MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dc3da77d945f8df3206906bcf76f1096e4db213a9b7b5911d7f0e8eaf3c8b67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8dc3da77d945f8df3206906bcf76f1096e4db213a9b7b5911d7f0e8eaf3c8b67
SHA3-384 hash: d2617d0756c51cb3f46b7833606c31f1fcf2fa60615b201c235202ea0ec8bc63f5e87cfaa665e83c0696b154928abb84
SHA1 hash: c3828f550527c84fa7150ae944167d3ee9ca726b
MD5 hash: 7ccc15217d4c2a598b5b04ec928f32a4
humanhash: hamper-missouri-red-nitrogen
File name:DOC20210403A266NR5282RBL20266178278_PDF.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:865'752 bytes
First seen:2021-04-08 07:58:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae7338b3afd80640cfdf97dc6c436449 (2 x RemcosRAT)
ssdeep 24576:RL9xpvuy0SLIzpK8UflZVcFWwOfCFETOYXiL4Uj3q:R9xQRsIzuPBC+TOof
Threatray 163 similar samples on MalwareBazaar
TLSH 6B059F21E2C18433E1725B358C5AB6755836BF102DE8B98A7BD81D0C4F3B791783A2D7
Reporter TeamDreier
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DOC20210403A266NR5282RBL20266178278_PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-04-08 08:02:58 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/90de513f-cd0e-42ff-9c32-8a0fa8366ef6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133087/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/670026
Signature
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8dc3da77d945f8df3206906bcf76f1096e4db213a9b7b5911d7f0e8eaf3c8b67/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 16:11:33 UTC
AV detection:
31 of 48 (64.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rxb5u56zix4n6mqgsbv465xrbfxe3mqtvg33lei5p4hi5lz4rntq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1009dfd8b0678ec363efae43da9bb4eac2f44ae77a7f7f89ccc120a592f20a78
RemcosRAT
26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a
RemcosRAT
5719740e2e46073095cfb08ed7c0d397a7e76dda4047749b7ea0cb4ab47150a5
RemcosRAT
5f7e614ee696c3c2c437fa513db6c09a5203536793ef2e2b2f47971df90fbc1f
RemcosRAT
6b4cda8e0f766056eadbd9c59df82298fa4acbf7a6e526d36c4168e4f511bd8b
RemcosRAT
711e6d2b6ee80bd1ac945eee8aa67dfb485249f95bd0eb0357d33e302336a2fb
RemcosRAT
736c1c3ed4301b2f069ba84d5bcdf3919e88d5412fa13080d2eed53fe98c0ac4
RemcosRAT
896d2dc1eab72419ab524333d3fba88c8ddf92b087f1c9af5d6ea402b0c77d89
RemcosRAT
b0dad01939e09e869b27e59d7a7d7c79fdd31bb4a8c52153844c23c3c34bf368
RemcosRAT
d94560cd6d50d7d21e77bc064c508f5569329d6c2a074859ba3b1ea2f64142ec
RemcosRAT
+ 153 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210408-6rsf1m9alj/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
olorunwa.duckdns.org:6548
Unpacked files
SH256 hash:
68247adf9c5d5961c0fc61a2af5bbfa7da927f36c0a9ae05003599b4b27e38b7
MD5 hash:
1b8ca94170420aee9e1609e419d7c2b0
SHA1 hash:
7c04b1b128246ab1421ca34fd7723a4a027d8510
Link:
https://www.unpac.me/results/7dfd99c6-1424-41a5-b738-630d93b2fe1d/
SH256 hash:
8dc3da77d945f8df3206906bcf76f1096e4db213a9b7b5911d7f0e8eaf3c8b67
MD5 hash:
7ccc15217d4c2a598b5b04ec928f32a4
SHA1 hash:
c3828f550527c84fa7150ae944167d3ee9ca726b
Link:
https://www.unpac.me/results/7dfd99c6-1424-41a5-b738-630d93b2fe1d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8dc3da77d945f8df3206906bcf76f1096e4db213a9b7b5911d7f0e8eaf3c8b67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/133087/

Comments