MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 926da3334135961ff0c19ecf4358201ba4734ab01186061c423deeb081ec1cff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 926da3334135961ff0c19ecf4358201ba4734ab01186061c423deeb081ec1cff
SHA3-384 hash: a5d4830662f1a2563456865b46ff3bd85caf83d0dc3cd2dc26f6e5d898e61719a9fe58e053f893b30baec98b9f98cb26
SHA1 hash: e3104b4647c8d7f7f51aefd8128f353af42884e0
MD5 hash: 4e00a5d42245a24a24d8e7dc07257b81
humanhash: montana-equal-nuts-pip
File name:ORDER_6353745.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:959'264 bytes
First seen:2021-02-09 12:58:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8e07a9a5b0478a28ef2ed98fdb216dea (5 x RemcosRAT, 1 x AgentTesla)
ssdeep 12288:oO0ZG/0U8iJ5MxnpC8aQscNe1IsPaD7nug8g9JndEtOUQdCvE:oOhvMtZaQscN+Cug8UBmFACM
Threatray 65 similar samples on MalwareBazaar
TLSH 7C152A917E71CCEED3E32E7D98469264042E7CC89818F42E97A07DC6FA31285B49784F
Reporter cocaman
Tags:exe RAT RemcosRAT

Code Signing Certificate

Organisation:LunarG
Issuer:DigiCert SHA2 Assured ID Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Apr 8 00:00:00 2016 GMT
Valid to:Aug 10 12:00:00 2017 GMT
Serial number: 03B471CD4D7FFEC29A3B20B2CB0F5F54
Thumbprint Algorithm:SHA256
Thumbprint: E97787883B3E7031546090C1B180F32B93611143E8AC4EC8634E68C7A1ED0629
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER_6353745.exe
Verdict:
Malicious activity
Analysis date:
2021-02-09 13:00:48 UTC
Tags:
installer rat remcos keylogger
Link:
https://app.any.run/tasks/8c99973f-e3f9-4a8a-9202-df69ecee545e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116182/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BScope.Trojan.Fuerboos.7399.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/602950
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/926da3334135961ff0c19ecf4358201ba4734ab01186061c423deeb081ec1cff/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2021-02-09 11:40:52 UTC
File Type:
PE (Exe)
Extracted files:
70
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sjw2gm2bgwlb74gbt3hugwbadoshgsvqcgdamhcchxxlbapmdt7q._file
Verdict:
malicious
Similar samples:
035cba8ea6bbe0336a0221e86b571e530764939150df17f636fd23ad30db3f27
RemcosRAT
1e5a328f760c35f905390fb4bcf0eefa75936c79a43e22ca7557da0e315c72ed
RemcosRAT
2f85c41ee13d69e68454d97153252e8ba9a3a0e85573427eac0600d41fa6824d
RemcosRAT
6cef436fd5577158e43bd7cc85ea84cdac90044d8e9f93c254ee7ed119fa7aed
RemcosRAT
719bb30fb8ff3d79fd0216bdbc9f9d1b377c1456a20c8d9a26f1a19e283352ba
RemcosRAT
a8889ff384c38b97b5a48ef4e9586df7c281f40e2719fe248b0d252832969521
RemcosRAT
aa9c1ce82c3c4c29355c38931c6cc6e1cd1414051c772de3fbf0cd9439c52965
RemcosRAT
d96b554a08cd2f503d6a1ffe5303b34f8bd6f91b369bd95e9d16642b4fece2cb
RemcosRAT
f5b21be44a7076a4414adf52f6bae43d0dfbcd460bc35921e5ea81549ea16f4a
RemcosRAT
f631405eb61bdf6f6e34657e5b99273743e1e24854942166a16f38728e19f200
RemcosRAT
+ 55 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210209-3bbwphda46/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Unpacked files
SH256 hash:
d2f876d808e77cfce00ded4bfc541671c500f0ea9ea873c04333c554ea54a791
MD5 hash:
e561fb27b26e5d960fd61580e5fb35bd
SHA1 hash:
5df94fbbf001b70e2f20f4a3101de45d321016e5
Link:
https://www.unpac.me/results/3b47256e-d5e4-4619-9263-fedcb8c5f0dd/
SH256 hash:
926da3334135961ff0c19ecf4358201ba4734ab01186061c423deeb081ec1cff
MD5 hash:
4e00a5d42245a24a24d8e7dc07257b81
SHA1 hash:
e3104b4647c8d7f7f51aefd8128f353af42884e0
Link:
https://www.unpac.me/results/3b47256e-d5e4-4619-9263-fedcb8c5f0dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/926da3334135961ff0c19ecf4358201ba4734ab01186061c423deeb081ec1cff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 6c2321e3f0928e3ddcc82bef42f2ff5c046da1c2ef2a0ff24f8e59f8133abbed

RemcosRAT

Executable exe 926da3334135961ff0c19ecf4358201ba4734ab01186061c423deeb081ec1cff

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 6c2321e3f0928e3ddcc82bef42f2ff5c046da1c2ef2a0ff24f8e59f8133abbed
Cape
Cape
https://www.capesandbox.com/analysis/116182/

Comments