MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98e5d25243d03b80cc83c955796c42b39f308f55102a9ec01d0f308e06b4cfa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	98e5d25243d03b80cc83c955796c42b39f308f55102a9ec01d0f308e06b4cfa9
SHA3-384 hash:	7446d4862241cdb648d6c9dee80e39797ebd86ad4c7e53530a9eb2c6ec1de0298bd267cc0eee51ad0c5f95c1dd1fda6c
SHA1 hash:	a2bafce0284f457eafd3dcbed73adeb84ed762df
MD5 hash:	384e5af70000fb658251d79ddf8e8878
humanhash:	stream-earth-bakerloo-leopard
File name:	Statement of Account April-2021.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'474'560 bytes
First seen:	2021-05-07 13:01:12 UTC
Last seen:	2021-05-07 13:54:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:dlo0SEzXF0oP0tKSRGhsC3Am7lB47mJ7AZbmDKt:dlo0SM0oPDhsJ8mmSRm2t
Threatray	333 similar samples on MalwareBazaar
TLSH	40657C07B7806792D1962A71C653D17442F28D3B9632F28F5CF43EE77A08B8B465F826
Reporter	James_inthe_box
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/152705/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.36861289.534.9739.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Sending a UDP request

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a recently created process by context flags manipulation

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/719666

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Drops PE files with benign system names

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Svchost Process

Sigma detected: System File Execution Location Anomaly

System process connects to network (likely due to code injection or exploit)

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/98e5d25243d03b80cc83c955796c42b39f308f55102a9ec01d0f308e06b4cfa9/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2021-05-07 06:00:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 46 (36.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tds5eusd2a5ybtedzfkxs3ccwoptbd2vcavj5qa5b4yi4bvuz6uq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

0b71fa3fa8549d6a826faaeb1be86b5f866242f35afdb0c0bc7a8ba6c35981e7

RemcosRAT

0c2f78458061b2e848305409a90351eff2c4c31eed1a4667b6366bfdc43ef52a

RemcosRAT

32c3d29676757629b7ceeafd699c33c14147a79fc07a54889e6f66cd5118b123

RemcosRAT

598fbc003f3775d3441846dec51317b6e81422a78c9a0d1b53353025d6953175

RemcosRAT

6651bccb46e6763f601eee888c54fec1c5cd085750e0d05eca6d595ab59a890f

RemcosRAT

6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e

RemcosRAT

8156b58e3c433b45ab29498fe69e2a506167283f9bc09a5310a117a360ba76f0

RemcosRAT

ba52101e664d1ab4110977264bb16ff13c5bf4bdb004ddcacba915006d275b81

RemcosRAT

f138fb2bb1b74757f02ed6159d3766cd5bbae760e04907ea7520bc09dd968783

RemcosRAT

+ 323 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos agilenet rat

Link:

https://tria.ge/reports/210507-s4ljp879xe/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Remcos

Malware Config

C2 Extraction:

45.137.22.107:5888

Unpacked files

SH256 hash:

98e5d25243d03b80cc83c955796c42b39f308f55102a9ec01d0f308e06b4cfa9

MD5 hash:

384e5af70000fb658251d79ddf8e8878

SHA1 hash:

a2bafce0284f457eafd3dcbed73adeb84ed762df

Link:

https://www.unpac.me/results/d7f6bfe9-8753-40df-833c-c784217a5f45/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/98e5d25243d03b80cc83c955796c42b39f308f55102a9ec01d0f308e06b4cfa9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/152705/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample