MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93d03d01d8db67b90274877ff9248f33af80094ced24376805ab660a670ea5bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 8 File information Comments

SHA256 hash:	93d03d01d8db67b90274877ff9248f33af80094ced24376805ab660a670ea5bd
SHA3-384 hash:	1550f6eb07dac6242abb59ce99cb1f3bc1aea1664fde74f9a5884e57a3d5c809a1a761c879dd0f9a93a78602f0ba8f14
SHA1 hash:	1cf8cec27dd5bd2d253541a701d5ad11e3dc0476
MD5 hash:	426363bb975ee155bdeb9cf56e610fda
humanhash:	ohio-violet-yankee-princess
File name:	93d03d01d8db67b90274877ff9248f33af80094ced24376805ab660a670ea5bd
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	276'992 bytes
First seen:	2020-11-15 22:38:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	6144:JcekJ21Fske0J3ZtBDK3vd8VgRSARaaGiSXuFFFFFDzxH:JcekI1FQ0d83v/IvaGiSXuFFFFFDzx
Threatray	1'104 similar samples on MalwareBazaar
TLSH	C944C35D9A4FFFB0F27536B3110514C3C515F1C91AAAB569DBC06E38AE42DCE288BB60
Reporter	seifreed
Tags:	RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

DNS request

Running batch commands

Creating a process with a hidden window

Launching a process

Creating a file in the %AppData% subdirectories

Creating a file

Unauthorized injection to a recently created process by context flags manipulation

Setting a global event handler for the keyboard

Connection attempt to an infection source

Enabling autorun

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/93d03d01d8db67b90274877ff9248f33af80094ced24376805ab660a670ea5bd/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-15 22:40:06 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=spid2aoy3nt3satuq577sjepgoxyackm5usdo2afvntauzyouw6q._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

308245e3b036eaa8e2b12c92852a64e5feedd6d952789d12da2ea5da9b7acced

RemcosRAT

4096056536154e1fa5a10e3495cd3ddadf7c01022b7b65b0c35a67b2eac2bc6b

RemcosRAT

5c9667b60610ff2eeb6b26096b7ac951ed3d59fc716a6b8aa1c94c38658b0db7

RemcosRAT

6c50d72da5ab733ffcc197ef2f403e4b490673164ea72012440fcbfa72ac31fc

RemcosRAT

73d81b006456f319cc451766b237a7b18cb902405ff47c3f5e9c9d6feb40047f

RemcosRAT

929aed244ea7ad68ca44b6274a388dcc772b9d4bc6f4e2cb4370555ecc292c80

RemcosRAT

bfa4daa95a303253a45cc02597d1fa404168fb88e627dc3afa4b3548a6ff893d

RemcosRAT

d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293

RemcosRAT

f412da03defe68cc6e1f264449adf519a4c5470c51e7b502854f7fbf358f8516

RemcosRAT

+ 1'094 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/201115-k26ncfbgce/

Behaviour

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Remcos

Malware Config

C2 Extraction:

igweumz.myddns.me:6404

Unpacked files

SH256 hash:

93d03d01d8db67b90274877ff9248f33af80094ced24376805ab660a670ea5bd

MD5 hash:

426363bb975ee155bdeb9cf56e610fda

SHA1 hash:

1cf8cec27dd5bd2d253541a701d5ad11e3dc0476

Link:

https://www.unpac.me/results/08db6b47-638d-4d6e-a366-13b5d0fe1da4/

SH256 hash:

583de9e17e182400e14be394eaba566c96116def0d7378aa58ce77c7466146e7

MD5 hash:

bf6a6400033fabae67527b1eb05374c0

SHA1 hash:

f2213f00ec2038ba65d6b0727f70759610540401

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/08db6b47-638d-4d6e-a366-13b5d0fe1da4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/93d03d01d8db67b90274877ff9248f33af80094ced24376805ab660a670ea5bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample