MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9060ad04ba96cfc836426974d363d912ff313c23a9638d65482f1b1bf6b1a029. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	9060ad04ba96cfc836426974d363d912ff313c23a9638d65482f1b1bf6b1a029
SHA3-384 hash:	f65c5e1b519a76b29fb0385f8d13e57340c4c0e13cebf2aadc97a4c29bd20d58eed6ff1ff81fc751e02f4fe6e102fc1e
SHA1 hash:	04ca256a8e468bd0adfc7ecd77aa469594bcfd41
MD5 hash:	f3bf9c6f8abe069c5d2e2bc9271efe1f
humanhash:	king-batman-whiskey-oven
File name:	9060ad04ba96cfc836426974d363d912ff313c23a9638d65482f1b1bf6b1a029
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'179'144 bytes
First seen:	2020-07-06 06:38:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:yAHnh+eWsN3skA4RV1Hom2KXMmHaLIahgxY3b57:1h+ZkldoPK8YaLDN7
Threatray	1'436 similar samples on MalwareBazaar
TLSH	6245AE02B3D6C076FF9AA2B39B69B24257BC6D350133842F23982D79BD711B1127D663
Reporter	JAMESWT_WT
Tags:	RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/20866/

Detection(s):

Win.Malware.Autoit-6985962-0

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Deleting a recently created file

Running batch commands

DNS request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Setting a global event handler for the keyboard

Enabling autorun with Startup directory

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/9060ad04ba96cfc836426974d363d912ff313c23a9638d65482f1b1bf6b1a029/

Threat name:

Win32.Trojan.CryptInject

Status:

Malicious

First seen:

2020-06-29 18:43:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 31 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sbqk2bf2s3h4qnscnf2ngy6zcl7tcpbdvfry2zkif4nrx5vruauq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

20a6a3dde2b79a85641bcfa4d8e03a48dde38aa55137f18fb567de24d3a0beec

RemcosRAT

2bc1fb27f988d0d3beebcc805b59232c7cf182daa66cbbd642f18c7faab6639f

RemcosRAT

36f3bdf1bd05519baf7a6a3880b2d0043057aea8fef15f2a4e55b8a474916cf4

RemcosRAT

54e9e8ac005eba3cd288eac02d69cb77b8b419b5bf00da41f175d40aec919717

RemcosRAT

566af71633f6af78b39270d21853decfe26f41cb866272ec4e530f7e9f14a0cb

RemcosRAT

6083d7084795ed9d60be324c610dbfab644a3e25c982755a93071e23db11198a

RemcosRAT

793f375be5ed01b66b47d24ca49594af11ddcd125f3fb41ca77cae45632eba52

RemcosRAT

ac2a1a0b8560a6c0305e4d8e4fba8221974f011c5b52a5adec277268d4715f69

RemcosRAT

fd25b09006d514098cff84fe7c68b57ddbf3f5b6229e419689e2bfb28164b6e7

RemcosRAT

+ 1'426 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

rat family:remcos persistence

Link:

https://tria.ge/reports/200706-nvgzbtr4ys/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Adds Run entry to start application

Loads dropped DLL

Executes dropped EXE

Remcos

Malware Config

C2 Extraction:

daya4659.ddns.net:8282

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20866/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample