MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 9371abbf0b553023b6ddd05e91a3acaf95f4b5a1a38db5bf8634c1aca7e18d34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 8
| SHA256 hash: | 9371abbf0b553023b6ddd05e91a3acaf95f4b5a1a38db5bf8634c1aca7e18d34 |
|---|---|
| SHA3-384 hash: | 11bb2752a6b9734fd58945c50974d3b6d186e886968e8d2c5106994202296d21c1e1ef73a6cee0929278f84fd8e463ce |
| SHA1 hash: | fe0347fcdd2121354f961165560c4bc199195f4c |
| MD5 hash: | a540aa59c9c8f8b446d670d6f486b5ec |
| humanhash: | robin-steak-fruit-cardinal |
| File name: | a540aa59c9c8f8b446d670d6f486b5ec.exe |
| Signature | RemcosRAT |
| File size: | 8'015'661 bytes |
| First seen: | 2021-07-05 00:01:14 UTC |
| Last seen: | 2021-07-05 00:48:20 UTC |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat) |
| ssdeep | 196608:/8+bw8NN2l+UOKyyw+He3zFHukTYflLyWiQen9H:UaFU+jKtw++3zFFTOeWi3H |
| TLSH | 6E863305BBA98873C5E24D308362A32557F63C200F29D687D7A43B9DDF705E5AE123A7 |
| Reporter | |
| Tags: | exe RAT RemcosRAT |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware sample.
| IOC | ThreatFox Reference |
|---|---|
| 85.206.165.111:48627 | https://threatfox.abuse.ch/ioc/157546/ |
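As an added example (not part of the MalwareBazaar entry or of ThreatFox), the Python below checks the single network IOC from the table above, the C2 socket 85.206.165.111:48627, against Zeek conn.log records. The log lines, internal hosts and connection uids are constructed for illustration; the column set is a subset of Zeek's conn.log fields. Hits are split into an exact IP-and-port tier and a lower-fidelity IP-only tier, and the IOC itself is validated before use so that a mistyped private address cannot turn into a false alert.

```python
"""Match the C2 socket from this entry's IOC table against Zeek conn.log records.

Added example; not MalwareBazaar or ThreatFox code. The conn.log excerpt below is
constructed for illustration and is not traffic captured from this sample.
"""
import ipaddress

# The only network IOC on this entry (ThreatFox ioc/157546).
C2_SOCKETS = {("85.206.165.111", 48627)}

# Subset of Zeek conn.log columns, in the order used by the constructed lines below.
FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
]

# Constructed conn.log excerpt (tab-separated; Zeek writes "-" for unset fields).
SAMPLE_CONN_LOG = (
    "#fields\t" + "\t".join(FIELDS) + "\n"
    "1625443200.123456\tCa1x\t10.0.0.5\t49812\t85.206.165.111\t48627\ttcp\t-\t12.5\t220\t4096\tSF\n"
    "1625443201.001000\tCb2y\t10.0.0.5\t49813\t142.250.72.14\t443\ttcp\tssl\t0.9\t1200\t5000\tSF\n"
    "1625443202.777000\tCc3z\t10.0.0.7\t50001\t85.206.165.111\t80\ttcp\thttp\t0.2\t300\t900\tSF\n"
    "1625443203.500000\tCd4w\t10.0.0.9\t50002\t85.206.165.111\t48627\ttcp\t-\t30.0\t100\t100\tS0\n"
)


def parse_conn_log(text):
    """Parse Zeek conn.log lines (TSV) into dicts; header and comment lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["id.orig_p"] = int(rec["id.orig_p"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
        records.append(rec)
    return records


def validate_sockets(sockets):
    """Reject IOCs that would alert on private/reserved space or carry a bad port."""
    checked = set()
    for ip, port in sockets:
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        if not addr.is_global:
            raise ValueError(f"IOC {ip} is not a globally routable address")
        if not 1 <= port <= 65535:
            raise ValueError(f"IOC port {port} out of range")
        checked.add((str(addr), port))
    return checked


def match_c2(records, sockets=C2_SOCKETS):
    """Return (exact, ip_only).

    exact   : responder IP and port both match the IOC (high fidelity).
    ip_only : responder IP matches but the port differs (lower fidelity; the host may
              be shared hosting or the operator may have rotated ports).
    """
    sockets = validate_sockets(sockets)
    ioc_ips = {ip for ip, _ in sockets}
    exact, ip_only = [], []
    for rec in records:
        key = (rec["id.resp_h"], rec["id.resp_p"])
        if key in sockets:
            exact.append(rec)
        elif rec["id.resp_h"] in ioc_ips:
            ip_only.append(rec)
    return exact, ip_only


def triage(text=SAMPLE_CONN_LOG):
    """Summarise hits: connection uids per fidelity tier and the internal hosts to isolate."""
    exact, ip_only = match_c2(parse_conn_log(text))
    return {
        "exact_uids": [r["uid"] for r in exact],
        "ip_only_uids": [r["uid"] for r in ip_only],
        "hosts_to_isolate": sorted({r["id.orig_h"] for r in exact}),
    }


if __name__ == "__main__":
    print(triage())
```

The IOC carries the entry's first-seen date (2021-07-05); a bare IP:port of that age is mainly useful for retro-hunting over logs from that window, since the address may since have been reassigned. The IP-only tier is kept separate on purpose: on the constructed data the port-80 connection to the same host is worth a look but is not evidence of the RAT's C2 channel on its own.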
Intelligence
File Origin
# of uploads: 2
# of downloads: 180
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a540aa59c9c8f8b446d670d6f486b5ec.exe
Verdict: Malicious activity
Analysis date: 2021-07-05 00:02:51 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection: n/a
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule system process
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Threat name: Win32.Trojan.Fsysna
Status: Malicious
First seen: 2021-07-01 01:37:00 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Detection(s): Malicious file
Result
Malware family: limerat
Score: 10/10
Tags: family:limerat pyinstaller rat
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
LimeRAT
Unpacked files
| SHA256 hash | MD5 hash | SHA1 hash |
|---|---|---|
| 0b9e654c2975d117f58d8d724641c8bfd8b72ae27e060e4cc9f9a01206b05eca | bd4ae99ff6c0aa2d61d779c5aa42d0e1 | 77300552f385624c4d10f716b4c6bfa03d4bf588 |
| 7cffe09c7056c8afe9ee2045132d1d3ed6c1adaa51fa5334dfca218686dc91e0 | c67fefa5fb251f99a180b46eb6b7b7d9 | d4b9b3948b63f83ff7e9e0ffc2ba75ae32c437e4 |
| 08b647969ab405bec128dacf597a51c842e1ea1d1bb9abafd70e9ea9b9ef0ad9 | 110f81f1680da41e1f56f9b3b8457fb4 | bf968bd2a6c83a505b8d77240c1c05f625cbc2e3 |
| 8eff98d21fcb524607aaf1d1b8ddac0665ad472bbfce6293e68920827bc80e0d | 796453f7d87c79504adb32a96e00c33f | 1a55dd3bc1cc5d86f427fcbf02dce7d3750e917d |
| e0c7a9a95233a5c6a8181e06bf1f8b3d319a19712cb2160ba9d9b5a5b71acb79 | 8139d0abf696afa7025ff0e6b5c03ffb | 8709102970ab53bc9f7b94029463f4c73c5eb209 |
| 6fd330f33c591c1ee83950d9275a5a31fa7f4f936041085112917f4e4f9c9859 | 43dafe5ad9af7416f3f6584c21b6efc8 | 8d9b690b3a7ef770d8d7c45028231023b3c06160 |
| 96e3932963b2974ae6ebdf1329103a6f950b450095577a0b6223074382fbaeaf | d59cac18091b59219928fd13f391c82c | fb35585603597053b17a271ee45779747464c7e9 |
| e78a702036777c4690b7c8ead91a105059e014df7d0be54f8d2467e3f687e4d3 | d5df2d378076ba1b325046e2186ab5e8 | ed5c7e25fd59756248bdc8232c3f49039a61a4cd |
| c1145bc49abda4f76a838baf46d40eb8d423ea31fa91afac568afaed46914cd4 | 4097a97cf5595dd3a5a66dfedd99bec2 | e60cc532882e39c92c9173c38efa550ec118ca22 |
| 89a37a137404a0efce437fd2c676560ab277a77591f431422dd9bd0067dedc48 | 5bd66fd5b25e051dbb80388d0dcb5e8e | da22803d0757065ff1a76aa90ad432bd2a765b0f |
| b32e7b2154096c6ce0ba9e472d234d4bf7129eb5f65212b7f27f6c934f34c786 | c7f7598f5321d6ff278b16dbb3375d33 | c8b1f14cb162ba35927c89760e23b97cfb41a7bd |
| f68dd3ad93b8c986e4f9f25ed3ab00abe2524182aa5fc7c74bf6a4f31cc46056 | 790f53ae9d1a1737552a5bb883bbec7a | a2d00c517684157646d8138c95cffdebebc3c255 |
| 710c682069f17eff3d516e8df58df40e6ddea2c5de25fa8b1ef0969485a0617b | 83b64539bb7d17e4ceffc33d70e4f756 | 96565ed7f7211bc3917b18281a4fceb453d5e12f |
| e147a3f6ea65bf2bfffccc5a7b4163dfbcacb9e951f7a68f01014104e6ca303d | a2ff8c9cba9c1f22c2b4bc38c89345d5 | 94b0c19d9a158adda5e416e3d909564525dfa2a2 |
| 5a306eaf88452859662e66b31040da2e888c245e0143088c7fbeba474da00988 | 1e795ef6ac30b7f08d10668a7577199c | 925e2844904029dfb63f975f5c712662d94da633 |
| dbc3797cd717a74aa94011a8269ed2a5fad580877134a1837fc6bbe30c253d2a | b4f7f2ee7e3ac8af925d1377a9928741 | 79ffc59d5f98a5904303e115353a5982158701f0 |
| 3d854e7102340c9ee10f8b5c786356831b5f23e9f8883d02189b6bae9bd670e6 | 76d174db299fc4bad63f0f2d8cdb8d29 | 6106e6088a4075a34163af457b09ed5804755233 |
| 5b82d9c5236154614de0b8e52448d9850e2c9bd39822fd1998caecb9a2efe4d5 | 4aaf9d66fef132399246b14a55d91e39 | 4dae1f05fd6ed5bc10dcb8612fce44076ba41f5c |
| 3382525a289ede0594ca7d14edf429fbb1585bd90e7c142bd6855e124f0b446e | 4009ec4414a93df6350dff6c1ae9ecee | 2f5509e5309b1e5d4f15cec7f351e274367427ed |
| 1accb4ecc5391809eca541268d921007ad00304589db83a626b058829d210ba7 | e9acd6af56701af1852a6004ab130659 | 2f1b8c2585087a32fb35f36b56f862e5f54b08f1 |
| 8002f7e9e57d6c0e7211c119dd28089c0a354d0cc1f30c99b4e15be7a59e7448 | 290e7c3a2454d3cc0638a3f1b64a54ec | 10c6a3e1438404b206fa9c386eab1eda703fb3fb |
| 338fa1ff095cac913f75c1c68295bc10275c728789761bcfa3b95dc94cb4bd1c | c26feb9f40d10be09f999210881e2978 | 483d29580d034df5de296e32419d9fc2f1583351 |
| 9371abbf0b553023b6ddd05e91a3acaf95f4b5a1a38db5bf8634c1aca7e18d34 | a540aa59c9c8f8b446d670d6f486b5ec | fe0347fcdd2121354f961165560c4bc199195f4c |
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name: Malicious File
Score: 1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.