 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/93d2730e-c740-459d-9aa5-0227089d9274

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164358/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796576
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 428972 Sample: D9rwhrAnJk.exe Startdate: 03/06/2021 Architecture: WINDOWS Score: 100 26 Multi AV Scanner detection for domain / URL 2->26 28 Found malware configuration 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 6 other signatures 2->32 7 D9rwhrAnJk.exe 4 2->7         started        process3 file4 22 C:\Users\user\AppData\...\D9rwhrAnJk.exe.log, ASCII 7->22 dropped 34 Contains functionalty to change the wallpaper 7->34 36 Contains functionality to steal Chrome passwords or cookies 7->36 38 Adds a directory exclusion to Windows Defender 7->38 40 3 other signatures 7->40 11 D9rwhrAnJk.exe 1 7->11         started        14 powershell.exe 26 7->14         started        16 D9rwhrAnJk.exe 7->16         started        18 D9rwhrAnJk.exe 7->18         started        signatures5 process6 dnsIp7 24 176.111.174.74, 4173, 49691 WILWAWPL Russian Federation 11->24 20 conhost.exe 14->20         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d412a4c1f64570ac98ccb0ec55d80ae36e97b8c5d6ab544b0802f9e91458449/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 01:25:00 UTC
AV detection:
7 of 29 (24.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rvasuta7mrlqvsmmzmhmkxmavy3os64mlvvlkrfqqaxz5ekfqreq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
123f349fcba6342f4485ac4fde03c22eb47cf70cce0bae103ac4e2ac4e82d02c
RemcosRAT
712eb19b7de426341be8eda9e82462388f6c291ee7014c0c47b58d9a1ab9483d
RemcosRAT
72008754051624f741da1756ab4f5ffecca2713875fc7cb429fd225775ade951
RemcosRAT
7f26dcc6924c677d848f4ed98bf7a52a0cdba84a22e5727ba9b9af72fb83bace
RemcosRAT
bcb76430a56e75d67495ec905eaf0f6c5b6cd2eddbacf71af5c621c807d55b74
RemcosRAT
cc348d59b645b999a5f3b83240e6459338c605d8c0b5ec6b47f82baae02a316b
RemcosRAT
ddcd88b517ea06605fb2353580d34f502499588f25066487ebd5fa0d8c7e3683
RemcosRAT
edacb9ce365031b86ad1c3eedc43d903ecaa38e7904539de21d45eda78a4286e
RemcosRAT
f1e32b25727ce5ba6c5790aa6b8ba7c5e561a49c0df747ceed15e08cce9b73ab
RemcosRAT
feedd6efd7f0f971d6b9da9033e8c062180b2e613fb10c55e019aa6c2a6c353a
RemcosRAT
+ 267 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210603-mrjpyzwahx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
UPX packed file
Unpacked files
SH256 hash:
1e7c66f6da06a0ea81371fb98d0e76424a600518b808140279c7ba8e06541ac5
MD5 hash:
8fe0389e4b903545421e42b628186cd2
SHA1 hash:
f6adc3d1a4ac995fad2a49474243d896b0236c2b
Link:
https://www.unpac.me/results/1918835c-c0c0-4210-b367-25f4b773946a/
SH256 hash:
8d412a4c1f64570ac98ccb0ec55d80ae36e97b8c5d6ab544b0802f9e91458449
MD5 hash:
1ebd267f990c03f0cffa9355a28ab48c
SHA1 hash:
65bf072360c5d77784248561fd597d437d728139
Link:
https://www.unpac.me/results/1918835c-c0c0-4210-b367-25f4b773946a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d412a4c1f64570ac98ccb0ec55d80ae36e97b8c5d6ab544b0802f9e91458449

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 8d412a4c1f64570ac98ccb0ec55d80ae36e97b8c5d6ab544b0802f9e91458449

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1281662/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/164358/

Comments