MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9736f5417c474a27c98a2323894d7948a0841fb74615e1909c0fabddc1e8bc2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 8 File information Comments

SHA256 hash:	9736f5417c474a27c98a2323894d7948a0841fb74615e1909c0fabddc1e8bc2d
SHA3-384 hash:	440a49d107a8d93b752d7305be255c4230fd3c21719c66d096c40820ee8cde4bfd81e99d9f57e84747500cd2f2d87ff6
SHA1 hash:	8b5737f2d255c4a082c3a156cedeec89d1d1bb4b
MD5 hash:	9eb73189f800e918a170f10b7c97d311
humanhash:	fifteen-queen-pennsylvania-high
File name:	GRN03546290_SC8290.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'047'184 bytes
First seen:	2021-03-06 06:10:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8c5647b86b09cfc0f1762d3113675fec (2 x RemcosRAT)
ssdeep	12288:zda++OCNr8oSF+g6BMe7dxnA47BFBcV4KPg7MK/WhjUMlVtUI3xo:zdt/yS/QNRA8CVxPi7olC3
Threatray	114 similar samples on MalwareBazaar
TLSH	1425E4B2E9569E32F01B143DC90EE6384816BDF1351CD496AFE47F05ABA374836168B3
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
export.zapto.org

Intelligence

File Origin

# of uploads :

# of downloads :

175

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

GRN03546290_SC8290.exe

Verdict:

Malicious activity

Analysis date:

2021-03-06 06:12:52 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/2fb01564-2d28-4c8e-990a-404032961178

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/122580/

Detection(s):

Win.Dropper.Fareit-9838621-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Deleting a recently created file

Unauthorized injection to a recently created process

Connecting to a non-recommended domain

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a global event handler for the keyboard

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/630414

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Country aware sample found (crashes after keyboard check)

Delayed program exit found

Detected Remcos RAT

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Remcos

Sigma detected: Suspicious Program Location Process Starts

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9736f5417c474a27c98a2323894d7948a0841fb74615e1909c0fabddc1e8bc2d/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2021-03-05 17:01:06 UTC

AV detection:

13 of 48 (27.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=s43pkql4i5fcpsmkemrystlzjcqiih5xiyk6dee4b6v53qpixqwq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

4a74ac9210751c192d84ad49d567de4cc5f7d005f62767b59a6a7901051a5304

RemcosRAT

604bc26afab3f25d1c4d98e45872e798eef3061cc8720be0db28d900bddb277c

RemcosRAT

6ebfb5f6ff23404832ee6380a09aee89b19186eccc66fea2512b2708ee00c329

RemcosRAT

86eb335425ab87285d7fc03826498925262e64a466fac29d22c8ae1a806feaae

RemcosRAT

b0dad01939e09e869b27e59d7a7d7c79fdd31bb4a8c52153844c23c3c34bf368

RemcosRAT

b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839

RemcosRAT

d6bb7d0218b0894bcc733065261069c1cb4e151b4ca367f37e888d2beacc0dd9

RemcosRAT

ef6ac1293cdfda22c8d940f96c5433f406a4c3666e6941e4f094a8cf50d04ac1

RemcosRAT

f1e9d6eb71a715e5f47a5c6fa5d03e9c3b871a0e88c91c709ff67ab9311caf4e

RemcosRAT

+ 104 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210306-7ajvk9zr5a/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

export.zapto.org:4832

Unpacked files

SH256 hash:

f9f8a2abd0de5a2052dee5631163e4cd6124873fe5ee6e80089a6be9f2b209a3

MD5 hash:

2dadb1d18f8141233c7b74fd7bb31306

SHA1 hash:

5101e36d15db1f5592af8b05934b1854d9a93d8a

Link:

https://www.unpac.me/results/57e00c34-8bf5-420c-ba93-0be306dc2901/

SH256 hash:

9736f5417c474a27c98a2323894d7948a0841fb74615e1909c0fabddc1e8bc2d

MD5 hash:

9eb73189f800e918a170f10b7c97d311

SHA1 hash:

8b5737f2d255c4a082c3a156cedeec89d1d1bb4b

Link:

https://www.unpac.me/results/57e00c34-8bf5-420c-ba93-0be306dc2901/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9736f5417c474a27c98a2323894d7948a0841fb74615e1909c0fabddc1e8bc2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_KB_CERT_56f008e69a7c4c3feb389c66eaf58259 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 9736f5417c474a27c98a2323894d7948a0841fb74615e1909c0fabddc1e8bc2d

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/122580/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample