MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9293d69e18aeace49e1589491658a84ba2aeb90358b4e35aeae2f2aa18ec81ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9293d69e18aeace49e1589491658a84ba2aeb90358b4e35aeae2f2aa18ec81ca
SHA3-384 hash: 24758f57047da63f3a0f93da0b9c8cbd8247afaa0c9580c8bcb7ccc6b4d60eb41af2d6281505cb2a8281bcaed1848252
SHA1 hash: b95a817992625100ba159845b7a6e5e038e314ce
MD5 hash: 6b6d3a42847483adc86e7f5d3731540e
humanhash: quiet-undress-twenty-violet
File name:6b6d3a42847483adc86e7f5d3731540e.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:559'104 bytes
First seen:2021-06-16 10:12:57 UTC
Last seen:2021-06-16 10:56:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8293ad000eb8f07ba025580bfe785c23 (2 x RemcosRAT, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep 12288:Cdg1g7IHGvuSMyhot/euPFEy1+/CO/mbG8yJSLBbd/2AM:Xi7ImbotD1uX/WyJSLze
Threatray 267 similar samples on MalwareBazaar
TLSH B1C4D000A7A0D034F1F667F81D7693B8A92A79B1677890CF52D616EA1B34AF4DC3131B
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6b6d3a42847483adc86e7f5d3731540e.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-16 10:47:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3227356e-c5af-4013-bf20-64b6195aa30f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.1445.17828.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
Creating a window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Running batch commands
Setting a keyboard event handler
DNS request
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1a52ad70-120f-4945-95a8-3bf6130a27ce
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/802938
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: WScript or CScript Dropper
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 435351 Sample: 8swg16uWzU.exe Startdate: 16/06/2021 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 7 other signatures 2->54 11 8swg16uWzU.exe 2->11         started        14 etiwa.exe 2->14         started        16 etiwa.exe 2->16         started        process3 signatures4 58 Detected unpacking (changes PE section rights) 11->58 60 Detected unpacking (overwrites its own PE header) 11->60 62 Contains functionalty to change the wallpaper 11->62 66 4 other signatures 11->66 18 8swg16uWzU.exe 4 5 11->18         started        64 Injects a PE file into a foreign processes 14->64 21 etiwa.exe 14->21         started        23 etiwa.exe 16->23         started        process5 file6 40 C:\Users\user\AppData\Roaming\...\etiwa.exe, PE32 18->40 dropped 42 C:\Users\user\...\etiwa.exe:Zone.Identifier, ASCII 18->42 dropped 44 C:\Users\user\AppData\Local\...\install.vbs, data 18->44 dropped 25 wscript.exe 1 18->25         started        process7 process8 27 cmd.exe 1 25->27         started        process9 29 etiwa.exe 27->29         started        32 conhost.exe 27->32         started        signatures10 68 Multi AV Scanner detection for dropped file 29->68 70 Detected unpacking (changes PE section rights) 29->70 72 Detected unpacking (overwrites its own PE header) 29->72 74 7 other signatures 29->74 34 etiwa.exe 3 2 29->34         started        process11 dnsIp12 46 remno.myddns.me 192.71.172.145, 43266, 49723 TELIANETTeliaCarrierEU Sweden 34->46 56 Installs a global keyboard hook 34->56 38 svchost.exe 34->38         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9293d69e18aeace49e1589491658a84ba2aeb90358b4e35aeae2f2aa18ec81ca/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 08:22:25 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=skj5nhqyv2wojhqvrfermwfijork5oidlc2ogwxk4lzkughmqhfa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b71fa3fa8549d6a826faaeb1be86b5f866242f35afdb0c0bc7a8ba6c35981e7
RemcosRAT
134427c58b0e1acd504b9f8980bfa29a808a27216adb1999e8dbc4a3fe2b0031
RemcosRAT
4e4463e40d78f3eb63012ed1f3aa7727d98ff68fc9c7b69cf6c0f482c9483476
RemcosRAT
6761993e603b7084d87c6abe972c61d7129a11a60bc1ef564971f183b66e6ae8
RemcosRAT
6b4cda8e0f766056eadbd9c59df82298fa4acbf7a6e526d36c4168e4f511bd8b
RemcosRAT
8156b58e3c433b45ab29498fe69e2a506167283f9bc09a5310a117a360ba76f0
RemcosRAT
b07811345693beb5bb27b4f03f2678219088205f4bdf15c827f5048b173be333
RemcosRAT
ce2a4851127ba6470bdc2db5b8f87be72bb919bf1c512e1d293d89dab76903d5
RemcosRAT
e3552f29a4edea23050280c0e3ec77cd141dcb699eea5f0c8ec4349019b65ce1
RemcosRAT
e53122230df3df822e7e4476d12fe580f5b6a18e793b42703e00fb58e9f2547b
RemcosRAT
+ 257 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:start persistence rat
Link:
https://tria.ge/reports/210616-xq3rjwjtq6/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
remno.myddns.me:43266
remgeesecond.duckdns.org:43266
ddns.dbcdubai.com:43266
Unpacked files
SH256 hash:
c03fb3e8fed0af98d2333ba38e9380087253970d423d58cf82c172601f6e2205
MD5 hash:
997ec0d80e999e3e418b4a3a26ce26f8
SHA1 hash:
58be6008b4231e20c89ce22a84e9a475b28aad30
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/ae85c5c8-0391-436f-80a4-39d3589f5047/
SH256 hash:
9293d69e18aeace49e1589491658a84ba2aeb90358b4e35aeae2f2aa18ec81ca
MD5 hash:
6b6d3a42847483adc86e7f5d3731540e
SHA1 hash:
b95a817992625100ba159845b7a6e5e038e314ce
Link:
https://www.unpac.me/results/ae85c5c8-0391-436f-80a4-39d3589f5047/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9293d69e18aeace49e1589491658a84ba2aeb90358b4e35aeae2f2aa18ec81ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 9293d69e18aeace49e1589491658a84ba2aeb90358b4e35aeae2f2aa18ec81ca

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1364978/
  
Delivery method
Distributed via web download

Comments